iOS sandboxes apps which means an app, if it’s malicious in itself and has managed to get past the App Store, cannot mess with or access data stored in another app. With any iOS device, it’s assumed with good reason that your browser cannot be hijacked by some other app, or indeed even by a malicious website but if you’re using Chrome, that might not be true. Back in December 2015, I experienced first-hand ads being injected on websites that I accessed in Chrome on my iPhone. The device isn’t jailbroken and the website I was visiting at the time was one I had visited often in the past without an ad ever appearing. It took a two months to get to the bottom of where the ads were coming from but I ultimately realized it was cookies that were responsible for it.
Chrome for iOS, like every other app built for iOS, cannot be hijacked by other apps installed on a device so when my browser began opening new tabs and redirecting me to ads, I wasn’t entirely sure why it was doing so.
The ads were from two well known malicious ad injecting names; terraclicks and DNSUnblocker. They were appearing on an e-Commerce website that never displayed ads and the ads were of competing products. Once I verified I was the only one seeing these ads, I knew the problem was with my phone, or with my browser app. The ads refused to go away and were so intrusive that I couldn’t navigate a website. I ended up deleting the Chrome for iOS app from my phone, and installing it again.
Removing the app did the trick and for a whole month, I wasn’t plagued by any ads. Then it started happening again and this time, the ads were far more annoying. Something as simple as tapping and holding on my screen to scroll down a webpage would trigger the ads. A new tab would open each time and again, I was unable to navigate websites. It was time to dig deeper.
I browse the internet sparingly on my phone since I’m usually in front of a larger screen i.e., my desktop for most of the day. I can count the websites I visit on my phone and know for a fact that they are trustworthy. The same can’t be said for my browsing activity on the desktop where I will risk visiting links that don’t look all that safe so perhaps I did visit a malicious website that saved a malicious cookie to my browser. The only question is, how did it get on my phone? The answer is that I helped get it there. I have sync set up so that my browsing history, bookmarks, etc., sync between Chrome on my desktop to Chrome on my iPhone.
To get rid of the ads this time around, I simply deleted the cookies in Chrome on my iPhone. The ads went away instantly and have not reappeared since. I’ve made a point to prevent cookies from being saved in Chrome on both the desktop and on my iPhone. It’s a pain, of course, but no ads so far. I’ve also switched off sync from my desktop to be extra safe.
The problem has not surfaced again but I do still have unanswered questions. I don’t know if the cookies that caused the ads to appear were saved to my desktop and then synced to my phone, or if they saved directly on my phone and then began displaying ads. It’s also alarming that cookies, which are normally considered super harmless are the apparent cause of all this.