6

Running Chromium 60.0.3112.11 on Linux Ubuntu 16.04

  1. Chromium attempts to access my Linux machine's media upon autocompleting bankofamerica.com, wellsfargo.com, americanexpress.com, or discover.com.

  2. Chromium also attempts to access my Linux machine's media upon searches in Google for the following bank-related strings: 'bank'; 'american'; 'bank of america'; 'wells fargo'; 'american express'; 'discover'; 'american express card'; 'discover card'; 'discover card services'; but not for: 'bank of america customer service'; 'bank of america interest rates'; 'wells fargo customer service'; 'wells fargo interest rates'; 'american express card services'; 'discover card bill pay'; 'banks'; 'america'; and all other banking and non-banking related strings that I have checked.

  3. Chromium accesses my navigation entry screenshot manager upon resubmission of any URL. This could be a remnant of having used Selenium in the past to control the chromium-browser, but I thought this should be mentioned given the nature of the previous two bugs.

Documentation is as follows:

    me@linuxmachine:~$ chromium-browser &
    [1] 2496

4a. The error:

    [1:13:0901/211311.279992:ERROR:adm_helpers.cc(62)] Failed to query stereo recording.

is prompted by autocompleting in the address bar: bankofamerica.com, americanexpress.com or searches in Google for: 'bank of america', 'american express', 'american express card'

4b. The error:

    [2496:2496:0901/211421.675100:ERROR:web_contents_delegate.cc(199)] WebContentsDelegate::CheckMediaAccessPermission: Not supported.
    [2496:2496:0901/211421.675126:ERROR:web_contents_delegate.cc(199)] WebContentsDelegate::CheckMediaAccessPermission: Not supported.

is prompted by autocompleting in the address bar: wellsfargo.com or searches in Google for: 'wells fargo', 'american'

4c. The error:

    [2496:2496:0901/211631.723037:ERROR:web_contents_delegate.cc(199)] WebContentsDelegate::CheckMediaAccessPermission: Not supported.
    [2496:2496:0901/211631.723065:ERROR:web_contents_delegate.cc(199)] WebContentsDelegate::CheckMediaAccessPermission: Not supported.
    [1:13:0901/211633.046282:ERROR:adm_helpers.cc(62)] Failed to query stereo recording.

is prompted by autocompleting in the address bar: discover.com or searches in Google for: 'discover', 'discover card', 'discover card services'

4d. The error:

    [2496:2496:0901/212845.137648:ERROR:navigation_entry_screenshot_manager.cc(134)] Invalid entry with unique id: 55

is prompted by resubmission to the browser of any URL that Chromium has already navigated to.

5. Questions:

Can any forum members please comment on these Chromium errors and the possibility that they are produced by malware that is targeting my financial data? Specifically:

  1. Are they predicted responses to known malware, and if so, what is the name and origin of the malware, the files known to serve as hosts, and the proper method of remediation of an infected system?
  2. How much of a concern should I harbor for my browser or system safety and the safety of my financial data given the nature of these errors?
  3. How should I properly contain and address the threats to my browser or system and restore Chromium to proper function?
Anders
anon
    You didn't mention where you got the Chromium source from, and there is no sha256sum to confirm whether the source of this version was intentionally injected with malicious code. – mootmoot Sep 13 '17 at 14:51

2 Answers

1

Because Chromium is open source, you can verify that these log messages are pretty much normal. The association of their timing with financial-related strings is not.

The CheckAccessPermission log is coming from here: chromium/src/content/public/browser/web_contents_delegate.cc. If we follow up the call chain, we find MediaDevicesManager in media_devices_permission_checker.cc, where we can see that these functions are called when web or extension content is attempting to access your microphone or camera.


Because it seems like this could possibly be the fault of a poorly implemented extension, and also because Chrome extensions are the most likely culprit of fishy behavior by the browser, I recommend performing an audit of your extension list at chrome://extensions. Try disabling extensions one-by-one until the behavior goes away. Verify that this does not happen in an incognito / private window, which extensions are by default not allowed access to. (If any extensions are marked as "allow in incognito windows", uncheck that box before testing.)

Riking
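The extension audit recommended in the answer above can start from the manifests on disk, before disabling anything. This is an added example, not part of the original answer or of Chromium's code; it assumes the profile lives at `~/.config/chromium/Default/Extensions`, and the sample manifests it falls back to are constructed. It lists extensions that request capture permissions or whose match patterns cover the sites named in the question.

```python
import json
import tempfile
from pathlib import Path

# Permissions that let an extension or app capture audio, video or screen content.
CAPTURE = {"audioCapture", "videoCapture", "tabCapture", "desktopCapture"}
# Match patterns that cover every site, banking pages included.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Hosts named in the question.
HOSTS = ("bankofamerica.com", "wellsfargo.com", "americanexpress.com", "discover.com")

def audit_extensions(ext_dir):
    """Return a finding for each <id>/<version>/manifest.json worth reviewing."""
    findings = []
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        ext_id = path.parts[-3]
        try:
            data = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            findings.append({"id": ext_id, "name": None, "capture": [], "patterns": [],
                             "error": "unreadable manifest"})
            continue
        perms = [p for key in ("permissions", "optional_permissions", "host_permissions")
                 for p in data.get(key, []) if isinstance(p, str)]
        scripts = [m for cs in data.get("content_scripts", []) for m in cs.get("matches", [])]
        capture = sorted(CAPTURE.intersection(perms))
        patterns = sorted({p for p in perms + scripts
                           if p in BROAD or any(h in p for h in HOSTS)})
        if capture or patterns:
            findings.append({"id": ext_id, "name": data.get("name"),
                             "capture": capture, "patterns": patterns})
    return findings

def build_sample_profile(root):
    """Write two constructed manifests (not real extensions) so the demo runs offline."""
    samples = {
        "a" * 32: {"name": "Constructed Recorder", "permissions": ["tabCapture", "storage"],
                   "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]},
        "b" * 32: {"name": "Constructed Theme", "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    real = Path.home() / ".config/chromium/Default/Extensions"  # assumed default path
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_extensions(real if real.is_dir() else build_sample_profile(tmp)):
            print(finding)
```

A listed extension is a candidate for the disable-and-retest step, not a verdict on it.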
0

None of the error messages you have posted are indicative of malware in your browser. Connecting to a new origin will often trigger the creation of a new renderer process from the zygote, and the new renderer will interact with the host process. During that interaction, it may connect to the media sources (or fail to do so, as in your case).

If you have concerns about malware, and wish to be reassured, I would run a scan with ClamAV (since you mention you are on Linux), or monitor the outgoing traffic using Wireshark to see if there is any traffic to suspicious hosts.

David
  • 1
    ClamAV is very unlikely to detect browser malware, and it is designed for Windows malware anyway (even though it can _run_ on Linux). – forest Feb 09 '18 at 02:16