Traditional viruses are non-existent on Chromebooks and other Chrome OS gadgets, but other threats can and do appear on the platform thanks almost entirely to Android, according to a recent report published by Malwarebytes Labs. Chrome OS has been capable of running Android applications on devices supporting Google Play since 2016. Although not all apps function properly or display correctly, and a lack of root permissions generally limits what they can do to the underlying OS, that support brings with it malware that's already on Android handsets and tablets. That means that, in addition to threats found across all browsers in terms of extensions and malicious ads or websites, user data theft and credential theft -- primarily through phishing -- are possible. The creation of a botnet, crypto mining, and other forms of resource mismanagement are possibilities as well, as are ad fraud and scams involving fake applications.
Background: Chrome OS and the devices sold running the operating system are largely marketed on their ability to handle threats that can be found in other computing environments. For instance, one of Google's most recent advertising campaigns for the products centered almost entirely around errors and software problems found on macOS and Windows hardware. In that ad, those were displayed in all of their glory, from the latter OS's infamous 'blue screen of death' and pop-up messages to massive slowdowns and similar issues that generally have a wide variety of causes. Throughout that barrage of frustrating circumstances, themes associated with viruses and malicious software are prevalent, promoting the idea that Chrome OS is inherently safer to use.
Google isn't necessarily wrong to promote the security of its laptop operating system or its stability. To begin with, the company has a long-standing program paying developers who find vulnerabilities, with the intention of rooting out and circumventing or mitigating the worst possible malicious software and problems. There's also a significant degree of separation between Android apps running on the OS and the core of the operating system, which helps contain any threats that might arise. The same separation is present with regard to the more recently added ability to download and run Linux apps in containers. Finally, the company has consistently made changes to its app policies, introduced new scanning tools, and worked to remove bad apps from the Play Store, in addition to making changes to Chrome itself that prevent malicious online behavior.
Impact: There don't appear to be any apps that affect Chrome OS directly instead of through Android. So the news largely means that most malware on Chrome OS hinges on the credulity of the user: tricking the user into downloading apps with fake reviews, into providing data or information to phishing apps or websites, and similar tactics. It also means that Chromebooks, Chromeboxes, and Chrome OS tablets that support the Google Play Store can still be infected by malicious software. The popularity of a given OS typically has an impact on how much effort bad actors will put forward in promoting or generating those types of software and would normally be useful in gauging how big a problem that becomes. Android is already the leading platform in the world for mobile devices, so the growth of such malware on Chrome OS will likely worsen primarily as a side effect of more Android app features and support being added. Aside from simply being careful not to visit malicious sites or download bad software, the threat can be further mitigated by using anti-malware software from a trusted publisher.