Nice demonstration of the attack! However, it’s not a new phishing method; it has a name, and it’s called a picture-in-picture attack.
Ironically, the scroll hijacking prevents Mobile Safari from hiding the URL; it’s always full size. But there will be ways around that.
Doesn’t work in Firefox for Android :-)
Safari on iOS 12.2, iPhone X appears to be totally immune to this specific attack: in the “minimized top bar” mode, the browser still shows the domain and an HTTPS indicator.
This man is a monster.
Doesn’t work reliably with Chrome 74.0.3729.112 on Android 8.0.0. Sometimes, both the original and the forged address bar are visible at the same time. I found that the easiest way to replicate this is to quickly scroll up and down after the page is loaded, but it may take some practice.
A nice discovery nonetheless! I could imagine falling for this very easily.