RESEARCH PoC - Arc Android 94 HTTPS-lock spoof. Researcher's own mock page. Not a real bank.
WARNING: this page is loaded over HTTPS. The lock test is VOID. Re-open it over plain http:// (e.g. http://poc.syarif07.my.id/).
ExampleBank - Online Banking

Sign in

Continue  (target https://syarif07.my.id) Continue  (target https://www.google.com) Control  (target http 204 - expect NO lock)
Real committed origin of THIS page: ...
Over http it should show no padlock / "Not secure". After you TAP a green/blue Continue, the omnibox flips to the https domain with a padlock while this http page stays painted = false lock. The grey Control flips the bar but stays without a padlock, confirming f31061A = target.startsWith("https:").
Fallback if the 204 reverts: change the green link target to https://syarif07.my.id/stall.php.