Ethical Hacking News
A complex phishing campaign is using a fake Google Account security page to deliver a web-based app capable of stealing one-time passcodes, harvesting cryptocurrency wallet addresses, and proxying attacker traffic through victims’ browsers. The attackers have used Progressive Web App (PWA) features and social engineering to deceive users into installing the malware. This attack highlights the importance of users being cautious when interacting with suspicious security-related websites and verifying the authenticity of such sites before providing sensitive information.
A complex phishing campaign impersonating Google uses Progressive Web App (PWA) features to deceive users. The fake security site, "google-prism[.]com", appears legitimate but prompts users to grant high-risk permissions and install malicious software. The malware steals sensitive data such as contacts, GPS coordinates, and clipboard contents, and acts as a network proxy. The campaign relies on social engineering to obtain the necessary permissions from users under the guise of a security check. The malware also intercepts SMS verification codes using the WebOTP API and builds a device fingerprint for exfiltration. Users can remove the malicious PWA by uninstalling it and revoking device administrator access if present. Cybersecurity experts recommend that users stay informed about emerging threats, monitor device activity, and keep devices up to date with security patches.
A complex phishing campaign impersonating Google leverages Progressive Web App (PWA) features to deceive users into installing malicious software. The fake security site, dubbed "google-prism[.]com", poses as a legitimate Google service and prompts users to grant it high-risk permissions and install a PWA on their devices. The PWA can exfiltrate sensitive data such as contacts, real-time GPS coordinates, and clipboard contents, and it acts as a network proxy and internal port scanner, allowing the attacker to route requests through the victim's browser.
The campaign relies on social engineering to obtain the necessary permissions from the user under the guise of a security check and increased protection for the device. The fake website also asks for permission to show notifications, which lets the attacker push alerts or new tasks, or trigger data exfiltration. Furthermore, on supported browsers the malware uses the WebOTP API in an attempt to intercept SMS verification codes, and it polls the /api/heartbeat endpoint every 30 seconds for new commands.
According to researchers at Malwarebytes, the focus of the malware is on stealing one-time passwords (OTP) and cryptocurrency wallet addresses. The malicious PWA also builds a detailed device fingerprint and includes a service worker that runs tasks from received payloads and prepares stolen data locally for exfiltration. A key component of the malware is a WebSocket relay that allows the attacker to pass web requests through the browser as if they were on the victim's network.
The researchers highlight that the malicious PWA acts as an HTTP proxy, executing fetch requests with whatever method, headers, credentials, and body the attacker specifies, then returning the full response, headers included. Because the worker also registers a handler for Periodic Background Sync, which lets web apps in Chromium-based browsers synchronize data in the background at intervals, the attacker retains access to a compromised device for as long as the malicious PWA remains installed.
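The capabilities described in the three paragraphs above (WebOTP use, notification and Periodic Background Sync handlers, a fixed-interval heartbeat poll, and a fetch relay driven by received tasks) are all visible as API usage in a service-worker or page script. The following triage helper is an added example, not code from the article or from Malwarebytes: it scans a captured script for those indicator patterns and reports which are present. The two sample scripts it runs against are constructed for the example (the "suspicious" one contains only the relevant API calls with task logic omitted, not the campaign's actual code), and the indicator names and scoring are this example's own choices.

```javascript
// Added triage helper (not from the article or Malwarebytes). Scans a captured
// service-worker or page script for the capability indicators the article
// describes. Heuristic only: a hit is a reason to inspect, not proof of malice.

const INDICATORS = [
  {
    id: 'webotp',
    why: 'WebOTP request: page asks the browser to hand it SMS verification codes',
    test: (src) => /navigator\.credentials\.get\s*\(\s*\{[^}]*\botp\b/.test(src),
  },
  {
    id: 'periodic-sync',
    why: 'Periodic Background Sync handler: worker keeps running tasks after the tab closes',
    test: (src) => /addEventListener\s*\(\s*['"]periodicsync['"]/.test(src) || /\bonperiodicsync\b/.test(src),
  },
  {
    id: 'push',
    why: 'Push handler: a remote party can wake the worker with new tasks',
    test: (src) => /addEventListener\s*\(\s*['"]push['"]/.test(src),
  },
  {
    id: 'heartbeat-poll',
    why: 'Fixed-interval polling of a command endpoint',
    test: (src) => /setInterval\s*\([\s\S]{0,200}?fetch\s*\(/.test(src) || /\/api\/heartbeat/.test(src),
  },
  {
    id: 'fetch-relay',
    why: 'fetch() whose method/headers/body come from a received object (HTTP proxy behaviour)',
    test: (src) => /fetch\s*\(\s*(\w+)\.url\s*,\s*\{[^}]*\1\.(method|headers|body)/.test(src),
  },
  {
    id: 'websocket',
    why: 'Outbound WebSocket opened from the script (candidate relay or command channel)',
    test: (src) => /new\s+WebSocket\s*\(/.test(src),
  },
];

// Returns { verdict, hits } for a script's source text.
function triageScript(src) {
  const hits = INDICATORS.filter((i) => i.test(src)).map(({ id, why }) => ({ id, why }));
  const ids = hits.map((h) => h.id);
  // The combination the article describes: a persistence hook plus an
  // attacker-directed fetch is what turns a PWA into a browser proxy.
  const persistence = ids.includes('periodic-sync') || ids.includes('push') || ids.includes('heartbeat-poll');
  const relay = ids.includes('fetch-relay') || ids.includes('websocket');
  let verdict = 'no indicators';
  if (hits.length > 0) verdict = persistence && relay ? 'browser-RAT pattern' : 'review';
  return { verdict, hits };
}

// Constructed sample, NOT the campaign's code: only the API calls that the
// article describes, with all task handling omitted.
const SAMPLE_SUSPICIOUS_SW = `
navigator.credentials.get({ otp: { transport: ['sms'] } }).then((c) => report(c.code));
self.addEventListener('periodicsync', (e) => { e.waitUntil(runTasks()); });
self.addEventListener('push', (e) => { e.waitUntil(runTasks()); });
setInterval(() => fetch('/api/heartbeat').then(runTasks), 30000);
async function runTasks() { /* task handling omitted */ }
async function relay(task) {
  const r = await fetch(task.url, { method: task.method, headers: task.headers, body: task.body });
  /* response handling omitted */
}
`;

// Constructed benign sample: an ordinary offline-cache service worker.
const SAMPLE_BENIGN_SW = `
self.addEventListener('install', (e) => e.waitUntil(caches.open('v1').then((c) => c.addAll(['/', '/app.js']))));
self.addEventListener('fetch', (e) => e.respondWith(caches.match(e.request).then((r) => r || fetch(e.request))));
`;

// Stand-alone usage: print the verdict and indicators for both samples.
for (const [name, src] of [['suspicious', SAMPLE_SUSPICIOUS_SW], ['benign', SAMPLE_BENIGN_SW]]) {
  const { verdict, hits } = triageScript(src);
  console.log(`${name}: ${verdict}`);
  for (const h of hits) console.log(`  [${h.id}] ${h.why}`);
}
```

Service-worker scripts for an installed PWA can be pulled from the browser's DevTools (Application panel) and fed to `triageScript` as text. On the WebOTP indicator, one caveat worth knowing: the browser only hands a page codes from SMS messages whose last line names that page's origin (the `@host #code` format), so a site can read only codes that a sender formatted for its own domain.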
Users who choose to activate all the security features for their account also receive an APK file for their Android devices that promises to extend protection to the list of contacts. However, this APK file may be used by attackers to siphon additional data from users' Android devices.
To remove the malicious PWA and APK files, Malwarebytes recommends users look for a "Security Check" entry in the list of installed apps and prioritize uninstalling it. If an app called "System Service" with a package name com.device.sync is present and has device administrator access, users should revoke it under Settings > Security > Device admin apps and then uninstall it.
Researchers at Malwarebytes suggest that users take steps to protect themselves from this type of attack by being more cautious when interacting with suspicious security-related websites and verifying the authenticity of such sites before providing sensitive information. Users are also advised to monitor their device activity for signs of suspicious behavior and keep their devices up-to-date with the latest security patches.
In light of this new threat, cybersecurity experts stress the importance of users staying informed about emerging threats and taking proactive measures to protect themselves from falling victim to such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Fake-Google-Security-Site-Exploits-PWA-App-to-Steal-Credentials-and-Siphon-Data-Through-Victims-Browsers-ehn.shtml
https://www.bleepingcomputer.com/news/security/fake-google-security-site-uses-pwa-app-to-steal-credentials-mfa-codes/
https://www.malwarebytes.com/blog/privacy/2026/02/inside-a-fake-google-security-check-that-becomes-a-browser-rat
https://www.forbes.com/sites/daveywinder/2024/08/02/warning-issued-as-hackers-fake-googles-2fa-app-to-steal-your-data/
Published: Mon Mar 2 15:09:07 2026 by llama3.2 3B Q4_K_M