Beware: Fake Google Site Steals Passwords & MFA Codes via PWA

Summary
– A phishing campaign uses a fake Google security page to trick users into installing a malicious Progressive Web App (PWA) that steals data and acts as a proxy.
– The malicious PWA can steal one-time passwords, cryptocurrency wallet addresses, contacts, GPS data, and clipboard contents, while also scanning internal networks.
– The attack leverages social engineering to gain permissions, using push notifications to re-engage users and a WebSocket relay to route attacker traffic through the victim’s browser.
– A companion Android app is sometimes promoted, requesting extensive permissions to steal SMS, call logs, and keystrokes, and it registers as a device administrator for persistence.
– The attack exploits legitimate browser features without needing a software vulnerability, and users are advised to be wary of unsolicited security checks and to remove the malicious apps from their devices and browsers.
A sophisticated phishing operation is using a counterfeit Google security page to distribute a malicious web application. This threat is designed to steal sensitive information, including one-time passcodes and cryptocurrency wallet details, while also using victims’ browsers to secretly route attacker traffic. The campaign cleverly abuses legitimate web technologies and preys on users’ trust in security prompts.
The attack centers on a deceptive domain, google-prism[.]com, which mimics an official Google service. It guides users through a four-step setup that involves granting dangerous permissions and installing a harmful Progressive Web App (PWA). PWAs function like standard applications within a browser window, making them appear legitimate. Under the guise of a security check, the site tricks users into allowing the PWA to access contacts, real-time GPS location, and clipboard contents. In some cases, it even promotes a companion Android app for “protecting” contacts.
Once installed, the PWA’s capabilities are extensive. It can act as a network proxy and internal port scanner, enabling attackers to route web requests through the victim’s device and map the local network. The malware also requests permission to show notifications, which the attackers use to send fake security alerts. These alerts prompt the user to reopen the app, which is necessary for it to steal clipboard data or intercept one-time passwords via the WebOTP API. The malware checks in with a command server every 30 seconds and builds a detailed fingerprint of the compromised device.
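A fixed check-in interval like the 30-second one described above is one of the few things a defender can see from outside the browser, because the requests leave the device on a regular schedule while normal browsing does not. The script below is an added example (not the researchers' tooling and not code from the article): it parses constructed proxy log lines in an assumed "timestamp client destination path" format and flags client/destination pairs whose request spacing is regular. The hostname example-c2.invalid and the log lines are constructed for the demonstration.

```python
"""Flag destinations that a client contacts at a regular interval (beaconing).

Added example, not from the article. The log format and every log line
below are constructed; example-c2.invalid is a placeholder destination.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp client destination path".
# One destination is hit every 30 s; the other is ordinary irregular browsing.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 example-c2.invalid /beacon
2024-05-01T10:00:01Z 10.0.0.5 www.wikipedia.org /wiki/Main_Page
2024-05-01T10:00:30Z 10.0.0.5 example-c2.invalid /beacon
2024-05-01T10:00:47Z 10.0.0.5 www.wikipedia.org /wiki/Phishing
2024-05-01T10:01:00Z 10.0.0.5 example-c2.invalid /beacon
2024-05-01T10:01:30Z 10.0.0.5 example-c2.invalid /beacon
2024-05-01T10:02:00Z 10.0.0.5 example-c2.invalid /beacon
2024-05-01T10:02:09Z 10.0.0.5 www.wikipedia.org /wiki/Malware
2024-05-01T10:02:30Z 10.0.0.5 example-c2.invalid /beacon
2024-05-01T10:03:02Z 10.0.0.5 www.wikipedia.org /wiki/Browser
2024-05-01T10:03:05Z 10.0.0.5 www.wikipedia.org /wiki/Sandbox
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return {(client, destination): [timestamps]} from the constructed format."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ts, client, dest, _path = m.groups()
        series[(client, dest)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return series


def find_beacons(series, min_requests=5, max_jitter=0.2):
    """Flag pairs whose inter-arrival times are regular.

    max_jitter is the coefficient of variation (stdev / mean) of the gaps;
    above it the series is treated as normal, irregular browsing.
    """
    findings = []
    for (client, dest), times in series.items():
        if len(times) < min_requests:
            continue  # too few requests to judge regularity
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        if statistics.pstdev(gaps) / mean <= max_jitter:
            findings.append({"client": client, "dest": dest,
                             "interval_s": round(mean, 1), "requests": len(times)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['dest']}: every ~{f['interval_s']} s "
              f"({f['requests']} requests)")
```

On the constructed sample this reports only example-c2.invalid at a 30.0 s interval; the five Wikipedia requests are spaced 3 to 82 seconds apart and fall well outside the jitter threshold. On real traffic, raise min_requests and tune max_jitter per environment, since some legitimate clients (mail and chat apps) also poll on a schedule; the output is a lead for investigation, not a verdict.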
A critical component is a service worker that manages push notifications, executes attacker commands, and prepares stolen data for exfiltration. Researchers highlight a particularly dangerous feature: a WebSocket relay. This allows the attacker to pass HTTP requests through the victim’s browser as if they were originating from the victim’s own network, with the malware fetching and returning full responses. The abuse of the Periodic Background Sync feature in Chromium-based browsers allows this connection to persist as long as the malicious PWA remains installed.
For users who proceed with the fake security setup, an Android APK file is offered. This app, fraudulently labeled as a “critical security update,” demands 33 high-risk permissions. These include access to SMS, call logs, the microphone, contacts, and the accessibility service. The APK contains a custom keyboard to log keystrokes, a notification listener, and a service to intercept auto-filled credentials. To ensure it remains on the device, it registers as a device administrator, sets itself to run on startup, and includes components that could be used for overlay-based phishing attacks within other apps.
This entire scheme exploits user behavior, not software vulnerabilities. By combining convincing social engineering with the legitimate functionality of PWAs, attackers simply trick victims into granting all the permissions needed for the malware to operate. Even without the Android app, the web-based component can harvest contacts, intercept OTP codes, track location, scan networks, and proxy traffic.
It is crucial to remember that Google does not conduct security checks through pop-ups or request software installations for protection features. All legitimate security tools are accessible directly through your Google Account. If you suspect infection, look for an app named “Security Check” or “System Service” (package name com.device.sync) in your installed applications. On Android, revoke its device administrator access in Settings before uninstalling. On desktop browsers like Chrome or Edge, you must remove the malicious PWA from your browser’s application settings. While browsers like Firefox and Safari restrict many of the PWA’s functions, push notifications may still be active and should be revoked.
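For an administrator triaging several Android devices, the Settings-based steps above can be checked and driven over adb instead. The script below is an added example, not from the article or from Bleeping Computer: it parses the text output of `adb shell pm list packages` and `adb shell dumpsys device_policy`, reports whether the package name the article gives (com.device.sync) is installed and whether it currently holds device-administrator rights, and prints the removal commands in the order the article prescribes (revoke admin first, then uninstall). The `ComponentInfo{package/class}` shape of the dumpsys output is an assumption about the Android version, the sample outputs are constructed, and the receiver class name is a placeholder rather than a value taken from the article.

```python
"""Triage the Android component over adb.

Added example, not from the article. Sample outputs are constructed; the
admin receiver class name is a placeholder; the ComponentInfo{pkg/cls}
line shape is assumed from common dumpsys device_policy output.
"""
import re
import shutil
import subprocess

SUSPECT_PACKAGES = {"com.device.sync"}  # package name given in the article

# Constructed stand-ins for real adb output, used when no device is attached.
SAMPLE_PM_LIST = """\
package:com.android.chrome
package:com.device.sync
package:com.google.android.gms
"""
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.device.sync/com.device.sync.PLACEHOLDER_AdminReceiver}:
      uid=10234
"""

PKG_RE = re.compile(r"^package:(\S+)$", re.M)
ADMIN_RE = re.compile(r"ComponentInfo\{([^/}]+)/([^}]+)\}")


def installed_packages(pm_output):
    """Package names from 'pm list packages' output."""
    return set(PKG_RE.findall(pm_output))


def active_admins(dumpsys_output):
    """{package: 'package/class'} for every enabled device admin component."""
    return {pkg: f"{pkg}/{cls}" for pkg, cls in ADMIN_RE.findall(dumpsys_output)}


def triage(pm_output, dumpsys_output, suspects=SUSPECT_PACKAGES):
    """Findings for installed suspect packages plus the removal commands."""
    present = installed_packages(pm_output) & set(suspects)
    admins = active_admins(dumpsys_output)
    findings = []
    for pkg in sorted(present):
        component = admins.get(pkg)
        steps = []
        if component:
            # Admin rights must be revoked first; Android refuses to uninstall
            # an active device admin.
            steps.append(f"adb shell dpm remove-active-admin {component}")
        steps.append(f"adb uninstall {pkg}")
        findings.append({"package": pkg, "device_admin": component is not None,
                         "steps": steps})
    return findings


def adb(*args):
    """Run one adb command and return its stdout (requires adb on PATH)."""
    return subprocess.run(["adb", *args], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    if shutil.which("adb"):
        pm_out = adb("shell", "pm", "list", "packages")
        dp_out = adb("shell", "dumpsys", "device_policy")
    else:
        pm_out, dp_out = SAMPLE_PM_LIST, SAMPLE_DUMPSYS  # offline demonstration
    for f in triage(pm_out, dp_out):
        state = "active device admin" if f["device_admin"] else "no admin rights"
        print(f"{f['package']}: {state}")
        for step in f["steps"]:
            print("  ", step)
```

The script only prints the commands; run them by hand after confirming the package on the device. `dpm remove-active-admin` is the command-line equivalent of revoking device administrator access in Settings, and the uninstall must follow it, which is why the steps are emitted in that order. Checking the PWA and push-notification side on desktop browsers still has to be done in the browser's own application and site-permission settings.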
(Source: Bleeping Computer)