A phishing campaign is using a counterfeit Google Security page to distribute a Progressive Web App (PWA) that steals one-time passwords, harvests cryptocurrency wallet addresses, and routes attacker traffic through victims' browsers. The operation uses the domain google-prism.com to present a convincing four-step "security setup" that walks the victim through granting risky browser permissions and installing the malicious PWA. Once installed, the PWA opens in its own window with no address bar or other browser controls (the standalone display mode any installable web app can request in its manifest), so the victim never sees the google-prism.com URL and the app looks like a legitimate standalone program.
The installed PWA can exfiltrate contacts, real-time GPS coordinates, and clipboard contents, and can also act as a network proxy and internal port scanner, reaching addresses on the victim's LAN from inside their browser. Each of these capabilities relies on a permission the victim granted or a prompt they accepted during the fake setup; none of them exploits a browser bug. On browsers that implement the WebOTP API (Chrome on Android), the app asks the browser for SMS verification codes; the caveat is that the browser only hands over a message whose last line binds it to the requesting origin, in the form "@google-prism.com #code", so the API does not expose codes sent by Google or any other service unless the text carries that line. The app polls its command server every thirty seconds (a heartbeat) for new instructions. Because push notification permission was granted, the attackers can deliver fake security alerts through the app's service worker even while the PWA window is closed; each alert lures the victim into reopening the app so data theft can resume.
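The WebOTP step, as an added example that is neither the campaign's code nor part of the original report: it shows the call a page such as the malicious PWA makes, the origin-binding rule that decides which SMS messages the browser will ever pass to that call, and a small triage helper built on the same rule. It assumes the phishing origin is https://google-prism.com (the only domain the report names); the SMS bodies and the bank.example origin are constructed test data.

```javascript
// Added example, not code from the campaign or from the original article.
// Two things about the WebOTP API that matter for this campaign:
//  1. how a page (here the malicious PWA) asks the browser for an SMS code;
//  2. the origin-binding rule that limits which messages it can ever receive:
//     Chrome on Android hands a message to navigator.credentials.get() only if
//     the message's LAST line is "@<host> #<code>" and <host> is the host of
//     the requesting page. A code meant for another service is never exposed.
// google-prism.com is the domain named in the report; the SMS bodies and the
// bank.example origin below are constructed test data, not captured messages.

// What the PWA runs in the browser. Resolves to the code, or null when the API
// is absent (Firefox, Safari, or Node) or no bound message arrives in time.
async function requestSmsOtp(timeoutMs = 60_000) {
  if (typeof navigator === 'undefined' || !navigator.credentials ||
      typeof OTPCredential === 'undefined') {
    return null;
  }
  const ac = new AbortController();
  const timer = setTimeout(() => ac.abort(), timeoutMs);
  try {
    const cred = await navigator.credentials.get({
      otp: { transport: ['sms'] },
      signal: ac.signal,
    });
    return cred ? cred.code : null;
  } catch {
    return null; // aborted, denied, or unsupported transport
  } finally {
    clearTimeout(timer);
  }
}

// Mirror of the browser's origin-binding check for a top-level page.
// Returns the code if `smsBody` is bound to `origin`, otherwise null.
// (The embedded-frame variant, "@<top-host> #<code> @<frame-host>", is
// not modelled here.)
function otpForOrigin(smsBody, origin) {
  const host = new URL(origin).host.toLowerCase();
  const lines = smsBody.trim().split(/\r?\n/);
  const last = lines[lines.length - 1].trim();
  const match = /^@(\S+)\s+#([A-Za-z0-9]+)$/.exec(last);
  if (!match) return null;                          // no binding line: never delivered
  if (match[1].toLowerCase() !== host) return null; // bound to a different host
  return match[2];
}

// Triage helper: from an exported inbox, return the messages a page on
// `origin` could have read through WebOTP, with the code each carries.
function findBoundMessages(messages, origin) {
  const hits = [];
  for (const body of messages) {
    const code = otpForOrigin(body, origin);
    if (code !== null) hits.push({ code, body });
  }
  return hits;
}

// Constructed sample inbox: a normal Google code (no binding line), a code
// bound to another site, and one bound to the phishing domain.
const SAMPLE_SMS = {
  google: 'G-123456 is your Google verification code.',
  bank: 'Your bank.example login code is 987654.\n\n@bank.example #987654',
  phish: 'Security Check verification code: 246810\n\n@google-prism.com #246810',
};

if (typeof require !== 'undefined' && require.main === module) {
  const hits = findBoundMessages(Object.values(SAMPLE_SMS), 'https://google-prism.com');
  console.log(hits); // only the message bound to google-prism.com
}
```

The practical reading: a victim's existing Google or bank codes are not at risk from the WebOTP call itself, because their texts do not end in "@google-prism.com #..."; what the attacker can harvest this way are codes from flows the phishing site itself triggers, plus any message the victim is talked into forwarding. During triage, run `findBoundMessages` over an exported inbox with the phishing origin to see which messages the PWA could have received.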
A companion Android application, presented as a critical security update, requests thirty-three high-risk permissions, including SMS access, call logs, microphone, contacts, and the accessibility service (which can read on-screen content and inject input into any app). The APK registers itself as a device administrator, which blocks uninstallation until that role is deactivated, sets a boot receiver so it restarts after every reboot, bundles a custom keyboard (an input method that sees every keystroke typed in any app once the victim selects it), and registers a notification listener that can read the text of every notification shown on the device. Together, the web and mobile components show how attackers can weaponize legitimate browser and platform features plus social engineering rather than exploiting technical vulnerabilities.
Google does not run security checks through pop-ups or ask users to install software for extra protection; every legitimate account security tool is available at myaccount.google.com. Affected users should check their installed apps for a "Security Check" entry or a "System Service" entry with the package name com.device.sync, deactivate it in the device admin apps list in Android settings if it is active (Android refuses to uninstall an active device administrator), and then uninstall it. The PWA should be removed from the browser as well, and the site data and notification permission for google-prism.com cleared, because the notification permission is tied to the origin rather than to the installed app and can survive the uninstall. Firefox and Safari do not implement WebOTP, so the web app has fewer capabilities there, but push notifications still work as a persistence mechanism.
