


Perceptive Security
SOC/SIEM Consultancy

Fake Google Security site uses PWA app to steal credentials, MFA codes
Published:
2 March 2026 at 20:23:41
Alert date:
2 March 2026 at 21:08:05
Source:
bleepingcomputer.com
Web Technologies, Ransomware & Malware, Identity & Access, Data Breach & Exfiltration, Mobile & IoT
A sophisticated phishing campaign is targeting users with a fake Google Account security page that delivers a Progressive Web Application (PWA). The malicious PWA is designed to steal user credentials, multi-factor authentication (MFA) codes, and cryptocurrency wallet addresses. Additionally, the attack proxies malicious traffic through victims' browsers, making it harder to trace the attackers' activities. This campaign demonstrates an evolution in phishing tactics by leveraging PWA technology to create more convincing and persistent threats that can bypass traditional security measures.
Technical details
A phishing campaign uses a fake Google Account security page to deliver a Progressive Web App (PWA) that steals credentials and MFA codes. The malicious PWA can exfiltrate contacts, real-time GPS data and clipboard contents, and can act as a network proxy and internal port scanner. It uses the WebOTP API to intercept SMS verification codes, polls /api/heartbeat every 30 seconds for commands, and includes a service worker for push notifications and data exfiltration. The attack also includes a WebSocket relay that lets attackers pass web requests through the victim's browser as an HTTP proxy. A companion Android APK requesting 33 permissions includes a custom keyboard for keystroke capture, a notification listener, a credential interception service, device administrator registration, a boot receiver, and overlay-based attack components.
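The 30-second /api/heartbeat polling described above is a beaconing pattern a SOC can hunt for in web-proxy logs. The following is an added example, not code from the original alert or the linked write-up: it groups requests to that path per client and host, flags pairs whose inter-request gaps sit at a near-constant period, and marks hosts that match the alert's IOC domain. The log format, client addresses and the intranet host are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

IOC_DOMAINS = {"google-prism.com"}  # the alert's IOC domain, listed there defanged
BEACON_PATH = "/api/heartbeat"
# Constructed log format: "<ISO timestamp> <client IP> <method> <URL>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) [A-Z]+ https?://(?P<host>[^/\s]+)(?P<path>\S*)")

# Constructed sample: 10.0.0.5 polls the IOC host every ~30 s; 10.0.0.7 hits an
# internal path of the same name at irregular intervals and must not be flagged.
SAMPLE_LOG = """\
2026-03-02T20:00:00 10.0.0.5 GET https://google-prism.com/api/heartbeat
2026-03-02T20:00:12 10.0.0.5 GET https://www.example.com/index.html
2026-03-02T20:00:30 10.0.0.5 GET https://google-prism.com/api/heartbeat
2026-03-02T20:01:01 10.0.0.5 GET https://google-prism.com/api/heartbeat
2026-03-02T20:01:30 10.0.0.5 GET https://google-prism.com/api/heartbeat
2026-03-02T20:02:00 10.0.0.5 GET https://google-prism.com/api/heartbeat
2026-03-02T20:00:10 10.0.0.7 GET https://intranet.example/api/heartbeat
2026-03-02T20:03:00 10.0.0.7 GET https://intranet.example/api/heartbeat
2026-03-02T20:03:05 10.0.0.7 GET https://intranet.example/api/heartbeat
2026-03-02T20:10:00 10.0.0.7 GET https://intranet.example/api/heartbeat
""".splitlines()


def find_beacons(lines, period=30.0, tolerance=3.0, min_hits=4):
    """Return (client, host) pairs that request BEACON_PATH at a near-constant
    period: at least min_hits requests, mean gap within tolerance seconds of
    period, and little spread between gaps. Also flags hosts already known as IOCs."""
    stamps = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["path"].split("?")[0] == BEACON_PATH:
            stamps[(m["src"], m["host"])].append(datetime.fromisoformat(m["ts"]))
    findings = {}
    for key, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()  # inter-request gaps need chronological order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            findings[key] = {"count": len(times), "mean_gap": round(mean(gaps), 1),
                             "known_ioc": key[1] in IOC_DOMAINS}
    return findings
```

Periodicity alone will also match legitimate keep-alives, so treat a hit without a known IOC as a lead to triage rather than a verdict.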
Mitigation steps:
Be aware that Google does not run security checks through pop-ups or request software installation for protection. Use the official Google Account security tools at myaccount.google.com. To remove the malicious APK, look for the 'Security Check' entry in installed apps and uninstall it. If a 'System Service' app with package name com.device.sync has device administrator access, revoke it under Settings > Security > Device admin apps, then uninstall it. Remove the malicious PWA from Chromium-based browsers and Safari following the detailed removal steps. Note that Firefox and Safari restrict many of the malicious app's capabilities, but push notifications still work.
Affected products:
Progressive Web Apps (PWA)
Google Chrome
Microsoft Edge
Chromium-based browsers
Android devices
Firefox
Safari
Related links:
https://www.malwarebytes.com/blog/privacy/2026/02/inside-a-fake-google-security-check-that-becomes-a-browser-rat
http://myaccount.google.com
Related CVEs:
Related threat actors:
IOCs:
google-prism[.]com, Security Check app, System Service app with package name com.device.sync
This article was created with the assistance of AI technology by Perceptive.
