Fake Google Security site uses PWA app to steal credentials, MFA codes
Bleeping Computer
by Ionut Ilascu, March 2, 2026
AI-Generated Deep Dive Summary
A phishing campaign has emerged using a fake Google Account security page to deliver a malicious Progressive Web App (PWA) that steals sensitive information, including one-time passcodes, cryptocurrency wallet addresses, and real-time GPS data. The attack exploits PWA features to install a web-based application that operates like a legitimate app, bypassing traditional browser controls and installing directly on the user’s device. This campaign uses social engineering tactics, posing as a legitimate security check and requesting permissions under the guise of enhancing device protection.
The fake website, google-prism.com, mimics Google's security processes with a four-step setup that tricks users into granting access to their devices. The PWA harvests sensitive data, such as clipboard contents and, through the WebOTP API, SMS verification codes. It also acts as an HTTP proxy, allowing attackers to route traffic through the victim’s browser and scan for live hosts on their network. Additionally, the app requests permission to send notifications, enabling attackers to trigger fake security alerts or data exfiltration tasks.
The malware’s service worker component handles push notifications, executes background syncs, and prepares stolen data for transmission. The Android companion app, disguised as a security update, requires 33 high-risk permissions, including access to SMS texts, call logs, contacts, and microphone usage, which could lead to financial fraud or device compromise. This level of access highlights the potential for severe data theft and privacy violations.
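The browser capabilities named in the two paragraphs above (WebOTP, clipboard reads, geolocation, notification permission, service worker push and sync handlers) can be checked for when triaging a captured PWA bundle. The following is an added example, not code from the article or the campaign; the rule ids, file names and sample source are constructed, and regex matching is a heuristic that obfuscated code would evade.

```javascript
// Added example: static triage of a captured PWA bundle for the browser
// capabilities named in the article. Rule ids and SAMPLE are constructed.
const RULES = [
  { id: "webotp-sms", why: "WebOTP API read of an SMS verification code",
    re: /credentials\s*\.\s*get\s*\(\s*\{[^}]*\botp\s*:/g },
  { id: "clipboard-read", why: "reads clipboard contents",
    re: /clipboard\s*\.\s*read(?:Text)?\s*\(/g },
  { id: "geolocation", why: "GPS position lookup or tracking",
    re: /geolocation\s*\.\s*(?:watchPosition|getCurrentPosition)\s*\(/g },
  { id: "notify-permission", why: "asks for notification permission",
    re: /Notification\s*\.\s*requestPermission\s*\(/g },
  { id: "sw-push", why: "service worker push handler",
    re: /addEventListener\s*\(\s*['"]push['"]/g },
  { id: "sw-sync", why: "service worker background sync handler",
    re: /addEventListener\s*\(\s*['"](?:sync|periodicsync)['"]/g },
];

// Scan whole files (not line by line) so calls split across lines still match.
function triage(files) {
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    for (const rule of RULES) {
      for (const m of source.matchAll(rule.re)) {
        const line = source.slice(0, m.index).split("\n").length;
        findings.push({ file, line, rule: rule.id, why: rule.why });
      }
    }
  }
  return findings;
}

// Credential harvesting plus a background channel is the combination the
// article describes; either alone also appears in legitimate apps.
function verdict(findings) {
  const hit = new Set(findings.map((f) => f.rule));
  const harvest = hit.has("webotp-sms") || hit.has("clipboard-read");
  const background = hit.has("sw-push") || hit.has("sw-sync");
  if (harvest && background) return "review";
  return hit.size > 0 ? "note" : "clean";
}

// Constructed sample input: inert source text, never executed.
const SAMPLE = {
  "app.js": "navigator.credentials.get({\n  otp: { transport: ['sms'] } });\n" +
    "navigator.clipboard.readText();\nnavigator.geolocation.watchPosition(cb);\n" +
    "Notification.requestPermission();",
  "sw.js": "self.addEventListener('push', onPush);\nself.addEventListener('sync', onSync);",
};
console.log(verdict(triage(SAMPLE)), triage(SAMPLE));
```

A "review" verdict only flags the bundle for manual inspection; it is not proof of malice.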
The attack underscores the risks associated with malicious PWAs and the importance of verifying app sources and permissions. Users should remain vigilant when encountering security-related requests and avoid granting excessive permissions to untrusted apps. The combination of PWA capabilities, social engineering, and advanced data exfiltration techniques makes this phishing campaign particularly dangerous for both individuals and organizations.
This threat highlights the growing sophistication of cyberattacks and the need for stronger security measures to protect against such malicious activities. Users are advised to keep software updated, verify app authenticity, and be cautious of unsolicited security alerts.
Originally published on Bleeping Computer on 3/2/2026