Identity, Data Security, Phishing, Threat Intelligence

Fake Google Security page used in PWA phishing campaign

A sophisticated phishing campaign is exploiting a fake Google Account security page to deliver a malicious web-based application. This Progressive Web App (PWA) is designed to steal one-time passcodes, harvest cryptocurrency wallet addresses, and use victims' browsers as a proxy for attacker traffic, as reported by Bleeping Computer.

The attack combines social engineering with PWA features to make users believe they are interacting with a legitimate Google security page. The campaign employs the domain google-prism[.]com, which mimics a Google security service. Users are guided through a four-step process that requests sensitive permissions and installs the malicious PWA. Once installed, the app can exfiltrate contacts, GPS data, and clipboard contents. It also functions as a network proxy and internal port scanner. The PWA leverages the WebOTP API to intercept SMS verification codes and uses push notifications to prompt users to reopen the app for data exfiltration.

A companion Android app, masquerading as a critical security update, requests 33 high-risk permissions, including access to SMS, call logs, microphone, and accessibility services, enabling data theft and financial fraud. Users are advised to be wary of unsolicited security checks and to only obtain Google security tools directly from myaccount.google.com.

Source: Bleeping Computer
