
A phishing campaign is using a spoofed Google Account security page to distribute a malicious Progressive Web App (PWA). The app is designed to steal one‑time passcodes, collect cryptocurrency wallet addresses, and turn victims’ browsers into proxies for attacker traffic. Review this Cybersecurity Threat Advisory for more details on how to protect your environment.
What is the threat?
The fake Google security site is part of a phishing scheme that imitates legitimate Google account verification pages. Victims are directed to it through links that appear genuine, often delivered via email, ads, or compromised websites.
Instead of presenting a typical phishing form, the attackers trigger installation of a PWA directly in the victim’s browser, making the interface resemble a trusted application. Key attributes include:
- Deceptive “security alert” pop‑ups
- Prompts to re‑verify or sign back in
- Windows that mimic native system dialogs
- Real‑time harvesting of user credentials
Unlike standard phishing sites, the PWA can remain active even after the browser closes, making detection more difficult.
Why is it noteworthy?
This campaign blends social engineering with PWA functionality to make the fake Google security page appear legitimate. The attackers use the domain google-prism[.]com, guiding victims through a four‑step process that requests sensitive permissions and ultimately installs the malicious PWA.
Once installed, the app can exfiltrate contacts, GPS location, and clipboard data, and it can operate as a network proxy and an internal port scanner. It also abuses the WebOTP API to capture SMS verification codes and uses push notifications to draw victims back into the app for continued data theft.
A related Android app—disguised as an urgent security update—requests 33 high‑risk permissions, including SMS, call logs, microphone access, and accessibility services. These permissions enable broad data theft and potential financial fraud. Users should be cautious of unsolicited security prompts and only access Google account tools directly at myaccount.google.com.
What is the exposure or risk?
This phishing campaign exposes victims to significant risks, including full account takeover and financial loss. Although many users trust multi‑factor authentication (MFA), attackers bypass it using real‑time interception: the fake page prompts victims for their credentials and verification codes, which are immediately relayed to the attackers. They then log in and capture valid session tokens before they expire. This adversary‑in‑the‑middle (AiTM) approach lets criminals authenticate simultaneously with the victim, effectively undermining MFA protections.
Most victims report that nothing felt suspicious, but there are subtle warning signs: unexpected security alerts, prompts to install a web app as part of “verification,” login pages not hosted on official Google domains, pop‑ups behaving like standalone apps, and slightly altered URLs or redirects.
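One of the warning signs above, login pages not hosted on official Google domains, can be checked mechanically. The following Python is an added example for this advisory (not Barracuda's code): it scans constructed proxy log lines and flags hosts that mention "google" but are not under an official Google domain, using a proper subdomain check so that a host like google.com.example[.]net is not accepted. The allow-list and log format are assumptions for the demonstration.

```python
"""Flag lookalike Google login hosts in proxy log lines (added example)."""
from urllib.parse import urlsplit

# Official domains that may legitimately host Google account pages.
# Assumption: this short allow-list is enough for the demonstration.
OFFICIAL_GOOGLE_DOMAINS = ("google.com", "gstatic.com", "googleapis.com", "youtube.com")


def refang(text: str) -> str:
    """Turn defanged indicators such as google-prism[.]com back into real hostnames."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def is_official_host(host: str) -> bool:
    """True only if host is an official domain or a real subdomain of one.

    A suffix check with the leading dot rejects 'google.com.evil.net', which a
    naive substring test would accept.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_GOOGLE_DOMAINS)


def is_lookalike(url: str) -> bool:
    """Flag URLs whose host mentions 'google' but is not under an official domain."""
    host = urlsplit(refang(url)).hostname or ""
    return "google" in host.lower() and not is_official_host(host)


# Constructed proxy log lines: "<timestamp> <client-ip> <url>" (not real traffic).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 https://myaccount.google.com/security
2024-01-01T10:01:12Z 10.0.0.5 https://google-prism[.]com/verify/step1
2024-01-01T10:02:03Z 10.0.0.7 https://accounts.google.com.example[.]net/signin
2024-01-01T10:03:45Z 10.0.0.9 https://www.gstatic.com/images/branding/logo.png
"""


def flag_lookalikes(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, url) for every log line whose URL has a lookalike host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _, client_ip, url = parts
        if is_lookalike(url):
            hits.append((client_ip, url))
    return hits


if __name__ == "__main__":
    for ip, url in flag_lookalikes(SAMPLE_LOG):
        print(f"lookalike Google host from {ip}: {url}")
```

Pair this with a blocklist of the domain named in this advisory; a host-based check like this catches only lookalikes that reuse the brand name, not arbitrary phishing domains.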
What are the recommendations?
Barracuda strongly recommends taking the following actions:
- Don’t trust pop‑ups or emails prompting you to “verify” or “secure” your account.
- Manually type myaccount.google.com or use the Google app—never click security links in messages or ads.
- Don’t accept “Install app” or “Add to Home screen” prompts unless you initiated the process on a trusted site.
- Check browser settings (Chrome/Edge > Apps/Installed apps) and remove any unknown PWAs.
- Install Google or security‑related apps only from the Google Play Store and official developer listings.
- Use an authenticator app (e.g., Google Authenticator, Authy) instead of SMS to reduce risk from WebOTP abuse.
References
For more in-depth information about the recommendations, please visit the following links:
- Fake Google Security site uses PWA app to steal credentials, MFA codes
- Fake Google Security page used in PWA phishing campaign | brief | SC Media
- Google Fake Security Site: 7 Urgent Risks Revealed | DarknetSearch
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.

