Fake Google Security page hijacks browser as proxy for attackers
Briefly

"The attack starts with a fake security check that asks victims to install a so-called Security Check as a Progressive Web App through a four-step process. Such a PWA runs in a separate window without a visible address bar or browser controls, making it look very similar to a native application and inspiring extra confidence."
"During the process, the site requests notification rights, access to contacts via the Contact Picker API, and GPS location to supposedly verify identity from a trusted location. Everything is presented as extra protection for the account and device. In reality, selected contacts, real-time location data including latitude and longitude, and other information are sent directly to the command-and-control server."
"The PWA explicitly requests permission to read text and images from the clipboard and uses the WebOTP API on supported browsers to automatically intercept SMS verification codes. In addition, the malware periodically checks a heartbeat endpoint for new instructions. Push notifications are strategically used to trick victims into reopening the app with fake security alerts."
A sophisticated phishing campaign uses fake Google security notifications to trick users into installing a Progressive Web App disguised as a legitimate security tool. The PWA runs without visible browser controls, so it looks like a native application and builds user confidence. During installation it requests permissions for notifications, contacts, and GPS location under the guise of account verification. The malware intercepts one-time passwords through the WebOTP API, steals cryptocurrency wallet addresses, captures clipboard data, and collects device fingerprints. Push notifications serve as a restart mechanism that keeps the app active and enables continuous data collection. The campaign is served from the domain google-prism.com, hosted via Cloudflare, and the stolen data is sent to command-and-control servers for financial fraud.
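The report describes a recognisable combination of browser capabilities (standalone PWA display, notification prompt, Contact Picker, geolocation, clipboard read, WebOTP, periodic polling) sitting behind a Google-branded manifest on a non-Google origin. Security teams triaging suspicious sites can turn that combination into a static-analysis heuristic. The script below is an added example for this page, not code from Techzine or from the campaign; the JavaScript and manifest it scans are constructed stand-ins that only reference the public web APIs named above, the per-capability scores and thresholds are arbitrary choices, and the list of legitimate Google origins is an assumption.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# --- Constructed sample input (not real malware), mimicking the API mix the report lists ---
SAMPLE_APP_JS = """
Notification.requestPermission();
navigator.contacts.select(['name', 'tel'], {multiple: true});
navigator.geolocation.getCurrentPosition(p => send(p.coords.latitude, p.coords.longitude));
navigator.clipboard.readText().then(t => send(t));
navigator.credentials.get({otp: {transport: ['sms']}, signal: ac.signal});
setInterval(() => fetch('/heartbeat'), 30000);
"""
SAMPLE_MANIFEST = {"name": "Google Security Check", "short_name": "Security", "display": "standalone"}

# Capability -> (regex over client-side JS, risk weight). Weights are arbitrary assumptions.
RISK_SIGNATURES = {
    "notifications":  (r"Notification\.requestPermission", 1),
    "contact_picker": (r"navigator\.contacts\.select", 3),
    "geolocation":    (r"navigator\.geolocation\.(getCurrentPosition|watchPosition)", 2),
    "clipboard_read": (r"navigator\.clipboard\.read(Text)?\s*\(", 3),
    "webotp":         (r"credentials\.get\(\s*\{[^}]*otp", 4),
    "polling_beacon": (r"setInterval\([^;]*fetch\(", 1),
}
IMPERSONATED_BRANDS = ("google",)
# Assumed allow-list of origins legitimately allowed to carry the brand name.
LEGIT_BRAND_DOMAINS = ("google.com",)


@dataclass
class PwaAssessment:
    capabilities: list[str] = field(default_factory=list)
    score: int = 0
    standalone: bool = False
    brand_mismatch: bool = False
    verdict: str = "low"


def _host_allowed(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in LEGIT_BRAND_DOMAINS)


def assess_pwa(manifest: dict, app_js: str, origin: str) -> PwaAssessment:
    """Score a PWA from its manifest, its client-side JS and the origin it is served from."""
    result = PwaAssessment()
    for name, (pattern, weight) in RISK_SIGNATURES.items():
        if re.search(pattern, app_js):
            result.capabilities.append(name)
            result.score += weight
    result.capabilities.sort()

    # 'standalone'/'fullscreen' hide the address bar, which is what lends the fake app credibility.
    result.standalone = manifest.get("display", "browser") in ("standalone", "fullscreen")

    # Brand name in the manifest but served from an origin outside the brand's domains.
    label = (manifest.get("name", "") + " " + manifest.get("short_name", "")).lower()
    host = (urlparse(origin).hostname or "").lower()
    result.brand_mismatch = any(b in label for b in IMPERSONATED_BRANDS) and not _host_allowed(host)

    if result.score >= 8 or (result.score >= 4 and result.brand_mismatch):
        result.verdict = "high"
    elif result.score >= 4:
        result.verdict = "medium"
    return result


if __name__ == "__main__":
    r = assess_pwa(SAMPLE_MANIFEST, SAMPLE_APP_JS, "https://google-prism.com")
    print(f"verdict={r.verdict} score={r.score} standalone={r.standalone} "
          f"brand_mismatch={r.brand_mismatch} capabilities={r.capabilities}")
```

No single one of these APIs is malicious on its own; the heuristic fires on the combination of sensitive permission requests, a standalone display mode and a brand name that does not match the serving origin, which is the pattern the report describes. In practice the JS and manifest would come from a sandboxed fetch of the suspicious site rather than from inline strings.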
Read at Techzine Global