A phishing campaign is abusing Progressive Web App technology to steal account credentials and multi-factor authentication codes. The attack uses a fake Google security page to trick victims into installing a malicious web-based app.
The fake Google security site looks convincing and mimics legitimate account protection workflows. Once victims install the app, attackers gain access to passwords, MFA codes, and other sensitive data.
How the Phishing Campaign Works
The attack begins with a spoofed Google security page hosted on a deceptive domain. Victims are told their account requires verification or protection. The page then prompts them to install a “Security Check” app.
Instead of downloading a traditional executable file, victims install a Progressive Web App. PWAs can run in a standalone window without visible browser controls. That design makes them appear similar to native desktop applications.
After installation, the malicious app requests extensive permissions. Victims may grant access to clipboard data, contacts, or location services, believing the app enhances account security.
Credential and MFA Code Theft
Once active, the malicious PWA captures login credentials entered into phishing forms. It also intercepts multi-factor authentication codes, including one-time passcodes sent via SMS.
By collecting both passwords and MFA codes in real time, attackers can bypass account protections. This approach turns MFA into a temporary barrier rather than a full defense.
The app also monitors clipboard activity. If a user copies sensitive information, such as authentication tokens or password manager entries, the attacker can retrieve that data.
Browser Proxy and Device Fingerprinting
The malicious PWA can convert the victim’s browser into an HTTP proxy. This setup allows attackers to route traffic through the victim’s IP address. That tactic helps disguise malicious activity and complicate attribution.
The app also gathers detailed device information. It builds a fingerprint that includes browser configuration, system details, and other identifying markers. Attackers can use this data for follow-up campaigns or resale.
Persistent Background Activity
The campaign relies on service workers to maintain background processes. Even after the user closes the visible app window, the service worker can continue receiving instructions from attacker-controlled servers.
This persistence allows ongoing data collection and remote command execution. Victims may remain unaware that the app continues to operate behind the scenes.
Android Companion Malware
In some cases, victims are prompted to install a companion Android application disguised as a security update. If installed, the mobile app requests broad permissions, including access to SMS messages, contacts, and accessibility features.
These permissions allow attackers to intercept authentication codes and gather additional personal data directly from the device.
Protection and Prevention
Users should treat unexpected security warnings with caution. Legitimate Google security tools do not require installing standalone PWAs from third-party domains.
To reduce risk:
- Verify the full website URL before entering credentials
- Avoid installing apps from unsolicited prompts
- Use passkeys or hardware security keys when possible
- Review installed applications and revoke unnecessary permissions
Organizations should educate employees about PWA-based phishing threats. Modern web technologies can be weaponized without exploiting software vulnerabilities.
Conclusion
The fake Google security site campaign demonstrates how attackers adapt legitimate web technologies for credential theft. By disguising a malicious PWA as a security tool, the operation captures passwords, MFA codes, and device data while maintaining persistence in the background. The incident highlights the need for cautious permission management and stronger authentication methods that resist real-time interception.


0 responses to “Fake Google Security Site Uses PWA App to Steal Credentials”