A seemingly legitimate Google account security notification turns out to be part of a sophisticated phishing campaign that converts victims’ browsers into full-fledged espionage tools.
Without exploiting any software vulnerability, relying instead on social engineering and legitimate web functionality, the attackers install a Progressive Web App (PWA) that is capable of intercepting one-time passwords, stealing crypto wallet addresses, building a detailed device fingerprint, and routing network traffic through the victim’s device.
Researchers at Malwarebytes analyzed the campaign surrounding the domain google-prism.com, which is hosted behind Cloudflare. The attack starts with a fake security check that asks victims to install a so-called Security Check as a Progressive Web App through a four-step process. Such a PWA runs in a separate window without a visible address bar or browser controls, making it look very similar to a native application and lending it extra credibility.
During the process, the site requests notification permission, access to contacts via the Contact Picker API, and GPS location, supposedly to verify the victim’s identity from a trusted location. Everything is presented as extra protection for the account and device. In reality, the selected contacts, real-time location data including latitude and longitude, and other information are sent directly to the command-and-control server.
Push notifications as a restart mechanism
According to Malwarebytes, the focus is clearly on stealing one-time passwords and crypto wallet addresses for financial fraud. The PWA explicitly requests permission to read text and images from the clipboard and, on supported browsers, uses the WebOTP API to automatically intercept SMS verification codes.
In addition, the malware periodically polls a heartbeat endpoint for new instructions. Push notifications carrying fake security alerts are used to trick victims into reopening the app, so that active collection of clipboard data and OTP codes can continue.
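The permission grants described above (notifications, location and clipboard on a single origin) leave a trace in the browser profile that a responder can audit. The following script is an added example, not code from the Malwarebytes report or from the phishing kit; it assumes the Chromium profile layout in which site permissions live in the JSON `Preferences` file under `profile.content_settings.exceptions.<type>`, keyed by a pattern such as `https://host:443,*` with `"setting": 1` meaning allow. The embedded profile is constructed for illustration, and `google-prism.com` is the only indicator taken from the page.

```python
"""Audit per-origin permission grants in a Chromium "Preferences" file.

Chromium-based browsers (Chrome, Edge) keep site permissions in the profile's
JSON Preferences file under profile.content_settings.exceptions.<type>, keyed
by a pattern such as "https://example.com:443,*"; "setting": 1 means ALLOW.
The sample profile below is constructed for this example.
"""
import json
import sys

ALLOW = 1
# Content-setting types the campaign relies on, named as Chromium stores them.
WATCHED = ("notifications", "geolocation", "clipboard")
# Domain reported in the campaign write-up; extend with your own indicators.
KNOWN_BAD_HOSTS = {"google-prism.com"}

# Constructed sample: one origin with the campaign's full permission set,
# one ordinary site with notifications only, one origin that was denied.
SAMPLE_PREFS = json.dumps({
    "profile": {"content_settings": {"exceptions": {
        "notifications": {
            "https://google-prism.com:443,*": {"setting": ALLOW},
            "https://news.example.org:443,*": {"setting": ALLOW},
        },
        "geolocation": {
            "https://google-prism.com:443,*": {"setting": ALLOW},
            "https://maps.example.net:443,*": {"setting": 2},  # 2 = BLOCK
        },
        "clipboard": {
            "https://google-prism.com:443,*": {"setting": ALLOW},
        },
    }}}
})


def host_from_pattern(pattern: str) -> str:
    """Reduce a content-settings pattern to a bare host name."""
    primary = pattern.split(",", 1)[0]                # drop secondary pattern
    primary = primary.partition("://")[2] or primary  # drop scheme if present
    primary = primary.removeprefix("[*.]")            # subdomain wildcard
    host, _, port = primary.rpartition(":")
    return host if port.isdigit() else primary


def audit_permissions(prefs_json: str) -> dict:
    """Return {host: {"granted": [...], "suspicious": bool, "reasons": [...]}}
    for every host holding at least one ALLOW on a watched permission type."""
    prefs = json.loads(prefs_json)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {}))
    grants: dict = {}
    for perm_type in WATCHED:
        for pattern, entry in exceptions.get(perm_type, {}).items():
            if entry.get("setting") == ALLOW:
                grants.setdefault(host_from_pattern(pattern), set()).add(perm_type)

    findings = {}
    for host, types in grants.items():
        reasons = []
        if host in KNOWN_BAD_HOSTS:
            reasons.append("host matches a known campaign indicator")
        if len(types) >= 2:
            # Notifications + location + clipboard on one origin is the
            # combination the kit collects; two or more deserves a human look.
            reasons.append("multiple sensitive permissions granted to one origin")
        findings[host] = {
            "granted": sorted(types),
            "suspicious": bool(reasons),
            "reasons": reasons,
        }
    return findings


def main(argv: list) -> int:
    # Usage: python audit_prefs.py [path/to/Preferences]; no path audits the sample.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_PREFS
    for host, info in audit_permissions(text).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{flag:10} {host:30} {', '.join(info['granted'])}")
        for reason in info["reasons"]:
            print(f"{'':10} - {reason}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pointed at a real profile, the script lists every origin that holds an allow grant on one of the watched permission types and flags those that match an indicator or combine two or more of them; the thresholds are deliberately simple so that analysts can tune them to their own environment.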
Even without additional malware, the web app is already remarkably powerful. A service worker remains active after the window is closed; it can process push notifications and buffer stolen data locally until a connection to the server is reestablished. Via a WebSocket relay, the browser also acts as an HTTP proxy, executing fetch requests with attacker-supplied headers and credentials so that the traffic appears to originate from the victim’s IP address. If the victim is connected to a corporate network, this can expose internal company resources. The toolkit also includes a simple port scanner that probes the local subnet for active hosts.
Those who follow all the steps are also offered an Android APK called System Service, with the package name com.device.sync, presented as a critical security update. It requests 33 permissions, including access to SMS, call logs, the microphone, contacts, and accessibility services, which together enable complete control of the device. This includes keylogging via a modified keyboard, interception of incoming notifications containing MFA codes, and abuse of the autofill functionality.
The full functionality works primarily in Chromium-based browsers such as Google Chrome and Microsoft Edge, where Background Sync is also available for long-term persistence. In Firefox and Safari, some APIs such as WebOTP and Contact Picker are limited or unavailable, but push notifications and service workers remain a real risk there too.