New Google-Themed Phishing Attack Turns Browser Features Into Spyware



A new phishing campaign is abusing Google branding and Progressive Web Apps to steal sensitive data. Attackers have been tricking users into installing a malicious web app that acts like spyware.

According to BleepingComputer, the campaign uses a fake Google Account security website hosted on the domain google-prism[.]com. The site mimics a legitimate security check and guides victims through a four-step “protection” process.

Fake Google security site pushes malicious PWA

The phishing page pretends to run a Google security verification. Instead, it asks users to grant risky permissions and install a web-based app.

In some cases, victims are also urged to install a companion Android APK described as a “critical security update.” The attackers rely entirely on social engineering, as no software vulnerability is exploited.

What the malicious web app can do

The installed Progressive Web App (PWA) leverages legitimate browser features to carry out malicious activity. It can intercept one-time passcodes through the WebOTP API, harvest cryptocurrency wallet addresses, exfiltrate contacts and clipboard data, track real-time GPS location, function as a network proxy, and even perform internal port scanning on the victim’s local network.

The app checks a remote /api/heartbeat endpoint every 30 seconds to receive attacker commands. It also abuses push notifications to lure victims back into reopening it.

A service worker enables background activity, while a WebSocket relay allows attackers to route HTTP requests through the victim’s browser as if they were inside the local network.

On Chromium-based browsers, the malware can persist using Periodic Background Sync. Even without the Android app, the PWA alone can steal sensitive data and proxy traffic.
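
One way to hunt for the 30-second /api/heartbeat polling described above in web proxy logs, added here as an example and not taken from the original report. The log format, hostnames, client addresses, jitter tolerance and minimum request count are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

HEARTBEAT_PATH = "/api/heartbeat"  # endpoint path named in the article
EXPECTED_GAP = 30.0                # polling interval from the article, seconds
TOLERANCE = 5.0                    # assumed jitter allowance, seconds
MIN_REQUESTS = 4                   # assumed minimum sample before flagging

# Constructed proxy log lines: "timestamp client-ip host path"
SAMPLE_LOG = """\
2025-01-01T10:00:00 10.0.0.5 pwa-c2.example /api/heartbeat
2025-01-01T10:00:12 10.0.0.5 www.example /index.html
2025-01-01T10:00:30 10.0.0.5 pwa-c2.example /api/heartbeat
2025-01-01T10:01:01 10.0.0.5 pwa-c2.example /api/heartbeat?id=1
2025-01-01T10:01:30 10.0.0.5 pwa-c2.example /api/heartbeat
2025-01-01T10:02:00 10.0.0.5 pwa-c2.example /api/heartbeat
2025-01-01T10:00:00 10.0.0.9 monitor.example /api/heartbeat
2025-01-01T10:03:10 10.0.0.9 monitor.example /api/heartbeat
2025-01-01T10:03:15 10.0.0.9 monitor.example /api/heartbeat
2025-01-01T10:20:00 10.0.0.9 monitor.example /api/heartbeat
truncated line
"""

def find_beacons(log_text):
    """Return client/host pairs polling the heartbeat path about every 30 s."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3].split("?", 1)[0] != HEARTBEAT_PATH:
            continue  # malformed line or unrelated request
        try:
            seen[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
        except ValueError:
            continue  # unparsable timestamp
    hits = []
    for (client, host), times in sorted(seen.items()):
        if len(times) < MIN_REQUESTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        # Share of gaps close to the median: tolerates an occasional missed poll
        steady = sum(abs(g - mid) <= TOLERANCE for g in gaps) / len(gaps)
        if abs(mid - EXPECTED_GAP) <= TOLERANCE and steady >= 0.8:
            hits.append({"client": client, "host": host,
                         "requests": len(times), "median_gap": mid})
    return hits
```

Legitimate services can also expose a heartbeat path, which is why the check requires a steady interval near 30 seconds rather than matching on the path alone.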

Android APK escalates the attack

If victims proceed to install the Android APK, the threat level increases significantly. The app reportedly asks for 33 high-risk permissions, granting it access to SMS messages, call logs, the microphone, contacts, and powerful accessibility services that can control on-screen activity.

It includes a custom keyboard for keystroke capture, a notification listener, credential interception services, and overlay attack components.

The malware registers as a device administrator, sets a boot receiver, and schedules alarms to maintain persistence and hinder removal.

Why this attack is especially dangerous

The campaign does not rely on software exploits. Victims grant permissions willingly, believing they are completing a legitimate Google security check.

Firefox and Safari limit many advanced browser capabilities, but push notifications can still function. On Chromium-based browsers, the attack surface is broader due to advanced PWA features.

Security researchers warn that this technique shows how legitimate browser APIs can be weaponized for full credential theft and network abuse.

How to stay safe

Google does not perform security checks through random pop-ups or require additional app installations.

Legitimate account security tools are only available at myaccount.google.com. If infected, users are advised to do the following:

  • Remove suspicious apps named “Security Check” or “System Service” (com.device.sync)
  • Revoke device administrator access before uninstalling
  • Remove the malicious web app from the installed browser apps
  • Revoke notification permissions from unknown sites

The campaign highlights how modern browser features can be turned into powerful attack tools through deception alone.

Google is currently testing Gemini anti-scam protection in Chrome, which could help curb similar phishing threats in the future.

At the same time, security researchers have shown that exposed Google API keys can be abused to gain unauthorized access to Gemini AI, and separate reports indicate that attackers have already weaponized Gemini for cyberattacks, fueling broader concerns about AI-driven abuse.
