Weaponized PWAs: How Fake Security Apps Hijack Trust

A new phishing campaign demonstrates how attackers are weaponizing Progressive Web Apps (PWAs) to steal credentials, intercept multi‑factor authentication (MFA) codes, and even proxy traffic through victims’ browsers. By masquerading as a legitimate Google Account security page, the attackers trick users into installing a malicious PWA that operates like a full desktop app — but with hidden capabilities.

The Attack Mechanics

  • Fake domain: google-prism[.]com posed as a Google security service.
  • Social engineering: Users were guided through a four‑step “security check” that requested risky permissions.
  • Malicious PWA: Installed directly from the browser, running in its own window without visible browser controls.
  • Capabilities:
    • Exfiltrates contacts, GPS data, and clipboard contents.
    • Acts as a network proxy and internal port scanner.
    • Uses the WebOTP API to intercept SMS verification codes.
    • Push notifications lure victims back into the app to trigger exfiltration.

Android Companion App

  • Victims were also offered a “critical security update” APK.
  • Required 33 permissions, including SMS, call logs, microphone, and accessibility services.
  • Components included:
    • Custom keyboard for keystroke logging.
    • Notification listener to capture incoming alerts.
    • Overlay attack capabilities for credential phishing.
  • Persistence achieved by registering as a device administrator and auto‑restarting components.
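The permission and component profile described above is exactly what a defender can triage from a manifest before an APK ever runs. The script below is an added example (it is not code from the article or from the campaign) that parses an `AndroidManifest.xml`, scores the red flags this post lists (SMS and call-log access, microphone, overlay permission, a keystroke-capturing input method, a notification listener, device-admin persistence, boot auto-restart) and flags the SMS-plus-overlay/accessibility combination. The sample manifest, the package name `com.example.securitycheck`, the weights and the verdict thresholds are all constructed for illustration; the permission and binding names are the standard Android ones.

```python
"""Triage an Android manifest for the red-flag profile of the "security update" APK.
Added defensive example; the sample manifest below is constructed, not the real APK's."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard Android permission names, with an illustrative weight each (assumed values).
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": ("reads stored SMS (MFA codes)", 3),
    "android.permission.RECEIVE_SMS": ("intercepts incoming SMS", 3),
    "android.permission.READ_CALL_LOG": ("reads call logs", 2),
    "android.permission.RECORD_AUDIO": ("microphone access", 2),
    "android.permission.SYSTEM_ALERT_WINDOW": ("draws overlays (credential phishing)", 3),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("auto-restart at boot", 1),
}

# A component whose android:permission is one of these asks the system to bind it
# as a device admin, accessibility service, notification listener or keyboard.
RISKY_BINDINGS = {
    "android.permission.BIND_DEVICE_ADMIN": ("device administrator (persistence)", 3),
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("accessibility service", 3),
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": ("notification listener", 3),
    "android.permission.BIND_INPUT_METHOD": ("custom keyboard (keystroke capture)", 3),
}

SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
UI_CAPTURE = {"android.permission.SYSTEM_ALERT_WINDOW",
              "android.permission.BIND_ACCESSIBILITY_SERVICE",
              "android.permission.BIND_INPUT_METHOD"}


def audit_manifest(manifest_xml: str) -> dict:
    """Return requested-permission count, findings, a score and a verdict."""
    root = ET.fromstring(manifest_xml)
    findings, hits, score = [], set(), 0

    requested = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    for perm in requested:
        if perm in RISKY_PERMISSIONS:
            desc, weight = RISKY_PERMISSIONS[perm]
            findings.append(f"permission {perm}: {desc}")
            hits.add(perm)
            score += weight

    for tag in ("service", "receiver", "activity"):
        for comp in root.iter(tag):
            binding = comp.get(ANDROID_NS + "permission")
            if binding in RISKY_BINDINGS:
                desc, weight = RISKY_BINDINGS[binding]
                findings.append(f"{tag} {comp.get(ANDROID_NS + 'name')}: {desc}")
                hits.add(binding)
                score += weight

    # SMS interception combined with overlay/accessibility/keyboard capture is the
    # banking-trojan profile the post describes; escalate it explicitly.
    if hits & SMS_PERMS and hits & UI_CAPTURE:
        findings.append("combination: SMS interception plus overlay/keyboard/accessibility capture")
        score += 5

    app = root.find("application")
    label = app.get(ANDROID_NS + "label") if app is not None else None
    verdict = "high" if score >= 10 else "medium" if score >= 4 else "low"
    return {"label": label, "permission_count": len(requested),
            "findings": findings, "score": score, "verdict": verdict}


# Constructed sample resembling the companion app's profile (not the real manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securitycheck">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Security Check">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".KeyboardService"
             android:permission="android.permission.BIND_INPUT_METHOD"/>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = audit_manifest(xml)
        print(f"{name}: label={result['label']!r} verdict={result['verdict']} score={result['score']}")
        for f in result["findings"]:
            print("  -", f)
```

Run it against a manifest extracted from an APK under review (for example via `apktool d`) and treat a "high" verdict with a generic label such as "Security Check" or "System Service" as grounds for removal and device-admin revocation rather than as a definitive verdict on its own.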

Why It Matters

  • No exploit needed: Attackers rely entirely on legitimate browser features and user consent.
  • Browser as proxy: The malicious PWA relays attacker traffic through the victim’s browser, bypassing traditional detection.
  • Cross‑platform risk: Even without the Android app, the PWA alone can harvest sensitive data and intercept MFA codes.
  • Trust abuse: By mimicking Google’s security branding, attackers exploit the strongest psychological anchor — user trust.

Defensive Recommendations

  • User awareness: Google does not run security checks via pop‑ups or request app installations for account protection.
  • App audits: Look for suspicious entries like “Security Check” or “System Service” with device admin privileges.
  • Browser hygiene: Remove malicious PWAs via Chrome/Edge/Safari settings; restrict notification permissions.
  • MFA hardening: Favor hardware security keys or app‑based authenticators over SMS codes.
  • Network monitoring: Watch for unusual proxy traffic originating from browsers.
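The last recommendation, watching for proxy-like traffic from browsers, is the one most teams can act on with telemetry they already collect. The script below is an added example (not code from the article) showing two detections that match the PWA behaviour described earlier: a browser process touching many internal IP:port pairs inside a short window (the internal port scan) and a browser process opening connections to external hosts on non-web ports (relayed attacker traffic). The log format, the `host=`/`proc=`/`dst=` field names, the sample lines, the thresholds and the browser process list are all constructed assumptions; the external addresses are from documentation ranges.

```python
"""Flag browser-originated traffic resembling the malicious PWA's proxy and
internal-scan behaviour.  Added defensive example over constructed telemetry."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed process names for the browsers that host the PWA.
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "chrome", "msedge", "firefox", "safari"}
WEB_PORTS = {80, 443, 8080, 8443}
# Explicit RFC 1918 + loopback check (ipaddress.is_private also counts documentation ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Hypothetical endpoint-telemetry line: "<ts>Z host=<h> proc=<p> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$"
)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one telemetry line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "host": m["host"], "proc": m["proc"].lower(),
            "ip": m["ip"], "port": int(m["port"])}


def detect(lines, window_seconds=60, scan_threshold=10):
    """Return (kind, host, proc, detail) alerts for browser processes only."""
    alerts = []
    buckets = defaultdict(set)  # (host, proc, window) -> {(internal ip, port)}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proc"] not in BROWSER_PROCS:
            continue
        if is_internal(ev["ip"]):
            key = (ev["host"], ev["proc"], int(ev["ts"].timestamp()) // window_seconds)
            buckets[key].add((ev["ip"], ev["port"]))
        elif ev["port"] not in WEB_PORTS:
            # Browsers rarely speak to external non-web ports; a PWA acting as a
            # relay for the attacker does.
            alerts.append(("nonweb_egress", ev["host"], ev["proc"], f"{ev['ip']}:{ev['port']}"))
    for (host, proc, _), targets in buckets.items():
        if len(targets) >= scan_threshold:
            alerts.append(("internal_scan", host, proc,
                           f"{len(targets)} internal ip:port pairs within {window_seconds}s"))
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_LOG = [
    # ws01: chrome.exe sweeps 11 ports on one internal host within ten seconds
    *[f"2024-05-01T10:00:{5 + i:02d}Z host=ws01 proc=chrome.exe dst=10.0.0.5:{p}"
      for i, p in enumerate([21, 22, 23, 25, 80, 135, 139, 443, 445, 3389, 8080])],
    # ws01: chrome.exe then connects to an external SMTP port (relay-style egress)
    "2024-05-01T10:01:10Z host=ws01 proc=chrome.exe dst=198.51.100.7:25",
    # ws02: ordinary HTTPS browsing and a non-browser SMB session; neither should alert
    "2024-05-01T10:00:12Z host=ws02 proc=chrome.exe dst=203.0.113.9:443",
    "2024-05-01T10:00:13Z host=ws02 proc=outlook.exe dst=10.0.0.5:445",
]

if __name__ == "__main__":
    for kind, host, proc, detail in detect(SAMPLE_LOG):
        print(f"[{kind}] {host} {proc}: {detail}")
```

The thresholds are deliberately conservative starting points: tune `scan_threshold` and `WEB_PORTS` to what your browsers normally do, and pair a hit with the browser-hygiene step above (listing installed PWAs on the alerting host) before escalating.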

Final Thought

This campaign highlights a new frontier: PWAs as attack vectors. By blending legitimate web technologies with social engineering, attackers bypass traditional defenses and turn trust into a weapon. For leaders, the lesson is clear: security awareness must evolve alongside modern app delivery models.
