Fake Google Security Check Transforms Browser Into Surveillance Toolkit via PWA Installation

A sophisticated phishing campaign has been discovered that transforms web browsers into comprehensive surveillance platforms by masquerading as a Google Account security page. According to Malwarebytes researchers, this attack represents one of the most fully-featured browser-based surveillance toolkits observed in the wild.

Attack Methodology

The attack begins with a convincing replica of a Google Account security alert. Victims are guided through a four-step process that appears to enhance their security but actually grants extensive access to attackers:

  1. PWA Installation: Users install the “security tool” as a Progressive Web App, which removes the browser address bar and creates the appearance of a native application
  2. Notification Permissions: Framed as enabling “security alerts,” this grants the attacker a persistent communication channel
  3. Contact Harvesting: Using the legitimate Contact Picker API, the site tricks users into sharing contacts under the guise of “protection”
  4. Location Tracking: GPS data including latitude, longitude, altitude, heading, and speed are exfiltrated under the premise of “identity verification”

Technical Capabilities

The malware operates on two levels. The page script runs while the app is open, attempting to read clipboard contents on focus changes, intercept SMS verification codes via the WebOTP API, and build detailed device fingerprints. It polls the command-and-control server every 30 seconds, awaiting operator commands.

The service worker component survives even after closing the browser tab. It handles push notifications, executes background tasks, and queues stolen data locally when offline, automatically flushing the queue when connectivity returns.

Browser as HTTP Proxy

Perhaps the most concerning capability is the WebSocket relay that allows attackers to route arbitrary web requests through the victim’s browser. This enables:

  • Access to internal corporate resources if the victim is on a corporate network
  • Bypassing IP-based access controls
  • Making attacker traffic appear to originate from the victim’s residential IP
  • Internal network port scanning from within the browser sandbox

Android Companion Implant

For victims who follow every prompt, the attack delivers a secondary Android APK disguised as a “critical security update.” The 122KB package, labeled “System Service,” requests 33 permissions including:

  • SMS and call log access
  • Microphone access
  • Accessibility service control
  • A custom keyboard for keystroke capture
  • Notification listener for intercepting 2FA codes
  • Autofill service hijacking

Indicators of Compromise

The infrastructure uses the domain google-prism[.]com as the sole command-and-control server, routed through Cloudflare’s CDN.

Protection Recommendations

Organizations and individuals should:

  • Train users to verify URLs before granting any browser permissions
  • Be suspicious of any “security check” that requests PWA installation
  • Regularly audit browser notification permissions and revoke suspicious entries
  • Deploy endpoint detection and response (EDR) solutions capable of monitoring browser-based attacks
  • Monitor for service worker registrations from unknown domains
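One way to act on the permission-audit recommendation above, as an added example that is neither the article's nor Malwarebytes' code: a script that reads a Chrome-style Preferences JSON and reports every origin granted notification or geolocation access that is not on an allowlist, calling out hosts that carry the Google brand name outside Google's own domain. The Preferences layout, the allowlist, and the sample entries are assumptions constructed for the demo; only the google-prism.com host comes from the article.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like Chrome's Preferences JSON (assumption about
# the layout: profile.content_settings.exceptions.<type> maps an
# "origin,*" pattern to {"setting": 1=allow, 2=block, 3=ask}). The C2 host
# is the one named in the article; the other hosts are made up.
SAMPLE_PREFS = json.dumps({"profile": {"content_settings": {"exceptions": {
    "notifications": {
        "https://mail.google.com:443,*": {"setting": 1},
        "https://google-prism.com:443,*": {"setting": 1},
        "https://news.example.net:443,*": {"setting": 2},
    },
    "geolocation": {
        "https://google-prism.com:443,*": {"setting": 1},
        "https://maps.example.org:443,*": {"setting": 1},
    },
}}}})

ALLOW = 1
AUDITED_TYPES = ("notifications", "geolocation")
TRUSTED_SUFFIXES = ("google.com", "example.org")  # placeholder allowlist

def host_of(pattern: str) -> str:
    # Patterns are "<primary>,<secondary>"; only the primary origin's host matters.
    return urlsplit(pattern.split(",", 1)[0]).hostname or ""

def is_trusted(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def audit_prefs(prefs_json: str) -> list[tuple[str, str, str]]:
    """Return (permission_type, host, reason) for each granted permission whose
    host is off the allowlist; a brand name outside the brand's own domain
    (the google-prism pattern) is called out separately."""
    exceptions = (json.loads(prefs_json).get("profile", {})
                  .get("content_settings", {}).get("exceptions", {}))
    findings = []
    for ptype in AUDITED_TYPES:
        for pattern, entry in exceptions.get(ptype, {}).items():
            host = host_of(pattern)
            if entry.get("setting") != ALLOW or is_trusted(host):
                continue
            reason = "brand lookalike" if "google" in host else "not on allowlist"
            findings.append((ptype, host, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_prefs(SAMPLE_PREFS):
        print(*finding)
```

On a real profile, point the script at the user's Preferences file and extend the allowlist to the origins your organization actually sanctions; a granted permission for a lookalike host is the signal to revoke it and check for an installed PWA and registered service worker from the same origin.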

This attack demonstrates the evolving sophistication of browser-based threats and the need for comprehensive security awareness training that addresses modern attack vectors beyond traditional email phishing.
