This new phishing campaign uses a fake Google Account security page to steal passcodes and more


  • Attackers are abusing Progressive Web Apps (PWAs) on Android
  • Victims lured via phishing site google-prism[dot]com into installing malicious PWA
  • PWA harvests clipboard, crypto wallets, OTPs, GPS, and more

Threat actors have begun turning to Progressive Web Apps (PWAs) to do their evil bidding on Android, stealing login credentials, cryptocurrency wallet data, GPS location, and more, experts have warned.

Security researchers from Malwarebytes recently detailed one such campaign they spotted in the wild, starting with a phishing email, luring people to a fake Google site google-prism[dot]com.

Under the pretense of enhanced security, the victims are walked through a four-step “security” check that includes installing a malicious PWA.

Harvesting the data

For those unaware of PWAs, these are web applications that can be installed from the browser and launched like regular apps on the device, complete with a home-screen icon, but still run inside the browser engine and are limited to the permissions the browser can grant.

Once installed, the PWA asks for permission to send notifications, read the clipboard, and use other browser features, and registers a service worker to enable push notifications, background tasks, and data staging.

At this point, the malware starts collecting data whenever the app is open: clipboard contents, cryptocurrency wallet addresses, one-time passwords via the WebOTP API, contacts, GPS location, and device fingerprinting details are all harvested. Since this data can only be gathered while the PWA is in the foreground, it also sends push notifications to lure the victim into reopening it.

The PWA also establishes a WebSocket-based relay and an HTTP proxy capability, so the attackers can route web requests through the victim's device, scan the network it sits on, and even reach internal resources.

In some cases, Malwarebytes said, the victim is also encouraged to download a “companion app” advertised as a “critical security update” which requests extensive permissions and registers as a device administrator.

This app, aimed at the more gullible victims, enables a deeper compromise than a browser-bound PWA can achieve: SMS interception, keystroke capture via a custom keyboard, notification monitoring, credential theft, and long-term persistence.

If you have installed such an app, you can remove the PWA by looking for a “Security Check” entry in the list of installed apps and uninstalling it. If your device also has an app called “System Service” with the package name com.device.sync, check whether it has device admin access; if it does, revoke that first under Settings - Security - Device admin apps (Android will not let you uninstall an active device admin), and then uninstall the app.
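For anyone checking a device over adb rather than through the Settings UI, the following triage script is an added example, not code from the article or from Malwarebytes. It assumes USB debugging is enabled so that `adb shell pm list packages` and `adb shell dumpsys device_policy` can be run, uses the package name com.device.sync named above as the indicator, and reports whether the package is installed and whether it holds device-admin rights; the two SAMPLE_* strings it runs against are constructed, not captured from a real device, and the exact layout of `dumpsys device_policy` output varies between Android versions.

```shell
#!/bin/sh
# Added triage helper (not from the article): looks for the "System Service"
# companion app, package com.device.sync, in adb output and checks whether it
# is an enabled device admin. Assumes adb access to the device. The SAMPLE_*
# strings are constructed for a stand-alone run.

SUSPECT_PKG="com.device.sync"

# Constructed sample of `adb shell pm list packages` output.
SAMPLE_PM="package:com.android.chrome
package:com.google.android.gms
package:com.device.sync"

# Constructed sample of the relevant part of `adb shell dumpsys device_policy`.
# Enabled admins are listed as ComponentInfo{<package>/<receiver class>}.
SAMPLE_DPM="Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.device.sync/com.device.sync.AdminReceiver}
      uid=10234"

# is_installed PKG PM_OUTPUT: true if PKG appears as its own "package:" line.
# CRs are stripped because adb shell output is often CRLF-terminated.
is_installed() {
    printf '%s\n' "$2" | tr -d '\r' | grep -qxF "package:$1"
}

# admin_component PKG DPM_OUTPUT: prints the admin receiver component of PKG,
# or nothing if PKG is not listed as an enabled device admin.
admin_component() {
    printf '%s\n' "$2" | tr -d '\r' \
        | sed -n "s|.*ComponentInfo{\($1/[^}]*\)}.*|\1|p" | head -n 1
}

# triage PKG PM_OUTPUT DPM_OUTPUT: prints clean, installed, or installed+admin.
triage() {
    if ! is_installed "$1" "$2"; then
        echo "clean"
    elif [ -n "$(admin_component "$1" "$3")" ]; then
        echo "installed+admin"
    else
        echo "installed"
    fi
}

# remediation PKG DPM_OUTPUT: prints the steps in the order they must be done.
# `adb uninstall` fails while the admin is still active, so deactivation is first.
remediation() {
    comp=$(admin_component "$1" "$2")
    if [ -n "$comp" ]; then
        echo "1. Settings > Security > Device admin apps: deactivate $comp"
    fi
    echo "2. adb uninstall $1"
}

# Stand-alone run against the constructed samples. On a real device, pass the
# adb output as arguments:
#   ./triage.sh "$(adb shell pm list packages)" "$(adb shell dumpsys device_policy)"
pm_out="${1:-$SAMPLE_PM}"
dpm_out="${2:-$SAMPLE_DPM}"
status=$(triage "$SUSPECT_PKG" "$pm_out" "$dpm_out")
echo "$SUSPECT_PKG: $status"
[ "$status" = "clean" ] || remediation "$SUSPECT_PKG" "$dpm_out"
```

The PWA itself does not show up under the com.device.sync name: a PWA installed through Chrome on Android is wrapped in a WebAPK whose package name starts with org.chromium.webapk, so a second grep over the same `pm list packages` output for that prefix is the quickest way to spot the “Security Check” entry from the command line and confirm it is gone after uninstalling.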

Via BleepingComputer



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
