Fake Google Security Site Uses PWA App to Steal Credentials, MFA Codes

Cybersecurity • Enterprise • Defense

BleepingComputer • March 2, 2026

Why It Matters

The attack demonstrates how legitimate browser features can be weaponized without exploiting software bugs, expanding the threat surface for both consumers and enterprises. Compromised browsers become entry points for credential theft, financial fraud, and lateral movement within corporate networks.

Key Takeaways

  • Fake Google site uses PWA to steal OTPs
  • Malware proxies traffic via victim's browser
  • Companion Android APK requests 33 high‑risk permissions
  • WebOTP API intercepts SMS verification codes
  • Service worker enables persistent background data exfiltration

Pulse Analysis

Progressive Web Apps have blurred the line between native software and web content, offering users seamless installation directly from a browser. Attackers now exploit this convenience by embedding malicious code in seemingly benign sites, sidestepping traditional exploit chains. By leveraging PWA capabilities—such as service workers, push notifications, and background sync—phishers can maintain a foothold on a victim’s device long after the initial click, turning ordinary browsers into covert data exfiltration tools.

The technical sophistication of the campaign lies in its multi‑layered approach. The web app harvests clipboard data, GPS coordinates, and contacts while using the WebOTP API to intercept SMS‑based two‑factor codes. Its service worker acts as an HTTP proxy, enabling attackers to issue arbitrary fetch requests, scan internal networks, and relay traffic through the victim’s browser. The optional Android companion further escalates risk, demanding 33 permissions, registering as a device administrator, and installing a custom keyboard to capture keystrokes. Together, these components create a persistent, cross‑platform espionage platform that can siphon financial credentials and facilitate broader network intrusion.

Mitigation hinges on user education and strict permission hygiene. Organizations should enforce URL filtering to block look‑alike domains like google‑prism.com and disable unnecessary browser APIs such as WebOTP and background sync where feasible. End users must verify that Google security checks only occur within the official myaccount.google.com portal and avoid installing unsolicited PWAs or APKs. Security teams can monitor for anomalous proxy traffic and service worker registrations, while endpoint protection should flag applications requesting excessive device‑admin privileges. As browsers continue to adopt native‑app features, vigilance against socially engineered PWA attacks will become a critical component of modern cyber defense.
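The monitoring suggested above can be put into practice with a small log-review script. The following Python is an added example, not code from the article or from BleepingComputer: it scans proxy log lines for two signals, a fetch of a service worker script (browsers send the `Service-Worker: script` request header when fetching a service worker, per the Service Worker specification) and a request to a look‑alike Google domain outside an allowlist, and reports each request that shows either. The log format, the allowlist, and the sample log lines are constructed assumptions, and the registrable-domain logic is a two-label simplification rather than a public-suffix-list lookup.

```python
import re
from dataclasses import dataclass, field

# Constructed sample proxy log lines (not taken from the article). Assumed format:
#   <client_ip> <method> <url> <status> <request headers separated by ';'>
SAMPLE_LOG = """\
10.0.0.12 GET https://myaccount.google.com/security-checkup 200 Accept: text/html
10.0.0.12 GET https://google-prism.com/security-check 200 Accept: text/html
10.0.0.12 GET https://google-prism.com/sw.js 200 Service-Worker: script;Accept: */*
10.0.0.12 GET https://accounts.google-prism.com/manifest.json 200 Accept: application/manifest+json
10.0.0.31 GET https://www.google.com/ 200 Accept: text/html
10.0.0.31 GET https://cdn.example.com/sw.js 200 Service-Worker: script
"""

# Registrable domains the organisation treats as genuinely Google-owned (assumption;
# a real deployment would maintain this list from its own policy).
GOOGLE_ALLOWLIST = {"google.com", "googleapis.com", "gstatic.com", "youtube.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) ?(.*)$")
HOST_RE = re.compile(r"^https?://([^/:]+)")


@dataclass
class Finding:
    client: str
    url: str
    reasons: list = field(default_factory=list)


def parse_headers(raw: str) -> dict:
    """Turn 'Name: value;Name2: value2' into a dict with lower-cased names."""
    headers = {}
    for part in raw.split(";"):
        if ":" in part:
            name, value = part.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def registrable_domain(host: str) -> str:
    """Two-label approximation of the registrable domain (no public-suffix list),
    so 'accounts.google-prism.com' -> 'google-prism.com'. Multi-label public
    suffixes such as .co.uk are not handled by this simplification."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host: str) -> bool:
    """A host that mentions 'google' but whose registrable domain is not allowlisted."""
    if registrable_domain(host) in GOOGLE_ALLOWLIST:
        return False
    return "google" in host.lower()


def is_service_worker_fetch(headers: dict) -> bool:
    """Browsers send 'Service-Worker: script' when fetching a service worker script,
    so this header marks the moment a site registers background code."""
    return headers.get("service-worker", "").lower() == "script"


def analyze(log_text: str) -> list:
    """Return one Finding per request that is a look-alike domain hit, a service
    worker registration, or both."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        client, _method, url, _status, raw_headers = m.groups()
        host_match = HOST_RE.match(url)
        if not host_match:
            continue
        host = host_match.group(1)
        reasons = []
        if is_lookalike(host):
            reasons.append("lookalike-domain")
        if is_service_worker_fetch(parse_headers(raw_headers)):
            reasons.append("service-worker-registration")
        if reasons:
            findings.append(Finding(client, url, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.client, f.url, ",".join(f.reasons))
```

A request that trips both checks at once, a service worker script fetched from a look‑alike domain, is the combination worth paging on, since it is the point at which a phishing page gains the persistent background component described above; a service worker fetch from an allowlisted domain is routine and is reported only so the baseline can be reviewed.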

Source article: BleepingComputer, "Fake Google Security site uses PWA app to steal credentials, MFA codes"