A phishing campaign posing as a Google Account security check is tricking users into installing a Progressive Web App (PWA) that functions as a full browser-based RAT — stealing MFA codes in real time, harvesting cryptocurrency wallets, and turning the victim's browser into a network proxy. This isn't your typical credential phishing page.
What Happened
Reported by Malwarebytes researcher Stefan Dasic in February 2026, the campaign operates from the domain google-prism[.]com, which presents victims with a convincing Google Account security page. Instead of simply harvesting credentials, the page prompts users to "install" a security app — actually a PWA that gains persistent access to the browser with extensive permissions.
What makes PWA phishing particularly dangerous: once installed, the browser address bar disappears. The victim sees what appears to be a native Google application with no visible URL to verify legitimacy.
Technical Breakdown
The Attack Chain
- Initial lure — victim receives a link to `google-prism[.]com` (via email, SMS, or ad redirect)
- Fake security check — page mimics Google's account security UI and warns of "suspicious activity"
- PWA installation prompt — user is asked to install a "Google Security" app for "enhanced protection"
- Permission harvesting — PWA requests contacts, location, notifications, and clipboard access
- Persistent C2 — installed PWA beacons to `/api/heartbeat` every 30 seconds for new commands
Capabilities (Browser RAT)
Once installed, the PWA operates as a multi-function RAT with capabilities mapped to MITRE ATT&CK:
| Capability | Technique | Detail |
|---|---|---|
| MFA theft | T1111 | Abuses WebOTP API to intercept SMS verification codes in real time |
| Credential harvest | T1056 | Fake login form captures Google credentials before forwarding to real site |
| Clipboard monitoring | T1115 | Targets cryptocurrency wallet addresses for clipboard hijacking |
| Location tracking | T1430 | Real-time GPS exfiltration via Geolocation API |
| Contact exfil | T1636.003 | Harvests device contacts via Contacts API |
| Network proxy | T1090 | Routes attacker traffic through victim's browser |
| Port scanning | T1046 | Scans internal network for live hosts from within the browser context |
The WebOTP API Abuse
This is the most technically interesting part. The WebOTP API was designed to let legitimate websites auto-read SMS OTP codes. The phishing PWA abuses this by:
- Requesting the `otp-credentials` permission during "security setup"
- Listening for incoming SMS containing OTP patterns
- Exfiltrating intercepted codes to the C2 server before they expire
- Simultaneously submitting them to the real Google login page (real-time MFA relay)
This effectively turns SMS-based 2FA into a single factor — the attacker has both the password (from the fake form) and the OTP (from WebOTP interception) simultaneously.
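The WebOTP API does not hand every incoming SMS to a page: the browser only releases a code when the last line of the message binds it to the requesting page's origin, in the form `@host #code`. The following is an added example, not code from the original post, that parses that origin-binding format and emulates the browser-side check, so a defender assessing this capability can see exactly which messages a given origin could receive. The sample messages and origins are constructed for the example.

```python
"""Origin-bound SMS OTP format check, as the WebOTP API specifies.

Added example (not from the original post): parses the "@host #code"
binding line that browsers require before releasing an SMS code to
navigator.credentials.get({otp: {transport: ['sms']}}) on a page.
All sample messages below are constructed.
"""
import re
from urllib.parse import urlparse

# Last non-empty line must be "@<host> #<code>", optionally followed by
# "@<embedded-host>" when the request comes from a cross-origin iframe.
_BINDING = re.compile(
    r"^@(?P<host>\S+)\s+#(?P<code>\S+)(?:\s+@(?P<embedded>\S+))?$"
)


def parse_origin_bound_sms(message):
    """Return (host, code) from the binding line, or None if the SMS is not origin-bound."""
    lines = [ln.strip() for ln in message.strip().splitlines() if ln.strip()]
    if not lines:
        return None
    match = _BINDING.match(lines[-1])
    if not match:
        return None
    return match.group("host"), match.group("code")


def otp_for_origin(message, origin):
    """Emulate the browser check: release the code only when the binding host
    equals the host of the origin that called the WebOTP API."""
    parsed = parse_origin_bound_sms(message)
    if parsed is None:
        return None
    host, code = parsed
    requester = (urlparse(origin).hostname or "").lower()
    if host.lower() != requester:
        return None
    return code


# Constructed samples (not real Google message text)
LEGIT_SMS = "G-483921 is your Google verification code.\n\n@google.com #483921"
PLAIN_SMS = "Your code is 483921"

if __name__ == "__main__":
    for origin in ("https://google.com", "https://google-prism.com"):
        print(origin, "->", otp_for_origin(LEGIT_SMS, origin))
```

Run against the constructed sample, the code is released to `https://google.com` and withheld from `https://google-prism.com`; a message with no binding line is released to no one. When evaluating an MFA-relay claim, this is the check to keep in mind: a browser only auto-reads codes that were formatted for the origin making the request.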
Android APK Escalation
On Android devices, the campaign goes further by offering an APK download disguised as a "Google Security" app. The APK includes:
- Keylogging keyboard — replaces the default input method
- Notification monitoring — reads all push notifications (including auth app codes)
- Accessibility service abuse — screen monitoring and interaction capture
- Device admin persistence — prevents easy uninstallation
Detection & Hunting
Sigma Rule for PWA Installation Monitoring
```yaml
title: Suspicious PWA Installation from Non-Trusted Domain
id: 8c3f1e2d-4a5b-6c7d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects PWA installations from domains mimicking Google services
logsource:
  product: chrome
  category: browser_event
detection:
  selection_domain:
    url|contains:
      - 'google-prism'
      - 'google-security'
      - 'google-protect'
      - 'account-verify'
  selection_action:
    action: 'pwa_install'
  # Sigma conditions cannot carry inline field modifiers, so the
  # "not google.com" exclusion is expressed as a named filter.
  # Note that a substring match on 'google.com' also excludes any host that
  # merely embeds that string; tighten to an explicit allowlist in production.
  filter_google:
    url|contains: 'google.com'
  condition: selection_domain or (selection_action and not filter_google)
level: high
tags:
  - attack.credential_access
  - attack.t1111
  - attack.t1056
```
IOCs
```text
# Domain
google-prism[.]com

# Behavioral indicators
- PWA manifest requesting: geolocation, notifications, clipboard-read, contacts
- Heartbeat beacon: GET /api/heartbeat (30-second interval)
- WebOTP API permission request from non-Google origin
```
Enterprise Detection
- Chrome Enterprise: Block PWA installations from non-allowlisted domains via the `WebAppInstallForceList` policy
- MDM/EDR: Alert on APK sideloading with accessibility service + device admin permissions
- Network: Monitor for 30-second beacon intervals to newly registered domains
- Email gateway: Block links to domains registered < 30 days with Google brand terms
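The network item above (watch for fixed 30-second beacon intervals) is easy to operationalise over proxy or DNS logs by measuring the regularity of inter-request gaps per source/destination pair. The following is an added example, not code from the original post or from Malwarebytes, that does exactly that over constructed proxy log lines; the log format, the jitter threshold and the minimum hit count are assumptions for the example.

```python
"""Flag source/destination pairs whose requests arrive at a machine-regular interval.

Added example (not from the original post). Reads constructed proxy log
lines of the form "timestamp src dst path" and reports pairs whose
inter-arrival jitter (stddev / mean) is near zero, which is how a
heartbeat such as GET /api/heartbeat every 30 s stands out from human
browsing. Format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one PWA heartbeat every 30 s, plus ordinary browsing.
SAMPLE_LOG = """\
2026-02-10T09:00:00 10.0.0.5 google-prism.com /api/heartbeat
2026-02-10T09:00:30 10.0.0.5 google-prism.com /api/heartbeat
2026-02-10T09:01:00 10.0.0.5 google-prism.com /api/heartbeat
2026-02-10T09:01:30 10.0.0.5 google-prism.com /api/heartbeat
2026-02-10T09:02:00 10.0.0.5 google-prism.com /api/heartbeat
2026-02-10T09:00:07 10.0.0.6 example.org /index.html
2026-02-10T09:03:41 10.0.0.6 example.org /news
2026-02-10T09:09:02 10.0.0.6 example.org /about
2026-02-10T09:15:55 10.0.0.6 example.org /index.html
"""


def parse_log(text):
    """Group request timestamps by (src, dst) pair."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _path = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series


def beacon_score(times, min_hits=4):
    """Return (mean_gap_seconds, jitter_ratio), or None with too few requests.

    jitter_ratio is stddev/mean of the inter-arrival gaps; values near 0
    indicate a timer-driven client rather than a person."""
    if len(times) < min_hits:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, max_jitter=0.1, min_hits=4):
    """Return [(src, dst, mean_gap_seconds)] for low-jitter periodic traffic."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        score = beacon_score(times, min_hits)
        if score and score[1] <= max_jitter:
            hits.append((src, dst, round(score[0], 1)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: periodic request every {interval}s")
```

On the sample, only the `10.0.0.5 -> google-prism.com` pair is reported (30.0 s, zero jitter); the `example.org` browsing has gaps of roughly 3.5, 5.4 and 6.9 minutes and is ignored. In production, pair this with a domain-age lookup so that regular traffic to long-established update or telemetry endpoints does not page anyone.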
Mitigation Steps
- Block `google-prism[.]com` and related domains at the DNS/proxy level
- Disable the WebOTP API in enterprise Chrome via the `AutoSelectCertificateForUrls` policy where SMS OTP isn't needed
- Switch from SMS 2FA to FIDO2/passkeys — hardware keys are immune to WebOTP interception
- Restrict PWA installations — Chrome Enterprise policy `DefaultWebAppInstallSetting=block`
- User awareness — Google never asks to install apps via web pop-ups; all security features live at myaccount.google.com
Why This Matters
PWA-based phishing represents an evolution beyond traditional credential harvesting. By combining real-time MFA interception, persistent browser access, and RAT capabilities in a single package, attackers no longer need to deliver malware binaries — the browser itself becomes the implant. As browsers gain more native APIs (WebOTP, Contacts, Geolocation), the attack surface for PWA-based threats will only grow.
Defenders: treat PWA installation events with the same suspicion as executable downloads.
Sources: Malwarebytes, BleepingComputer