Warning: A fake Google website is stealing passwords and security codes. Here's how you can spot it.




A new phishing campaign impersonates Google's security systems with a particularly sophisticated strategy: it steals credentials, two-step verification codes, and other sensitive device data via a progressive web app (PWA).

This attack uses social engineering and legitimate browser functions to trick victims into thinking they're performing an official security check. To achieve this, cybercriminals use a fake domain that mimics the purported Google Account Protection page.

The fake website displays a four-step installation process that encourages the user to grant advanced permissions and install a malicious web application. Progressive Web Applications (PWAs) can be installed from the browser and run as standalone programs, in their own window and without the browser's usual controls, thus enhancing their legitimate appearance.

According to Malwarebytes researchers, the application is capable of extracting contacts, real-time location data, and clipboard contents. Furthermore, it can function as a network proxy and internal port scanner, allowing attackers to redirect traffic through the victim's browser and discover active devices within their local network.

One of its primary objectives is to intercept verification codes sent via SMS in compatible browsers. The application also requests permission to send notifications, which lets it display fake alerts designed to trick the user into reopening the PWA, where it can prompt additional actions or steal more information.

The campaign is also distributing an Android APK file presented as a "critical security update," falsely claiming to be Google-approved. This file requests up to 33 high-risk permissions, including access to SMS messages, call logs, microphone, and accessibility services.

Its components include a custom keyboard that captures keystrokes, a notification reader, and data storage mechanisms that make uninstalling it difficult. Researchers note that Google does not conduct security checks via pop-up windows, nor does it require the installation of additional software from external websites.
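For defenders triaging a suspicious "security update" APK, the following added example (not code from Malwarebytes or from the campaign) flags the permission groups and component types the article names in a manifest. It assumes the manifest has already been decoded to text XML (for instance with apktool); the mapping of the keyboard, notification reader and accessibility components to Android bind permissions is this example's assumption, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permission groups the article names (SMS, call logs, microphone).
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.RECORD_AUDIO": "microphone",
}
# Bind permissions behind the component types the article lists (assumed mapping).
RISKY_SERVICES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_INPUT_METHOD": "custom keyboard",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification reader",
}

def triage_manifest(manifest_xml):
    """Return a sorted list of (category, permission-or-service-name) findings."""
    root = ET.fromstring(manifest_xml)
    findings = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID + "name", "")
        if name in RISKY_PERMISSIONS:
            findings.add((RISKY_PERMISSIONS[name], name))
    for svc in root.iter("service"):
        bind = svc.get(ANDROID + "permission", "")
        if bind in RISKY_SERVICES:
            findings.add((RISKY_SERVICES[bind], svc.get(ANDROID + "name", "?")))
    return sorted(findings)

# Constructed sample manifest (not taken from the campaign's APK).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".Keys"
             android:permission="android.permission.BIND_INPUT_METHOD"/>
    <service android:name=".Watcher"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for category, item in triage_manifest(SAMPLE):
        print(f"{category:22} {item}")
```

A manifest that combines SMS access with an accessibility service, an input method and a notification listener is a strong signal for manual review, since few legitimate apps need all of them together.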

