Cybersecurity experts have warned that a new phishing campaign is being carried out through fake security websites that use Progressive Web App (PWA) technology to steal user login credentials, OTP codes, and cryptocurrency wallet data. The campaign is based on deceiving users by posing as a security verification service.
google-prism[.]com Impersonation
According to reports, the attack is being operated through the fake domain google-prism[.]com, which attempts to impersonate a security service associated with Google. The website displays a four-step setup process in which users are asked to grant risky permissions and install a suspicious PWA application.
Researchers explained that the campaign relies heavily on social engineering to convince users that their device security is being checked. The fake page claims to provide “additional protection” and requests sensitive permissions such as clipboard access, notifications, and other high-risk privileges.
Security experts said the PWA app is particularly dangerous because it can function like a standalone application inside the browser. Once the user grants permissions during the fake security process, the attack begins. The malicious app can steal text copied to the clipboard, GPS location data, and contact lists stored on the device.
Network Proxy and WebOTP Abuse
The report also states that the malware can act as a network proxy. This means attackers can route internet requests through the victim’s browser and identify active hosts within the local network.
The attack also attempts to intercept SMS-based one-time passwords (OTP) using the WebOTP API. The malicious site checks the /api/heartbeat endpoint every 30 seconds to receive new commands from the attacker.
Researchers from cybersecurity company Malwarebytes said that the malware also performs detailed device fingerprinting, enabling attackers to track users' online behavior. The most alarming finding is the presence of a WebSocket relay system inside the PWA app, allowing attackers to send network requests through the victim’s browser.
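The 30-second /api/heartbeat polling described above leaves a regular pattern in web proxy logs that defenders can hunt for. The following is an added example, not code from the report or from Malwarebytes: the log format, the jitter tolerance, the minimum hit count, and all sample lines (including the host updates-check.example) are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Indicators from the article; the domain is stored defanged and re-fanged at runtime.
IOC_HOST = "google-prism[.]com".replace("[.]", ".")
BEACON_PATH = "/api/heartbeat"
BEACON_PERIOD = 30  # seconds, per the article
TOLERANCE = 5       # assumed allowance for timer jitter
MIN_HITS = 4        # assumed minimum requests before calling it a beacon

# Constructed proxy log (ISO time, client IP, host, path); not real traffic.
SAMPLE_LOG = f"""\
2024-05-01T10:00:00 10.0.0.5 {IOC_HOST} /api/heartbeat
2024-05-01T10:00:05 10.0.0.8 updates-check.example /api/heartbeat
2024-05-01T10:00:12 10.0.0.9 intranet.example /api/heartbeat
2024-05-01T10:00:30 10.0.0.5 {IOC_HOST} /api/heartbeat
2024-05-01T10:00:36 10.0.0.8 updates-check.example /api/heartbeat
2024-05-01T10:01:01 10.0.0.5 {IOC_HOST} /api/heartbeat
2024-05-01T10:01:04 10.0.0.8 updates-check.example /api/heartbeat
2024-05-01T10:01:30 10.0.0.5 {IOC_HOST} /api/heartbeat
2024-05-01T10:01:35 10.0.0.8 updates-check.example /api/heartbeat
2024-05-01T10:07:45 10.0.0.9 intranet.example /api/heartbeat
malformed line
"""

def find_beacons(log_text):
    """Return {(client, host): verdict} for clients polling BEACON_PATH on a ~30 s cadence."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3].split("?")[0] != BEACON_PATH:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines with unparseable timestamps
        hits[(parts[1], parts[2])].append(ts)

    findings = {}
    for key, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= MIN_HITS and abs(median(gaps) - BEACON_PERIOD) <= TOLERANCE:
            findings[key] = "known-domain" if key[1] == IOC_HOST else "cadence-only"
    return findings

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

A "cadence-only" result is a triage lead rather than a verdict, since legitimate applications also poll heartbeat endpoints.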
HTTP Proxy Capabilities
Experts explained that the malware can function like an HTTP proxy, executing fetch requests with attacker-defined headers, methods, and credentials, and returning the complete response including headers. This capability significantly increases the risk of financial fraud and account compromise.
Push Notifications and APK Threats
The cybersecurity report also found that the malicious PWA abuses Push Notification and Periodic Background Sync features. Fake security alerts are sent through notifications to force users to repeatedly open the app.
In addition, a suspicious Android APK is being distributed as a “critical security update”. The APK demands 33 high-risk permissions including access to SMS, call logs, microphone, contacts, and accessibility services.
Researchers warned that the APK contains components such as a custom keyboard designed to record keystrokes, a notification listener to capture incoming notifications, and an autofill credential harvesting module. To maintain persistence, the malware can also register itself as a device administrator, making removal difficult.
Safety Recommendations Issued
Security specialists said that genuine security checks are never performed through website pop-up windows. Users are advised to manage security settings only through the official account portal. If an application named “Security Check” or a package named com.device.sync is found on the device, it should be removed immediately.
Experts further advised users to avoid installing PWA applications from unknown websites, restrict notification permissions, and uninstall suspicious APK files immediately. The report also noted that browsers such as Firefox and Safari have limited exposure to this malware, although push notification threats may still persist.
About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
