Google: Fake Google Security site uses PWA app to steal credentials, MFA codes

Sophisticated Phishing Campaign Exploits Fake Google Security Page to Steal OTPs and Cryptocurrency

A recent phishing campaign is impersonating Google’s security infrastructure to deploy a malicious Progressive Web App (PWA) capable of stealing one-time passcodes (OTPs), harvesting cryptocurrency wallet addresses, and turning victims’ browsers into proxies for attacker traffic.

The attack, discovered by researchers at Malwarebytes, leverages social engineering to trick users into installing a fake Google security tool from the domain google-prism[.]com. The fraudulent site mimics a legitimate Google security page, guiding victims through a four-step setup process that requests dangerous permissions including clipboard access, notification control, and PWA installation.

Once installed, the malicious PWA can exfiltrate contacts, real-time GPS data, and clipboard contents, while also functioning as a network proxy and internal port scanner. This allows attackers to route traffic through the victim’s browser and scan internal networks. The malware also abuses the WebOTP API to intercept SMS-based verification codes and checks for new commands every 30 seconds via an /api/heartbeat endpoint.
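The fixed 30-second /api/heartbeat poll described above is a detectable pattern on the network side. The following is an added defender-side example, not code from the article or from Malwarebytes: it parses constructed proxy log lines (the log format, the client IP and the `LEGIT_GOOGLE` allow-list are assumptions), flags request series with near-constant timing, and separately flags hostnames that carry the Google brand outside Google's real domain.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (timestamp, client, host, path); the
# google-prism.com entries mimic the article's 30-second /api/heartbeat poll.
SAMPLE_LOG = """\
2026-03-02T10:00:00Z 10.0.0.5 google-prism.com /api/heartbeat
2026-03-02T10:00:30Z 10.0.0.5 google-prism.com /api/heartbeat
2026-03-02T10:01:00Z 10.0.0.5 google-prism.com /api/heartbeat
2026-03-02T10:01:30Z 10.0.0.5 google-prism.com /api/heartbeat
2026-03-02T10:02:00Z 10.0.0.5 google-prism.com /api/heartbeat
2026-03-02T10:00:07Z 10.0.0.5 myaccount.google.com /
2026-03-02T10:03:41Z 10.0.0.5 myaccount.google.com /security
2026-03-02T10:09:12Z 10.0.0.5 myaccount.google.com /security
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
LEGIT_GOOGLE = ("google.com",)  # assumed allow-list of the brand's real domains

def parse_log(text):
    """Yield (timestamp, client, host, path) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return {(client, host, path): mean_gap_seconds} for request series whose
    inter-request gaps are near-constant (std dev / mean <= max_jitter)."""
    series = defaultdict(list)
    for ts, client, host, path in parse_log(text):
        series[(client, host, path)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean, 1)
    return beacons

def looks_like_brand_impersonation(host, brand="google"):
    """Flag hosts that contain the brand name but sit outside its real domains."""
    h = host.lower()
    return brand in h and not any(h == d or h.endswith("." + d) for d in LEGIT_GOOGLE)
```

The jitter threshold is a tuning knob: real C2 polling from a browser timer is very regular, while human browsing of the same host (the myaccount.google.com lines) is not.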

To maintain persistence, the PWA uses push notifications to prompt users to reopen the app, ensuring continuous access to clipboard data and OTPs. A service worker component handles notifications, executes attacker payloads, and prepares stolen data for exfiltration. The most concerning feature is a WebSocket relay, which enables attackers to send HTTP requests through the victim’s browser, effectively masking their activity as originating from the compromised device.

For users who opt into "enhanced security," the campaign also delivers a malicious Android APK disguised as a critical Google security update. The APK, which claims to protect contacts, requests 33 high-risk permissions, including access to SMS, call logs, microphone, and accessibility services. It includes a custom keyboard for keylogging, a notification listener, and components for overlay-based phishing attacks. To evade removal, the malware registers as a device administrator, sets a boot receiver, and schedules alarms to restart if terminated.

The attack relies entirely on social engineering rather than exploits, tricking victims into granting permissions that enable full compromise. Even without the Android APK, the web-based PWA can steal OTPs, track location, scan networks, and proxy traffic, all while appearing as a legitimate Google service.

Google does not use pop-up security checks or require software installations for account protection; all security tools are accessible via myaccount.google.com. Removal instructions for the malicious PWA and APK have been provided by Malwarebytes, though the attack highlights the growing sophistication of phishing campaigns leveraging trusted browser features.

Source: https://www.bleepingcomputer.com/news/security/fake-google-security-site-uses-pwa-app-to-steal-credentials-mfa-codes/

Google cybersecurity rating report: https://www.rankiteo.com/company/google
