Bitcoin Forum
March 03, 2026, 01:41:08 PM
Author Topic: Fake Google Security PWA Used to Capture Login Details and targets crypto wallet  (Read 14 times)
coinrifft (OP)
Full Member
Activity: 126
Merit: 104
Today at 11:06:16 AM
 #1

According to Malwarebytes, there is a phishing campaign that uses a fake Google Account security page to deliver a web-based app that is capable, among other things, of harvesting our cryptocurrency wallet. Also, it can intercept SMS verification codes via the WebOTP API on supported browsers.

And it has what they call a four-step attack:

Quote
*The user is prompted to “install” the security tool as a PWA.

*The site requests notification permissions, framed as enabling “security alerts.” Web push notifications give the attacker a persistent communication channel that can function even when the PWA is not actively open.

*The site uses the Contact Picker API—a legitimate browser feature designed for sharing contacts with web apps. The victim is prompted to select contacts for sharing. After selection, the interface displays confirmation text such as “X contacts protected,” framing the step as a security check. However, network analysis shows the selected contacts are sent directly to the attacker-controlled domain.

*The site requests GPS location under the guise of “verifying your identity from a trusted location.” Latitude, longitude, altitude, heading, and speed are all exfiltrated.

So they are leveraging PWA (Progressive Web App) + social engineering attack.

One such website that security researchers have discovered is:

Code:
google-prism[.]com

So you might want to review the permissions of your browser, and here is what they recommended.

For Android:

  • Check your installed apps and home screen for a “Security Check” PWA. On Android, go to Settings > Apps and look for it. Uninstall it immediately.
  • Check for an app called “System Service” with the package name com.device.sync. If device administrator access is enabled, revoke it first under Settings > Security > Device admin apps before uninstalling.
  • Change passwords for any accounts where you used two-factor authentication via SMS or copied passwords to the clipboard while the malware was present.
  • Revoke notification permissions for any web apps you do not recognise. In Chrome on Android: Settings > Site Settings > Notifications.
  • Review your autofill settings. If an unknown autofill service was enabled, remove it under Settings > Passwords & autofill > Autofill service.
  • If the native APK was installed, consider a factory reset. The malware registers as a device administrator and implements multiple persistence mechanisms. If removal fails or device administrator privileges cannot be revoked, a factory reset may be necessary.
  • Run a scan with reputable mobile security software to detect any remaining components.

On Windows (Chrome, Edge, and other Chromium browsers)

  • Uninstall the PWA. In Chrome, click the three-dot menu and go to Installed apps (or visit chrome://apps). Right-click the “Security Check” app and select Remove. In Edge, go to edge://apps and do the same.
  • Unregister the service worker. Navigate to chrome://serviceworker-internals (or edge://serviceworker-internals) and look for any entry associated with the malicious domain. Click Unregister to remove it. If the PWA remains installed or push permissions are still granted, the service worker may continue to receive push-triggered events in the background.
  • Revoke notification permissions. Go to chrome://settings/content/notifications (or edge://settings/content/notifications) and remove any site you do not recognise from the Allowed list.
  • Clear site data for the malicious origin. In Chrome: Settings > Privacy and security > Site settings > View permissions and data stored across sites. Search for the domain and click Delete data. This removes cached files, the offline exfiltration queue, and any stored configuration.
  • Check for suspicious browser extensions. While this particular toolkit does not use an extension, victims who followed attacker instructions may have installed additional components. Review chrome://extensions or edge://extensions and remove anything unfamiliar.
  • Reset browser sync if clipboard or password data may have been compromised. If you sync passwords across devices, change your Google or Microsoft account password first, then review saved passwords for any you did not create.
  • Run a full system scan. While this threat is primarily browser-resident on Windows, the remote eval capability means additional payloads could have been delivered during the compromise window.

On Firefox (desktop and Android)

Quote
Firefox does not support PWA installation, the Contact Picker API, WebOTP, or Background Sync so much of this toolkit simply will not function. However, Firefox does support service workers and push notifications, meaning the notification-based C2 channel could still operate if a victim granted permissions. Clipboard monitoring would depend on page execution context and user interaction events, and is not guaranteed in background scenarios on Firefox.

  • Revoke notification permissions. Go to Settings > Privacy & Security > Permissions > Notifications > Settings, and remove any unfamiliar entries.
  • Remove the service worker. Navigate to about:serviceworkers and click Unregister next to any entry you do not recognise.
  • Clear site data. Go to Settings > Privacy & Security > Cookies and Site Data > Manage Data, search for the domain, and remove it. This wipes cached content and any queued exfiltration data.
  • On Firefox for Android, also check that about:config is not accessible and review any home screen shortcuts that may have been added manually. Firefox on Android does allow “Add to Home screen” even without full PWA support.

On Safari (macOS and iOS)

Quote
Safari on iOS 16.4 and later supports PWA installation (“Add to Home Screen”) and push notifications, so the core phishing flow and notification-based C2 channel can work. However, Safari does not support the Contact Picker API, WebOTP, or Background Sync, which limits the toolkit’s passive surveillance capabilities.

  • Remove the PWA from your home screen. Long-press the Security Check icon and tap Remove App (or Delete Bookmark on older iOS versions).
  • Revoke notification permissions. On iOS: Settings > Safari > Notifications (or Settings > Notifications, and look for the PWA by name). On macOS: System Settings > Notifications > Safari.
  • Clear website data. On iOS: Settings > Safari > Advanced > Website Data, search for the domain, and delete it. On macOS: Safari > Settings > Privacy > Manage Website Data.
  • On macOS, also check Safari > Settings > Extensions for anything unfamiliar, and review any Login Items under System Settings > General > Login Items & Extensions.

https://www.malwarebytes.com/blog/privacy/2026/02/inside-a-fake-google-security-check-that-becomes-a-browser-rat


So just be careful as you might encounter this and you don't want to fall victim to it. Don't just trust but verify.

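The report above describes contacts and GPS fields being POSTed to the attacker's Google look-alike domain. The following is an added example (not code from the Malwarebytes report or from the post): a small Node.js detector that scans constructed web-proxy log entries for that exfiltration pattern, flagging Contact Picker results, geolocation fields and SMS codes sent to any host that merely contains "google". The sample entries and their JSON bodies are constructed for illustration; only the host name google-prism.com comes from the post.

```javascript
// Added example, not part of the original post. Scans proxy log entries
// (constructed below) for Contact Picker / geolocation / OTP exfiltration.
const GEO_FIELDS = ["latitude", "longitude", "altitude", "heading", "speed"];

// Anything containing "google" that is not google.com or a subdomain of it.
function isGoogleLookalike(host) {
  const h = host.toLowerCase();
  return /google/.test(h) && !(h === "google.com" || h.endsWith(".google.com"));
}

// Returns a list of finding labels for a JSON request body, or null if benign.
function classifyBody(body) {
  let obj;
  try { obj = JSON.parse(body); } catch (e) { return null; }
  if (!obj || typeof obj !== "object") return null;
  const findings = [];
  // Contact Picker API results look like [{name, tel, email}, ...].
  if (Array.isArray(obj.contacts) && obj.contacts.some(c => c && (c.tel || c.email))) {
    findings.push("contact-picker-data");
  }
  // Geolocation dumps carry several of the coordinate fields named in the report.
  if (GEO_FIELDS.filter(f => f in obj).length >= 2) findings.push("geolocation-data");
  // A bare 4-8 digit "otp" field is consistent with a WebOTP intercept.
  if (typeof obj.otp === "string" && /^\d{4,8}$/.test(obj.otp)) findings.push("sms-otp");
  return findings.length ? findings : null;
}

// Walks POST entries and raises an alert per suspicious body; look-alike hosts are high severity.
function scanProxyLog(entries) {
  const alerts = [];
  for (const e of entries) {
    if (e.method !== "POST") continue;
    const findings = classifyBody(e.body);
    if (!findings) continue;
    const lookalike = isGoogleLookalike(e.host);
    alerts.push({ host: e.host, path: e.path, findings, severity: lookalike ? "high" : "medium" });
  }
  return alerts;
}

// Constructed sample log (hypothetical paths and bodies; host name from the post).
const SAMPLE_LOG = [
  { method: "POST", host: "google-prism.com", path: "/api/contacts",
    body: JSON.stringify({ contacts: [{ name: "A", tel: ["+10000000000"] }] }) },
  { method: "POST", host: "google-prism.com", path: "/api/loc",
    body: JSON.stringify({ latitude: 1.2, longitude: 3.4, altitude: 5, heading: 90, speed: 0 }) },
  { method: "GET",  host: "accounts.google.com", path: "/", body: "" },
  { method: "POST", host: "accounts.google.com", path: "/login", body: JSON.stringify({ user: "x" }) },
];
```

Run with `node detector.js` after adding `console.log(scanProxyLog(SAMPLE_LOG))`; in production the same functions would consume parsed proxy or browser network-export records rather than the inline sample.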