Fake Google Account security page PWA phishing campaign
Campaign
Summary
Hide ▲
Show ▼
A phishing campaign is using a fake Google Account security page and a Progressive Web App (PWA) to steal one-time passcodes, harvest cryptocurrency wallet addresses, and relay attacker traffic through victims’ browsers. The operation matters because it turns the browser into an attack platform for credential theft, session abuse, and network proxying. A companion Android APK extends the same operation with broader permission abuse and persistence.
Related Happenings
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
The **Grandoreiro** and **BTMOB** trojans are being used in active campaigns against **Windows** and **Android** targets across **Europe** and **Latin America**, increasing the ri...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware ActivityAbout this happening: The **Grandoreiro** and **BTMOB** trojans are being used in active campaigns against **Windows** and **Android** targets across **Europe** and **Latin America**, increasing the ri...
Google rolls out Android Intrusion Logging in Android Advanced Protection Mode
Security Tool/Service
First: 14.05.2026 16:30
Last: 14.05.2026 16:30
Sources 1
About this happening:
Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...
Google rolls out Android Intrusion Logging in Android Advanced Protection Mode
Security Tool/ServiceAbout this happening: Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...
Android Intrusion Logging forensic logging rollout for spyware investigations
Security Tool/Service
First: 13.05.2026 09:55
Last: 13.05.2026 09:55
Sources 1
About this happening:
**Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...
Android Intrusion Logging forensic logging rollout for spyware investigations
Security Tool/ServiceAbout this happening: **Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...
Android 17 expands platform security and privacy protections
Security Tool/Service
First: 12.05.2026 20:00
Last: 12.05.2026 20:00
Sources 1
About this happening:
**Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
Android 17 expands platform security and privacy protections
Security Tool/ServiceAbout this happening: **Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
Apple and Google Messages beta rollout of cross-platform E2EE RCS
Security Tool/Service
First: 12.05.2026 16:00
Last: 12.05.2026 16:00
Sources 1
About this happening:
Apple and Google have begun a **beta rollout** of **end-to-end encrypted RCS** between **iPhone** and **Android** devices, materially reducing carrier and in-transit visibility fo...
Apple and Google Messages beta rollout of cross-platform E2EE RCS
Security Tool/ServiceAbout this happening: Apple and Google have begun a **beta rollout** of **end-to-end encrypted RCS** between **iPhone** and **Android** devices, materially reducing carrier and in-transit visibility fo...
Timeline
-
02.03.2026 22:23 2 articles · 2mo ago
Fake Google Account security page PWA phishing campaign disclosed
Initial DisclosureA phishing campaign targeting users uses a fake Google Account security page, a malicious Progressive Web App (PWA), and a companion Android APK to steal one-time passcodes, harvest cryptocurrency wallet addresses, exfiltrate contacts, collect real-time GPS data and clipboard contents, proxy attacker traffic through victims’ browsers, and persist through browser notifications and Android device-admin abuse.
Show sources
- Fake Google Security site uses PWA app to steal credentials, MFA codes — www.bleepingcomputer.com — 02.03.2026 22:23
- Fake Google Security site uses PWA app to steal credentials, MFA codes — www.bleepingcomputer.com — 02.03.2026 22:23