Fake Google Account security page PWA phishing campaign
Campaign
Summary
Hide ▲
Show ▼
A phishing campaign is using a fake Google Account security page and a Progressive Web App (PWA) to steal one-time passcodes, harvest cryptocurrency wallet addresses, and relay attacker traffic through victims’ browsers. The operation matters because it turns the browser into an attack platform for credential theft, session abuse, and network proxying. A companion Android APK extends the same operation with broader permission abuse and persistence.
Related Happenings
Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/Service
H score11
First: 03.07.2026 12:35
Last: 03.07.2026 12:35
Sources 1
About this happening:
**Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...
Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/ServiceAbout this happening: **Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...
Search for perplexity ai malicious Chrome extension
Malware Activity
H score29
First: 29.06.2026 21:40
Last: 29.06.2026 21:40
Sources 1
About this happening:
A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Search for perplexity ai malicious Chrome extension
Malware ActivityAbout this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Google Gemini on Android notification-injection bypass using Fake Context Alignment
Technical Analysis
H score16
First: 03.06.2026 22:11
Last: 03.06.2026 22:11
Sources 1
About this happening:
Researchers found a **notification-based prompt-injection bypass** in **Google Gemini on Android** that could turn hostile notification text into **unauthorized assistant actions*...
Google Gemini on Android notification-injection bypass using Fake Context Alignment
Technical AnalysisAbout this happening: Researchers found a **notification-based prompt-injection bypass** in **Google Gemini on Android** that could turn hostile notification text into **unauthorized assistant actions*...
Google rolls out Android fake call detection against AI impersonation scam calls
Security Tool/Service
H score20
First: 03.06.2026 12:02
Last: 03.06.2026 12:02
Sources 1
About this happening:
**Google** is rolling out **fake call detection** on **Android 12 and later** devices this month, giving users a built-in warning when a caller may be using **AI voice-cloning** o...
Google rolls out Android fake call detection against AI impersonation scam calls
Security Tool/ServiceAbout this happening: **Google** is rolling out **fake call detection** on **Android 12 and later** devices this month, giving users a built-in warning when a caller may be using **AI voice-cloning** o...
Openew[.]app cloaked malware download portal
Malware Activity
H score26
First: 29.05.2026 21:21
Last: 29.05.2026 21:21
Sources 1
About this happening:
The **openew[.]app** malware-delivery activity now also uses **legitimate ChatGPT shared pages** as the first lure, with **Google ads** and **SEO poisoning** sending victims to a...
Openew[.]app cloaked malware download portal
Malware ActivityAbout this happening: The **openew[.]app** malware-delivery activity now also uses **legitimate ChatGPT shared pages** as the first lure, with **Google ads** and **SEO poisoning** sending victims to a...
Timeline
-
02.03.2026 22:23 2 articles · 4mo ago
Fake Google Account security page PWA phishing campaign disclosed
Initial DisclosureA phishing campaign targeting users uses a fake Google Account security page, a malicious Progressive Web App (PWA), and a companion Android APK to steal one-time passcodes, harvest cryptocurrency wallet addresses, exfiltrate contacts, collect real-time GPS data and clipboard contents, proxy attacker traffic through victims’ browsers, and persist through browser notifications and Android device-admin abuse.
Show sources
- Fake Google Security site uses PWA app to steal credentials, MFA codes — www.bleepingcomputer.com — 02.03.2026 22:23
- Fake Google Security site uses PWA app to steal credentials, MFA codes — www.bleepingcomputer.com — 02.03.2026 22:23