Fake Google Security PWA Campaign Steals Credentials and MFA Codes
Summary
A phishing campaign uses a fake Google Account security page to deliver a Progressive Web App (PWA) that steals one-time passcodes, cryptocurrency wallet addresses, and proxies attacker traffic through victims’ browsers. The attack leverages PWA features and social engineering to deceive users into granting risky permissions and installing the malware. The campaign uses the domain google-prism[.]com and includes an optional Android APK for further device compromise.
Timeline
- 02.03.2026 22:23 · 1 article
Fake Google Security PWA Campaign Steals Credentials and MFA Codes
A phishing campaign uses a fake Google Account security page to deliver a malicious PWA that steals one-time passcodes, cryptocurrency wallet addresses, and proxies attacker traffic through victims’ browsers. The PWA can exfiltrate contacts, real-time GPS data, and clipboard contents, and acts as a network proxy. The campaign includes an optional Android APK that requests 33 high-risk permissions for further device compromise.
Sources:
- Fake Google Security site uses PWA app to steal credentials, MFA codes — www.bleepingcomputer.com — 02.03.2026 22:23
Information Snippets
- The campaign uses a fake Google Account security page to deliver a malicious PWA.
  First reported: 02.03.2026 22:23 (1 source, 1 article)
- The PWA can exfiltrate contacts, real-time GPS data, and clipboard contents.
  First reported: 02.03.2026 22:23 (1 source, 1 article)
- The PWA acts as a network proxy and internal port scanner, routing requests through the victim’s browser.
  First reported: 02.03.2026 22:23 (1 source, 1 article)
- The PWA uses the WebOTP API to intercept SMS verification codes.
  First reported: 02.03.2026 22:23 (1 source, 1 article)
- The campaign includes an optional Android APK that requests 33 high-risk permissions.
  First reported: 02.03.2026 22:23 (1 source, 1 article)
- The APK includes components for overlay-based attacks and credential phishing.
  First reported: 02.03.2026 22:23 (1 source, 1 article)