Phishing Campaign Exploits PWAs and Google Impersonation for OTP and Crypto Theft
A sophisticated phishing campaign has been uncovered, utilizing a simulated Google Account security page to distribute a malicious Progressive Web App (PWA). This application is designed to steal one-time passcodes (OTPs), collect cryptocurrency wallet addresses, and route attacker traffic through victim browsers.
The attack leverages PWA features, which allow web applications to be installed from a website and appear as standalone applications in their own windows, along with cunning social engineering tactics.
The Deceptive Approach: PWA Installation and Social Engineering
The campaign artfully persuades users to grant necessary permissions under the guise of a security verification process. The domain google-prism[.]com is used, presenting itself as a legitimate Google security service to establish credibility.
The site outlines a deceptive four-step setup process, which involves granting elevated permissions and installing the malicious PWA. In some instances, the campaign further promotes a companion Android application, falsely claiming it will 'protect' contacts.
Malicious PWA Capabilities Unveiled
Cybersecurity firm Malwarebytes has reported the extensive capabilities of this malicious PWA. The PWA can exfiltrate sensitive data including contacts, real-time GPS data, and clipboard contents.
Beyond data theft, it possesses advanced functionalities, operating as a network proxy and internal port scanner. This enables attackers to route requests through the victim’s browser and identify active hosts on the local network. The website also demands permissions for push notifications, allowing the attacker to send alerts or trigger further data exfiltration. Crucially, the WebOTP API is utilized to intercept SMS verification codes, with the application checking for new commands every 30 seconds to maintain control.
Core Objectives and Technical Infrastructure
Malwarebytes emphasizes that the primary objectives of this campaign include the theft of one-time passwords and cryptocurrency wallet addresses, alongside the creation of a detailed device fingerprint.
The PWA's internal architecture is robust, featuring a service worker that manages push notifications, executes tasks from attacker-provided payloads, and prepares stolen data for exfiltration.
A significant component is a WebSocket relay, which enables attackers to direct web requests through the victim’s network, acting as an HTTP proxy.
The inclusion of a Periodic Background Sync handler ensures persistent connections to compromised devices, as long as the malicious PWA remains installed.
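As an added illustration of the capability set described in this section, the following triage heuristic (example code written here, not Malwarebytes' tooling or anything recovered from the campaign) scans a PWA's JavaScript for the browser APIs named above and flags the combinations that legitimate apps rarely need together. The indicator names, the regexes, both sample scripts and the relay.example.invalid host are constructed for the example.

```python
import re

# Map the browser APIs the campaign abuses to regexes that find their use in
# a PWA's page or service-worker JavaScript (hypothetical triage heuristic).
INDICATORS = {
    "otp_interception": r"navigator\.credentials\.get\(\s*\{[^}]*\botp\b",  # WebOTP
    "periodic_sync":    r"addEventListener\(\s*['\"]periodicsync['\"]",
    "push_handler":     r"addEventListener\(\s*['\"]push['\"]",
    "websocket_relay":  r"new\s+WebSocket\(",
    "contacts_access":  r"navigator\.contacts\.select\(",
    "geolocation":      r"navigator\.geolocation\.(watchPosition|getCurrentPosition)\(",
    "clipboard_read":   r"navigator\.clipboard\.readText\(",
}

# Push and periodic sync are common in benign PWAs, so one hit is not enough;
# OTP interception, or a WebSocket relay kept alive by periodic sync, or
# harvesting of two or more personal-data sources is what raises the verdict.
def triage_script(source: str) -> dict:
    hits = sorted(name for name, pat in INDICATORS.items() if re.search(pat, source))
    s = set(hits)
    suspicious = (
        "otp_interception" in s
        or {"websocket_relay", "periodic_sync"} <= s
        or len(s & {"contacts_access", "geolocation", "clipboard_read"}) >= 2
    )
    return {"indicators": hits, "verdict": "suspicious" if suspicious else "benign"}

# Constructed samples: API usage fragments only, not code from the campaign.
MALICIOUS_SAMPLE = """
self.addEventListener('push', e => e.waitUntil(handle(e.data.json())));
self.addEventListener('periodicsync', e => e.waitUntil(poll()));
const relay = new WebSocket('wss://relay.example.invalid/ws');
const cred = await navigator.credentials.get({ otp: { transport: ['sms'] } });
const people = await navigator.contacts.select(['name', 'tel']);
navigator.geolocation.watchPosition(report);
"""
BENIGN_SAMPLE = """
self.addEventListener('push', e => e.waitUntil(showHeadline(e.data.json())));
self.addEventListener('periodicsync', e => e.waitUntil(refreshArticles()));
"""

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage_script(src))
```

Run it against the scripts a browser cached for a suspicious installed PWA; the benign sample shows why push and periodic sync alone must not trigger an alert.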
The Treacherous Android Companion App
For users who proceed to activate all 'account security features,' an Android Package Kit (APK) file is offered. This APK falsely claims to extend protection to contact lists and is presented as a 'critical security update' verified by Google.
This malicious APK aggressively requests 33 permissions, encompassing access to SMS, call logs, microphone, contacts, and accessibility services. These broad permissions are designed to facilitate extensive data theft, device compromise, and ultimately, financial fraud.
APK Mechanisms: Data Theft and Persistence
The malicious APK incorporates components such as a custom keyboard for keystroke capture, a notification listener for incoming notifications, and a service designed to intercept automatically filled credentials.
To ensure long-term persistence on the compromised device, the APK registers itself as a device administrator, sets a boot receiver to execute upon startup, and schedules alarms to restart its components if they are terminated. Malwarebytes also identified components within the APK that could be utilized for overlay-based attacks, indicating a potential for credential phishing within other legitimate applications.
Exploiting Trust, Not Vulnerabilities
The campaign cleverly leverages legitimate browser features and sophisticated social engineering tactics, removing any need to exploit software vulnerabilities.
Malwarebytes warns that even without the installation of the companion Android APK, the web application alone is highly dangerous. It can collect contacts, intercept OTPs, track location, scan internal networks, and proxy traffic.
Google advises that it does not conduct security checks through web page pop-ups or request software installations for enhanced protection; all legitimate security tools are available at myaccount.google.com.
Recommendations for Users
Malwarebytes strongly recommends that Android users remove any 'Security Check' or 'System Service' app with the package name com.device.sync after revoking its device administrator access.
Detailed removal steps for the malicious web app have also been provided for popular Chromium-based browsers (Google Chrome, Microsoft Edge) and Safari. It is noted that while many malicious app capabilities are restricted on Firefox and Safari, push notifications from the compromised PWA can still remain functional.