Disguised as a security check, this fake Google alert uses browser permissions to harvest contacts, location data, and more.
A website styled to resemble a Google Account security page is distributing what may be one of the most fully featured browser-based surveillance toolkits we have observed in the wild. Disguised as a routine security checkup, it walks victims through a four-step flow that grants the attacker push notification access, the device’s contact list, real-time GPS location, and clipboard contents—all without installing a traditional app.
For victims who follow every prompt, the site also delivers an Android companion package introducing a native implant that includes a custom keyboard (enabling keystroke capture), accessibility-based screen reading capabilities, and permissions consistent with call log access and microphone recording. The infrastructure uses a single command-and-control domain, google-prism[.]com. The domain is routed through Cloudflare’s content delivery network, a service widely used by both legitimate and malicious sites.
The attack begins with what appears to be a genuine Google Account security alert. It does not rely on an exploit or browser bug. It relies on you believing you are responding to Google. When installed as a PWA (a Progressive Web App, essentially a website that pins to the home screen and runs in its own window), the browser address bar disappears. The victim sees what looks and feels like a native Google app.
In testing, we were guided through four steps, each framed as a protective action. When the victim installs the PWA and grants permissions, two separate pieces of code go to work. Understanding which does what explains why closing the tab is not enough. The page script runs as long as the app is open. It attempts to read the clipboard on focus and visibility-change events, looking for one-time passwords and cryptocurrency wallet addresses.
It tries to intercept SMS verification codes via the WebOTP API on supported browsers, builds a detailed device fingerprint, and polls /api/heartbeat every 30 seconds, waiting for the operator to send commands. The service worker sits underneath the page, handling push notifications, running background tasks embedded in push payloads, and queuing stolen data locally when the device goes offline, then flushing that queue the moment connectivity returns.
It includes handlers for background and periodic sync events, allowing it to wake and execute tasks where those features are supported and registered. Close the browser tab and the page script stops. Clipboard monitoring and SMS interception end immediately. But the service worker remains registered. If the victim granted notification permission, the attacker can still wake it with a push message, hand it a new task, or trigger a data upload without the app being reopened. The one friction point is that Chrome expects each push to produce a visible notification and shows a generic "updated in the background" notice when a handler repeatedly does not; a victim who has already accepted "security alerts" from this page is unlikely to read that as a warning sign.
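The fixed 30-second poll to /api/heartbeat is the page-script behaviour most visible from the network side. As an added example, not code from the report or from the toolkit, the following Node script shows the cadence check a defender can run over web-proxy logs to surface it: group requests by client, host and path, then flag groups whose inter-request gaps are nearly constant. The log format, the client address, the timestamps and the example.com traffic are constructed; only the host and path come from the report.

```javascript
// Added example, not from the Malwarebytes report or the toolkit: flag
// client -> host/path pairs that are polled on a regular cadence, the
// pattern the page script's 30-second /api/heartbeat loop produces.
//
// Constructed proxy log lines. Format (an assumption, adapt to your proxy):
//   <ISO-8601 timestamp> <client-ip> <method> <url>
// The host and path are the ones named in the report; the client address,
// timestamps and the example.com requests are made up. The example.com
// group also has four hits but irregular gaps, so it must not be flagged.
const SAMPLE_LOG = [
  "2026-02-27T10:00:00Z 10.1.2.3 GET https://google-prism.com/api/heartbeat",
  "2026-02-27T10:00:05Z 10.1.2.3 GET https://www.example.com/feed",
  "2026-02-27T10:00:07Z 10.1.2.3 GET https://www.example.com/feed",
  "2026-02-27T10:00:30Z 10.1.2.3 GET https://google-prism.com/api/heartbeat",
  "2026-02-27T10:01:00Z 10.1.2.3 GET https://google-prism.com/api/heartbeat",
  "2026-02-27T10:01:31Z 10.1.2.3 GET https://google-prism.com/api/heartbeat",
  "2026-02-27T10:01:50Z 10.1.2.3 GET https://www.example.com/feed",
  "2026-02-27T10:02:00Z 10.1.2.3 GET https://google-prism.com/api/heartbeat",
  "2026-02-27T10:03:10Z 10.1.2.3 GET https://www.example.com/feed",
  "this line is malformed and must be skipped",
];

// Parse one line into { ts (ms), client, host, path }, or null if malformed.
function parseLine(line) {
  const m = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$/.exec(line.trim());
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  let url;
  try { url = new URL(m[4]); } catch { return null; }
  return { ts, client: m[2], host: url.hostname, path: url.pathname };
}

// Group requests by client + host + path and measure how regular the gaps
// between them are. jitter is the coefficient of variation (stddev / mean)
// of the inter-request gaps: a scripted poll sits near 0, human browsing
// does not. Returns one record per flagged pair.
function findBeacons(lines, { minHits = 4, maxJitter = 0.15 } = {}) {
  const groups = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const key = `${ev.client} ${ev.host}${ev.path}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(ev.ts);
  }
  const hits = [];
  for (const [key, times] of groups) {
    if (times.length < minHits) continue;
    times.sort((a, b) => a - b);
    const gaps = [];
    for (let i = 1; i < times.length; i++) gaps.push((times[i] - times[i - 1]) / 1000);
    const mean = gaps.reduce((a, g) => a + g, 0) / gaps.length;
    if (mean === 0) continue;                       // duplicate timestamps, not a cadence
    const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
    const jitter = Math.sqrt(variance) / mean;
    if (jitter > maxJitter) continue;
    const [client, target] = key.split(" ");
    hits.push({
      client,
      target,
      count: times.length,
      meanIntervalSec: Math.round(mean),
      jitter: Number(jitter.toFixed(3)),
    });
  }
  return hits;
}

// Stand-alone run: prints the flagged pairs.
console.log(JSON.stringify(findBeacons(SAMPLE_LOG), null, 2));
```

A regular 30-second poll is also what plenty of legitimate web apps do, so treat a hit as a hunting lead to pivot on (new domain, Cloudflare-fronted, fetched from a mobile browser) rather than a verdict. Push-triggered service worker traffic will not show this cadence, because the attacker chooses when to send it.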
Perhaps the most concerning capability is the WebSocket relay. Once connected, the attacker can route arbitrary web requests through the victim’s browser as if they were browsing from the victim’s own network. The malware acts as an HTTP proxy, executing fetch requests with whatever method, headers, credentials, and body the attacker specifies, then returns the full response including headers. "Credentials" here means the victim’s own browser session: with credentials included, the browser attaches whatever cookies it already holds for the target, so the operator rides logged-in sessions rather than supplying his own. Two browser limits still apply: a page script cannot set forbidden headers such as Host or Cookie, and for any target other than the C2 origin the response is only readable if that target’s CORS policy permits it (the request is still sent, but the reply comes back opaque).
The toolkit also includes a port scanner that sweeps internal network ranges (by default, all 254 addresses on the local subnet across ports 80, 443, and 8080) using a timing-based technique to identify live hosts, all from within the browser sandbox. In addition, the attacker can execute arbitrary JavaScript on the victim’s device via a remote eval command sent over the WebSocket. The toolkit is engineered to tolerate poor connectivity.
When the device is offline, captured data—clipboard captures, location updates, intercepted OTPs—is queued in the browser’s Cache API, stored as individual entries under keys like /exfil/{timestamp}-{random}. When connectivity returns, a Background Sync event replays every queued item to the server. Each entry is deleted only after the server confirms receipt, so nothing is lost to a dropped connection. On Chromium-based browsers, the service worker includes a handler for Periodic Background Sync under the tag c2-checkin, enabling scheduled wake-ups where the feature is supported and activated. Chrome grants Periodic Background Sync only to an installed web app and spaces its wake-ups at least 12 hours apart, so this is a slow fallback channel; push remains the on-demand one.
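The queued /exfil/ entries and the service worker registration are the two things an analyst can actually look for on a device. The following is an added triage helper, not part of the report or of the toolkit: pasted into the DevTools console while attached to the suspect origin (for an Android device, desktop Chrome attached through chrome://inspect), it lists the service worker registrations on that origin, whether a push subscription exists, any Periodic Background Sync tags, and every Cache API entry matching the /exfil/{timestamp}-{random} key shape. The exact character classes of those keys (digits, a dash, then an alphanumeric token) are an assumption and easy to widen. Under Node the browser-only calls are skipped and only the key matcher runs.

```javascript
// Added triage helper, not part of the report or the toolkit. In a browser
// it enumerates the service-worker state the report describes; under Node
// the browser-only calls are skipped so the key matcher can be exercised alone.

// Assumed shape of the queued exfil entries: /exfil/<digits>-<token>.
// The report gives the key template as /exfil/{timestamp}-{random}; the
// exact character classes are an assumption, widen them if needed.
const EXFIL_KEY = /\/exfil\/(\d+)-([A-Za-z0-9_-]+)$/;

// Return the URLs (as produced by cache.keys()) that look like queued exfil
// records, with the timestamp and random parts split out for the analyst.
function classifyCacheKeys(urls) {
  const hits = [];
  for (const u of urls) {
    let path;
    try { path = new URL(u).pathname; } catch { continue; }   // skip junk
    const m = EXFIL_KEY.exec(path);
    if (m) hits.push({ url: u, timestamp: m[1], random: m[2] });
  }
  return hits;
}

// Browser-only: one object per service worker registration on this origin,
// plus every cache entry that matches EXFIL_KEY. Resolves to null outside a
// browser (no navigator.serviceWorker / caches globals).
async function auditOrigin() {
  if (typeof navigator === "undefined" || !navigator.serviceWorker ||
      typeof caches === "undefined") {
    return null;
  }
  const report = { registrations: [], exfilEntries: [] };
  for (const reg of await navigator.serviceWorker.getRegistrations()) {
    const entry = {
      scope: reg.scope,
      script: reg.active ? reg.active.scriptURL : null,
      pushSubscribed: Boolean(await reg.pushManager.getSubscription()),
      periodicSyncTags: [],   // Chromium only; the report names the tag c2-checkin
    };
    if ("periodicSync" in reg) {
      entry.periodicSyncTags = await reg.periodicSync.getTags();
    }
    report.registrations.push(entry);
  }
  for (const name of await caches.keys()) {
    const cache = await caches.open(name);
    const urls = (await cache.keys()).map((req) => req.url);
    for (const hit of classifyCacheKeys(urls)) {
      report.exfilEntries.push({ cache: name, ...hit });
    }
  }
  return report;
}

// Stand-alone run: in a browser console this prints the report; under Node
// auditOrigin() resolves to null and nothing is printed.
auditOrigin().then((r) => { if (r) console.log(JSON.stringify(r, null, 2)); });
```

chrome://serviceworker-internals shows the same registrations without running any code, but not the cache contents. Clearing the origin’s site data in the browser removes the registration, its caches and the push subscription; on a device that also installed the APK, that only removes the web layer.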
Combined with push-triggered heartbeats, this means the attacker can maintain contact with a compromised device for as long as the PWA remains installed, which could be weeks or months. For victims who follow every prompt, the web layer delivers a second payload: an Android APK disguised as a “critical security update.” The download page claims it is “Version 2.1.0 · 2.3 MB · Verified by Google.” The actual file is a 122 KB package named com.device.sync, labeled “System Service” in the app drawer.
The APK requests 33 Android permissions, including high-risk privileges such as SMS access, call log access, microphone access, contacts access, and accessibility service control. The web layer’s “Enable Autofill” screen walks the victim through turning on the APK’s autofill service in Android settings. To enhance persistence, the APK registers as a device administrator (which blocks ordinary uninstallation until that status is revoked), sets a boot receiver to execute on startup, and schedules alarms intended to restart components if terminated.
The application includes components consistent with overlay-based UI capabilities, suggesting potential use for phishing or credential interception overlays. A FileProvider component is present, consistent with staged update delivery. Whether updates can be installed silently depends on device privilege level and policy configuration. This campaign shows how attackers can abuse legitimate browser features through social engineering rather than exploiting a vulnerability in Google’s systems.
Instead of using a web page merely to deliver a traditional executable, the operators turn the browser itself into a surveillance platform. The PWA layer alone—without any native installation—can harvest contacts, intercept one-time passwords, track GPS location, scan internal networks, and proxy traffic through the victim’s device. The Android APK extends those capabilities to keystroke capture, accessibility-based screen monitoring, and broader device-level surveillance through high-privilege permissions.
What makes this dangerous is that each permission request is presented as a security measure. Victims are responding to what appears to be a legitimate security alert. The social engineering is central to how the activity works. Google does not conduct security checkups through unsolicited pop-up pages. If you receive an unexpected “security alert” asking you to install software, enable notifications, or share contacts, close the page.
Legitimate account security tools are accessed directly through your Google Account at myaccount.google.com. Firefox does not support PWA installation, the Contact Picker API, WebOTP, or Background Sync, so much of this toolkit simply will not function there. However, Firefox does support service workers and push notifications, meaning the notification-based C2 channel could still operate if a victim granted permissions.
Clipboard monitoring would depend on page execution context and user interaction events, and is not guaranteed in background scenarios on Firefox. Safari on iOS 16.4 and later supports PWA installation (“Add to Home Screen”) and push notifications, so the core phishing flow and notification-based C2 channel can work. However, Safari does not support the Contact Picker API, WebOTP, or Background Sync, which limits the toolkit’s passive surveillance capabilities.
Original Source: Malwarebytes.com | Author: Stefan Dasic | Published: February 27, 2026, 11:29 am