Full Report
A phishing campaign is using a fake Google Account security page to deliver a web-based app capable of stealing one-time passcodes, harvesting cryptocurrency wallet addresses, and proxying attacker traffic through victims' browsers. [...]
Analysis Summary
# Tool/Technique: Google-Prism PWA & Android RAT
## Overview
This campaign uses a multi-stage social-engineering attack that combines Progressive Web App (PWA) technology with a companion Android malware. The attack masquerades as a legitimate "Google Security" check to trick users into granting invasive browser permissions and installing an APK, ultimately enabling MFA theft, data exfiltration, and network proxying through the victim's device.
## Technical Details
- **Type:** Malware (Browser-based PWA and Android RAT)
- **Platform:** Windows, macOS, Android (Primarily Chromium-based browsers)
- **Capabilities:** OTP Interception (WebOTP API), Proxying/Relaying traffic, Geo-location tracking, Clipboard theft, Internal port scanning.
- **First Seen:** Early 2026 (Per article date)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link]
- **[TA0003 - Persistence]**
  - [T1176 - Browser Extensions/Web Add-ons] (PWA installation)
  - [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder] (Android component)
- **[TA0006 - Credential Access]**
  - [T1539 - Steal Web Session Cookie]
  - [T1557 - Adversary-in-the-Middle]
  - [T1606.001 - Forge Web Credentials: Web Content Stickers/OTP]
- **[TA0007 - Discovery]**
  - [T1046 - Network Service Discovery] (Internal port scanning)
  - [T1124 - System Time Discovery]
- **[TA0009 - Collection]**
  - [T1115 - Clipboard Data]
  - [T1123 - Audio Capture] (Android component)
  - [T1417.002 - Input Capture: Keylogging]
- **[TA0011 - Command and Control]**
  - [T1090 - Proxy] (WebSocket traffic relaying)
## Functionality
### Core Capabilities
- **PWA Installation:** Deploys a standalone windowed application that removes browser navigation bars to appear as native system software.
- **Credential & OTP Theft:** Uses the WebOTP API to automatically intercept SMS-based MFA codes.
- **Data Exfiltration:** Harvests clipboard contents (targeting crypto addresses), GPS location, and contact lists.
- **Heartbeat Mechanism:** Checks a `/api/heartbeat` endpoint every 30 seconds for new instructions.
### Advanced Features
- **Network Proxy/Relay:** Operates as an HTTP proxy through a WebSocket relay, allowing attackers to route their own traffic through the victim’s browser to bypass geo-fencing or IP-based security.
- **Internal Port Scanning:** Identifies live hosts and open services within the victim's local network.
- **Persistence via Service Workers:** Utilizes "Periodic Background Sync" to remain active and connected even after the main PWA window is closed.
- **Android Companion (APK):** A high-privilege RAT that utilizes Accessibility Services, a custom keyboard for keylogging, and registers as a Device Administrator to prevent uninstallation.
## Indicators of Compromise
- **File Names:** `Security Check`, `System Service`
- **Package Name:** `com.device.sync` (Android)
- **Network Indicators:**
  - `google-prism[.]com`
  - `google-prism[.]com/api/heartbeat`
- **Behavioral Indicators:**
  - Browser requesting "Background Sync" and "Clipboard" permissions simultaneously.
  - Unexpected `fetch` requests initiated by a browser Service Worker to internal IP ranges (e.g., 192.168.x.x).
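The file-name and domain indicators above, together with the standalone-window behaviour described under Core Capabilities, can be checked statically against a PWA's `manifest.json`. The script below is an added example written for this summary, not code from the report or from any vendor; the sample manifest is constructed, the domain is refanged from the report's `google-prism[.]com`, and the assumption that Google's real account pages live under `google.com` comes from the mitigation advice on this page. The two-label "registrable domain" helper is a deliberate simplification and does not handle public suffixes such as `co.uk`.

```python
# Static triage of a PWA web app manifest against the report's indicators:
# the app names, the indicator domain, a display mode that hides the address
# bar, and brand impersonation (brand in the name, served from another domain).
import json
from urllib.parse import urljoin, urlparse

SUSPICIOUS_APP_NAMES = {"security check", "system service"}  # file names in the report
IOC_DOMAINS = {"google-prism.com"}                            # refanged from google-prism[.]com
# Assumption: Google's legitimate account pages are served under google.com
# (the report points users to myaccount.google.com for real security checks).
BRAND_DOMAINS = {"google": {"google.com"}}
HIDES_BROWSER_CHROME = {"standalone", "fullscreen"}           # display modes without a URL bar

# Constructed sample manifest in the shape a phishing PWA might ship (not from the report).
SAMPLE_MANIFEST = json.dumps({
    "name": "Google Security Check",
    "short_name": "Security Check",
    "start_url": "/check?src=pwa",
    "display": "standalone",
    "icons": [{"src": "https://www.google.com/favicon.ico", "sizes": "64x64"}],
})
SAMPLE_ORIGIN = "https://google-prism.com/manifest.json"   # where the manifest was fetched from

def registrable_domain(host):
    """Last two labels of a hostname (assumption: public suffixes like co.uk are not handled)."""
    labels = (host or "").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else (host or "")

def triage_manifest(raw_json, manifest_url):
    """Return the findings a responder would want for one manifest fetched from manifest_url."""
    m = json.loads(raw_json)
    findings = []
    names = [str(m.get(k, "")) for k in ("name", "short_name")]
    if any(n.lower() in SUSPICIOUS_APP_NAMES for n in names):
        findings.append("app name matches a reported indicator")

    # Resolve a relative start_url against the manifest's own URL.
    start = urljoin(manifest_url, m.get("start_url", "/"))
    start_domain = registrable_domain(urlparse(start).hostname)
    if start_domain in IOC_DOMAINS:
        findings.append(f"start_url resolves to indicator domain {start_domain}")

    display = str(m.get("display", "browser")).lower()
    for brand, legit in BRAND_DOMAINS.items():
        if any(brand in n.lower() for n in names) and start_domain not in legit:
            if display in HIDES_BROWSER_CHROME:
                findings.append(f"'{brand}' in app name, served from {start_domain}, "
                                f"display={display} hides the address bar")
            else:
                findings.append(f"'{brand}' in app name but served from {start_domain}")

    # Brand icons hotlinked from the real site are a common impersonation shortcut.
    for icon in m.get("icons", []):
        icon_domain = registrable_domain(urlparse(urljoin(manifest_url, icon.get("src", ""))).hostname)
        if icon_domain and icon_domain != start_domain:
            findings.append(f"icon hotlinked from {icon_domain}")
            break
    return {"name": names[0], "start_domain": start_domain,
            "score": len(findings), "findings": findings}

if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST, SAMPLE_ORIGIN), indent=2))
```

On the constructed sample every check fires, giving a score of 4; a manifest served from a `google.com` origin with a relative icon path produces no findings, which is the baseline a detection rule should be tuned against.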
## Associated Threat Actors
- **Unknown** (The techniques suggest a sophisticated financial or data-theft motivated group with expertise in web-standard abuse).
## Detection Methods
- **Signature-based:** Detect the `com.device.sync` package and specific PWA manifest files associated with the fake security domain.
- **Behavioral:**
  - Monitor for PWA installations from non-standard or look-alike domains.
  - Identify excessive WebOTP API calls in an unexpected application context.
  - Detect WebSocket connections that relay high volumes of HTTP traffic.
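The behavioral indicators listed under Indicators of Compromise (the 30-second `/api/heartbeat` polling, Service Worker fetches to internal IP ranges) and the behavioral detection methods above can be turned into concrete checks over proxy or browser telemetry. The script below is an added example written for this summary, not code from the report; the log format (timestamp, client IP, request initiator, method, URL, byte count) and the `serviceworker` initiator label are assumptions about what a browser or proxy exports, the log lines are constructed, and the domain is refanged from the report's `google-prism[.]com`.

```python
# Behavioral triage over constructed proxy/browser log lines for the signals the
# report describes: IOC domain contact, heartbeat beaconing, service-worker fetches
# to internal ranges, and high-volume WebSocket relays.
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

IOC_DOMAINS = {"google-prism.com"}   # refanged from the report's google-prism[.]com
HEARTBEAT_PATH = "/api/heartbeat"    # polling endpoint named in the report

# Constructed sample lines (not real telemetry): <ts> <client> <initiator> <method> <url> <bytes>
SAMPLE_LOGS = """\
2026-02-10T09:00:00Z 10.0.0.5 document GET https://www.google.com/ 1200
2026-02-10T09:00:02Z 10.0.0.5 document GET https://google-prism.com/security-check 8400
2026-02-10T09:00:05Z 10.0.0.5 document GET https://google-prism.com/manifest.json 600
2026-02-10T09:00:30Z 10.0.0.5 serviceworker GET https://google-prism.com/api/heartbeat 310
2026-02-10T09:01:00Z 10.0.0.5 serviceworker GET https://google-prism.com/api/heartbeat 310
2026-02-10T09:01:30Z 10.0.0.5 serviceworker GET https://google-prism.com/api/heartbeat 310
2026-02-10T09:02:00Z 10.0.0.5 serviceworker GET https://google-prism.com/api/heartbeat 310
2026-02-10T09:02:03Z 10.0.0.5 serviceworker GET http://192.168.1.1:80/ 0
2026-02-10T09:02:03Z 10.0.0.5 serviceworker GET http://192.168.1.10:445/ 0
2026-02-10T09:02:04Z 10.0.0.5 serviceworker GET http://192.168.1.20:8080/ 0
2026-02-10T09:02:10Z 10.0.0.5 serviceworker CONNECT wss://google-prism.com/relay 5242880
2026-02-10T09:00:10Z 10.0.0.7 document GET https://myaccount.google.com/ 3000
2026-02-10T09:05:10Z 10.0.0.7 document GET https://myaccount.google.com/security 4100
"""

def parse_logs(text):
    """Split whitespace-delimited lines into event dicts with the URL already parsed."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, initiator, method, url, nbytes = line.split()
        u = urlparse(url)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
                       "initiator": initiator, "method": method, "scheme": u.scheme,
                       "host": u.hostname or "", "path": u.path, "bytes": int(nbytes)})
    return events

def ioc_domain_hits(events):
    """Clients that contacted an indicator domain or one of its subdomains."""
    return {e["client"] for e in events
            if any(e["host"] == d or e["host"].endswith("." + d) for d in IOC_DOMAINS)}

def find_beacons(events, path=HEARTBEAT_PATH, min_count=3, max_jitter=5.0):
    """(client, host, mean interval) for a path polled at a near-constant cadence;
    the report describes a 30-second heartbeat, so low jitter is the tell."""
    buckets = defaultdict(list)
    for e in events:
        if e["path"] == path:
            buckets[(e["client"], e["host"])].append(e["ts"])
    beacons = []
    for (client, host), stamps in buckets.items():
        if len(stamps) < max(min_count, 2):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            beacons.append((client, host, round(mean(gaps), 1)))
    return beacons

def service_worker_internal_fetches(events):
    """Service-worker-initiated requests to private IPs: the report's internal-scan signal."""
    out = []
    for e in events:
        if e["initiator"] != "serviceworker":
            continue
        try:
            ip = ipaddress.ip_address(e["host"])
        except ValueError:
            continue          # hostname rather than a literal IP
        if ip.is_private:
            out.append((e["client"], str(ip)))
    return out

def high_volume_websockets(events, min_bytes=1_000_000):
    """WebSocket sessions moving enough bytes to look like relayed HTTP traffic."""
    return [(e["client"], e["host"], e["bytes"]) for e in events
            if e["scheme"] in ("ws", "wss") and e["bytes"] >= min_bytes]

def triage(text):
    """Run every check and return one dict a responder can act on."""
    events = parse_logs(text)
    return {"ioc_hosts": sorted(ioc_domain_hits(events)),
            "beacons": find_beacons(events),
            "internal_fetches": service_worker_internal_fetches(events),
            "relays": high_volume_websockets(events)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

The beacon check keys on cadence rather than on the path alone, so it still fires if the endpoint name changes; the jitter threshold and byte threshold are starting points to tune against a baseline of normal Service Worker and WebSocket activity in the environment.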
## Mitigation Strategies
- **User Education:** Advise users that Google does not conduct security checks via PWAs or browser pop-ups; legitimate checks are performed at `myaccount.google.com`.
- **Policy Enforcement:** Use MDM or Group Policy to restrict PWA installations to an approved whitelist or disable PWA notifications for untrusted domains.
- **Android Security:** Enforce policies that block "Unknown Sources" installations and monitor for apps requesting "Accessibility Services" or "Device Administrator" privileges.
## Related Tools/Techniques
- **Browser-in-the-Browser (BitB) attacks**
- **Sokun/App-based Phishing**
- **EvilProxy / Phishlets** (Similar proxying concept)