A Malwarebytes piece details a fake Google security check that escalates into a browser-based RAT, distributed as a Progressive Web App and designed to harvest broad data without installing a traditional app. In the four-step flow, victims are guided to install the "security tool" as a PWA, grant push notification permissions, share contacts via the Contact Picker API, and disclose GPS location, while clipboard content and other data are exfiltrated.
The attacker can then push commands through a WebSocket relay, turning the victim’s browser into an HTTP proxy to route traffic and scan internal networks, while the service worker handles background activity even if the tab is closed.
For victims who keep following the prompts, a native Android implant is delivered as an APK named com.device[.]sync, marketed as a “critical security update”, version 2.1.0, with 33 permissions covering SMS, call logs, the microphone, and keystroke capture; it registers as a device administrator and can restart its components at startup.
The infrastructure uses the domain google-prism[.]com, routed through Cloudflare, and the SHA-256 file hash 1fe2be4582c4cbce8013c3506bc8b46f850c23937a564d17e5e170d6f60d8c08 is listed as an IOC. Google has stated that it does not conduct security checkups through unsolicited pages.
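As an added example (not code from the Malwarebytes write-up), the following Python triage script refangs the indicators quoted above and flags the stages of this flow, PWA manifest fetch, WebSocket relay channel, APK download, in proxy log lines; the log format and the sample lines are constructed assumptions, and only the domain, package name and hash come from the article.

```python
import re
from dataclasses import dataclass

# Indicators exactly as quoted in the write-up, kept defanged so the file is safe to share.
DEFANGED_IOCS = {
    "domain": "google-prism[.]com",
    "package": "com.device[.]sync",
    "sha256": "1fe2be4582c4cbce8013c3506bc8b46f850c23937a564d17e5e170d6f60d8c08",
}

def refang(value: str) -> str:
    """Convert a defanged indicator (x[.]y, hxxp) to the live form that appears in logs."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))

@dataclass(frozen=True)
class Hit:
    line_no: int
    reason: str

def scan_proxy_log(lines, iocs=DEFANGED_IOCS):
    """Flag proxy log lines touching the campaign domain and label which stage they show."""
    domain = refang(iocs["domain"]).lower()
    package = refang(iocs["package"]).lower()
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        if domain not in low:
            continue
        if "upgrade: websocket" in low or re.search(r"\bwss?://", low):
            hits.append(Hit(n, "WebSocket relay channel to known C2 domain"))
        elif "manifest.json" in low or ".webmanifest" in low:
            hits.append(Hit(n, "PWA manifest fetched from known C2 domain"))
        elif package in low and ".apk" in low:
            hits.append(Hit(n, "APK implant download from known C2 domain"))
        else:
            hits.append(Hit(n, "contact with known C2 domain"))
    return hits

def match_hashes(observed: dict, iocs=DEFANGED_IOCS):
    """Return names of files whose SHA-256 equals the published IOC hash (case-insensitive)."""
    return [name for name, digest in observed.items() if digest.lower() == iocs["sha256"]]

# Constructed sample lines (assumed format: timestamp client method URL [headers] status).
SAMPLE_LOG = [
    "2024-01-01T10:00:01 10.0.0.5 GET https://www.example.com/ 200",
    "2024-01-01T10:00:07 10.0.0.5 GET https://google-prism.com/check/manifest.json 200",
    "2024-01-01T10:00:09 10.0.0.5 GET wss://google-prism.com/relay Upgrade: websocket 101",
    "2024-01-01T10:01:30 10.0.0.5 GET https://google-prism.com/update/com.device.sync.apk 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```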