A new phishing scam impersonating Google is tricking users into installing malware that can steal sensitive information and spy on their devices.
Security researchers have uncovered a phishing scam that masquerades as a Google security check, tricking individuals into installing malware designed to steal two-factor authentication (2FA) codes, track locations, and monitor clipboard data.
The fraudulent page presents itself as a legitimate Google security alert, claiming that users need to enhance their account protection. It guides visitors through a seemingly straightforward setup process aimed at bolstering their security and safeguarding their devices. However, those who follow the instructions may unwittingly install what appears to be a harmless security tool, which, in reality, is a malicious web application capable of spying on their devices.
According to security experts, this malicious app can capture login verification codes, monitor clipboard activity, track GPS location, and reroute internet traffic through the user’s browser. The most alarming aspect of this scam is that it does not exploit any software vulnerabilities; instead, it relies on social engineering to trick users into granting the necessary permissions. Once these permissions are granted, the user’s own browser can be manipulated to serve the attackers’ purposes without their knowledge.
Researchers at Malwarebytes, a cybersecurity firm, recently identified a phishing website that imitates Google’s account protection system. This site, operating under the domain google-prism[.]com, presents a convincing security page that prompts users to complete a brief verification process. Visitors are instructed to undertake a four-step setup to enhance their account security, which purportedly protects their devices from various threats.
During this process, users are asked to approve multiple permissions and install what is claimed to be a security tool. The application installed is actually a Progressive Web App (PWA), which runs through the browser but behaves like a native application on a computer or phone. It can open in its own window, send notifications, and keep a service worker running in the background.
Once installed, the malicious web app can gather contacts, read clipboard information, track GPS location data, and attempt to capture one-time login codes sent to users’ phones. These codes are commonly used for accounts that implement two-factor authentication. Each of these capabilities is gated behind a browser permission prompt or an explicit user action, which is exactly what the four-step “setup” walks the victim through approving.
Additionally, the fake security page may offer an Android companion app described as a “critical security update.” Researchers have noted that this app requests an alarming 33 permissions, including access to text messages, call logs, contacts, microphone recordings, and accessibility features. Such extensive permissions enable attackers to read messages, capture keystrokes, monitor notifications, and maintain control over various aspects of the device. Even if the Android app is not installed, the web app alone can still collect sensitive information and operate quietly through the user’s browser.
The effectiveness of this scam lies in its ability to mimic trusted sources. Many individuals expect security alerts from the services they utilize, particularly regarding the protection of their email or cloud accounts. Attackers exploit this trust by presenting the fake page as a beneficial security feature. When users approve the permissions and install the web app, they inadvertently grant attackers access to specific areas of their devices. One of the primary targets for these attackers is the capture of one-time passwords, which are essential for logging into accounts that require two-factor authentication.
If attackers successfully capture these codes while also knowing the user’s password, they may gain access to various accounts, including email, financial services, or cryptocurrency wallets. The malware’s capability to monitor clipboard activity is particularly concerning, as individuals often copy cryptocurrency wallet addresses before conducting transactions, making this information valuable to criminals.
Another feature of the malicious app allows attackers to route internet requests through the user’s browser, making it appear as though online activity originates from the user’s home network, in effect turning the victim’s browser into a residential proxy. The app can also send notifications that mimic security alerts or system warnings. When users click on these notifications, the app reopens, providing another opportunity to capture sensitive information such as login codes or clipboard data.
In response to inquiries about this phishing campaign, a Google spokesperson confirmed that several built-in security systems are in place to thwart threats like this before they can inflict harm. “We can confirm that Safe Browsing in Chrome warns any user who tries to visit this site,” the spokesperson stated. “Chrome also shows a confirmation dialog whenever anyone attempts to download an APK. Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services.”
Google also indicated that its current monitoring shows no apps containing this malware are available on the Google Play Store. Even if malicious apps are installed from outside official stores, Google asserts that Android devices have an additional layer of protection. Google Play Protect can alert users or block apps known to exhibit malicious behavior, including those installed from third-party sources.
However, it is crucial to recognize that Google Play Protect may not be foolproof. Historically, it has not always been 100% effective in removing all known malware from Android devices. Therefore, experts recommend using robust antivirus software to detect malicious downloads, suspicious browser activity, and phishing attempts before they can cause significant damage. Such software acts as an early warning system, helping to block dangerous apps and websites before they can access your device or data.
To avoid falling victim to a suspicious “security check,” users should adopt a few simple habits to protect their accounts and devices. Google does not request the installation of security tools through pop-ups or unfamiliar websites. If a page claims that an account requires a security check, users should close the tab and navigate directly to Google’s official account page by typing the address manually. This approach prevents attackers from redirecting users to a fraudulent site.
Phishing pages often utilize domains that closely resemble those of legitimate companies. Attackers rely on users clicking quickly without scrutinizing the address bar. If the website address does not belong to an official Google domain, it should not be trusted. Only the registered domain matters: accounts.google.com is Google, but google-prism[.]com, or any hostname that merely contains the word “google” before a different registered domain, is not. Even minor alterations in spelling can indicate a fake site designed to steal information.
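To make the address-bar check concrete, here is an added example (not code from the article or from the researchers) that decides whether a URL really belongs to Google by comparing its registered domain against an allowlist. The same origin-matching logic is what lets a password manager refuse to fill credentials on a lookalike domain. The allowlist and the tiny two-level-suffix table are assumptions for illustration; a production check would use the full Public Suffix List.

```javascript
// Added example, not from the article: is this URL really a Google property?
// Runs under Node (uses the built-in WHATWG URL parser). The allowlist below is
// an assumption for illustration, not an authoritative list of Google domains.
const GOOGLE_REGISTRABLE_DOMAINS = new Set([
  'google.com',
  'google.co.uk',          // assumed: add the country TLDs you actually use
  'googleusercontent.com',
  'gstatic.com',
]);

// Approximation of the Public Suffix List: registered domain is the last two
// labels, except under these two-level public suffixes, where it is three.
const TWO_LEVEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp', 'com.br']);

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  if (labels.length < 2) return null;
  const lastTwo = labels.slice(-2).join('.');
  if (TWO_LEVEL_SUFFIXES.has(lastTwo) && labels.length >= 3) {
    return labels.slice(-3).join('.');
  }
  return lastTwo;
}

// Returns { trusted, reason }. Rejects non-HTTPS, userinfo tricks such as
// https://google.com@evil.example, punycode (possible homograph) hostnames,
// and any registered domain not on the allowlist.
function isTrustedGoogleUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { trusted: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') {
    return { trusted: false, reason: 'not https' };
  }
  if (url.username || url.password) {
    return { trusted: false, reason: 'credentials in URL (userinfo trick)' };
  }
  const host = url.hostname; // Node lowercases and converts IDNs to xn-- form
  if (host.startsWith('xn--') || host.includes('.xn--')) {
    return { trusted: false, reason: 'internationalised hostname (possible homograph)' };
  }
  const reg = registrableDomain(host);
  if (reg && GOOGLE_REGISTRABLE_DOMAINS.has(reg)) {
    return { trusted: true, reason: `registered domain ${reg} is allowlisted` };
  }
  return { trusted: false, reason: `registered domain ${reg} is not allowlisted` };
}

// Demonstration on the page's lookalike and a few classic evasions.
for (const u of [
  'https://accounts.google.com/signin',
  'https://google-prism.com/',
  'https://accounts.google.com.evil.example/',
  'https://google.com@evil.example/',
  'http://accounts.google.com/',
]) {
  const v = isTrustedGoogleUrl(u);
  console.log(`${v.trusted ? 'TRUST ' : 'REJECT'} ${u}  (${v.reason})`);
}
```

The check deliberately looks only at the registered domain, so `accounts.google.com` passes while `accounts.google.com.evil.example` and `google-prism.com` fail; matching on the substring “google” anywhere in the hostname is exactly the mistake the lookalike relies on.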
If users have installed an app through a website and it opens like a standalone program, they should check their browser’s installed apps or extensions list. On desktop Chrome, installed web apps are listed at chrome://apps; on Android, a PWA installed through Chrome appears as an app icon and is uninstalled like any other app. Removing any unfamiliar or unrecognized items immediately can prevent further information collection or command execution through the browser.
Researchers warn that the malicious Android app may appear under names such as “Security Check” or “System Service.” If users encounter unfamiliar apps with these names, they should review the permissions requested and remove them if they seem suspicious. Apps requesting extensive permissions, such as SMS access, accessibility features, and microphone control, should always be scrutinized.
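The permission review described above can be done from a computer rather than by tapping through Settings. As an added example (not from the article or the researchers), the script below parses the output of `adb shell dumpsys package <pkg>` for a sideloaded package and flags the permission set the researchers describe: SMS, call log, contacts, microphone, overlay, and an accessibility service. The dumpsys text embedded here is constructed for illustration, as is the package name; on a real device you would list third-party packages with `adb shell pm list packages -3` and feed each package’s dumpsys output to `triageApp`. The accessibility check is a heuristic on the service interface action name and is an assumption about dumpsys layout.

```javascript
// Added example, not from the article: triage a sideloaded Android app's
// permissions from `adb shell dumpsys package <pkg>` output.
const HIGH_RISK = {
  'android.permission.READ_SMS': 'read stored SMS (2FA codes)',
  'android.permission.RECEIVE_SMS': 'intercept incoming SMS (2FA codes)',
  'android.permission.READ_CALL_LOG': 'read call log',
  'android.permission.READ_CONTACTS': 'read contacts',
  'android.permission.RECORD_AUDIO': 'record microphone',
  'android.permission.SYSTEM_ALERT_WINDOW': 'draw over other apps (overlay phishing)',
  'android.permission.BIND_NOTIFICATION_LISTENER_SERVICE': 'read all notifications',
};

// Intent action an accessibility service must filter on; its presence in the
// service resolver table is a heuristic sign the app declares one (assumption).
const ACCESSIBILITY_ACTION = 'android.accessibilityservice.AccessibilityService';

// Permission lines look like "android.permission.READ_SMS" in the requested
// section and "android.permission.READ_SMS: granted=true, flags=[ USER_SET ]"
// in the install/runtime sections.
const SECTION_HEADER = /^(requested|install|runtime) permissions:$/;
const PERM_LINE = /^([a-z][\w.]*\.[A-Z0-9_]+)(?::\s*(.*))?$/;

function parseDumpsysPermissions(text) {
  const requested = new Set();
  const granted = new Set();
  let section = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trim();
    const header = line.match(SECTION_HEADER);
    if (header) { section = header[1]; continue; }
    if (!section) continue;
    const m = line.match(PERM_LINE);
    if (!m) { section = null; continue; }   // any other line ends the section
    const [, name, detail = ''] = m;
    requested.add(name);
    if (section !== 'requested' && /\bgranted=true\b/.test(detail)) granted.add(name);
  }
  return { requested, granted };
}

function triageApp(packageName, dumpsysText) {
  const { requested, granted } = parseDumpsysPermissions(dumpsysText);
  const findings = [];
  for (const perm of requested) {
    if (HIGH_RISK[perm]) {
      findings.push({ permission: perm, why: HIGH_RISK[perm], granted: granted.has(perm) });
    }
  }
  const usesAccessibilityService = dumpsysText.includes(ACCESSIBILITY_ACTION);
  const smsCapable = findings.some(f => /_SMS$/.test(f.permission) && f.granted);
  const verdict = (smsCapable || usesAccessibilityService)
    ? 'REVIEW: can capture 2FA codes or keystrokes'
    : (findings.length ? 'REVIEW: sensitive permissions requested' : 'low risk');
  return { packageName, requestedCount: requested.size, findings, usesAccessibilityService, smsCapable, verdict };
}

// Constructed dumpsys excerpt for a hypothetical sideloaded "Security Check" app.
const SAMPLE_DUMPSYS = `
  Package [com.example.securitycheck] (3f2a1b):
    userId=10234
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CALL_LOG
      android.permission.READ_CONTACTS
      android.permission.RECORD_AUDIO
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      gids=[3003]
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
  Service Resolver Table:
    Non-Data Actions:
      android.accessibilityservice.AccessibilityService:
        5b1c com.example.securitycheck/.KeyService filter 9ab3
`;

const report = triageApp('com.example.securitycheck', SAMPLE_DUMPSYS);
console.log(JSON.stringify(report, null, 2));
```

A legitimate “security” app has no reason to hold both SMS permissions and an accessibility service; that pairing is the capability set needed to read one-time codes and keystrokes, so the triage treats it as the strongest signal regardless of how many other permissions are listed.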
Using a password manager can help create and store strong, unique passwords for every online account. If attackers obtain one password, they will not automatically gain access to other accounts. Password managers also help prevent users from entering credentials on fake sites, as they typically refuse to auto-fill on lookalike domains.
Two-factor authentication (2FA) adds an extra layer of security beyond passwords. Although this attack aims to capture SMS verification codes, many services allow the use of authenticator apps instead. These apps generate login codes directly on the user’s device, making it significantly more challenging for attackers to intercept them. Note that an authenticator code typed into a fake page, or copied to the clipboard while this app is watching, can still be stolen; passkeys or hardware security keys, which Google accounts support, are bound to the real site’s domain and cannot be replayed by a phishing page.
If users suspect they have interacted with a dubious security page, they should closely monitor their accounts in the following days for login alerts, password reset emails, or unfamiliar transactions. Prompt action in response to suspicious activity can help prevent attackers from gaining full control over accounts.
Scammers often gather personal information from data broker sites to craft convincing phishing messages. Utilizing a data removal service can assist in removing personal information from these databases, thereby reducing the amount of data criminals can exploit to impersonate companies or create targeted scams.
As attackers evolve their tactics, they are increasingly relying on convincing security messages to persuade individuals to install malicious tools themselves, rather than exploiting technical flaws. Given the reliance on familiar brands like Google for security decisions, it is essential to enhance safeguards against impersonation sites and to tighten the controls browsers place on what installed web apps are allowed to do.
For more information on cybersecurity and to stay updated on potential threats, visit CyberGuy.com.