Netcrook

Invisible Intruders: How a Fake Google Security App Hijacks Your Browser and Identity

Published: 03 March 2026 08:34 | Category: Security Awareness & Social Engineering | Author: CRYSTALPROXY

Subtitle: Sophisticated phishing scam disguises itself as Google Security, weaponizing your browser and phone to steal credentials, crypto wallets, and more.

The line between trusted web services and cyber threats just blurred in a dangerous new way. In a chilling twist on classic phishing, attackers are now using a fake Google Account security page to trick users into installing a progressive web app (PWA) that turns their browser, and even their phone, into a digital spy. What looks like a routine security check is in fact a gateway for malware that can intercept passwords, hijack cryptocurrency, and turn the device into an unwitting accomplice in further attacks.

The Anatomy of a Deceptive Attack

This campaign begins with a convincingly crafted fake Google security page, complete with a four-step process urging users to strengthen their account protection. The catch? Users are coaxed into granting risky permissions and installing a PWA straight from the browser. Once installed, a PWA opens in its own window without the address bar or other browser controls, so the site's real URL is no longer in view; the result looks and feels like an official standalone program.

Once installed, the malicious PWA gets to work: it can exfiltrate your contacts, track your location in real time, and capture whatever sensitive data you copy to the clipboard, passwords and cryptocurrency wallet addresses included. More worrying still, the app turns your browser into a proxy, letting attackers route traffic through your device as if they were on your network. This not only hides the attacker's true location but also enables reconnaissance of the internal network, an ideal foothold for further exploitation.

The attackers also lean on browser APIs: WebOTP, which lets a page read a one-time password delivered by SMS, and push notifications, which lure victims back into opening the installed app and so extend the window for data theft. One practical limit is worth knowing: WebOTP only surfaces SMS messages whose last line is bound to the requesting page's host (the "@host #code" format), so the PWA cannot read arbitrary text messages through it; the Android app's SMS permission, described below, carries no such restriction.
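The origin binding that limits WebOTP is easiest to see in code. The following is an added example, not code from this article or from the campaign it describes: it models how the browser decides which page, if any, may receive the code carried by an SMS. The sample messages and the two origins are constructed; only the single-origin form of the SMS format is modelled (the variant that also names an embedded frame's host is left out), and the 4-to-10-character code length is an assumption.

```javascript
// Added example: not code from the Netcrook article nor from the campaign it
// describes. It models the origin binding the WebOTP API enforces: the browser
// only hands a page the code from an SMS whose last line names that page's
// host, in the "@host #code" format. Only the single-origin form is modelled
// here (assumption: the variant naming an embedded frame's host is ignored).

// Constructed sample messages, not captured traffic.
const SAMPLE_SMS = {
  bank: "Your verification code is 402713.\n\n@accounts.bank.example #402713",
  lure: "Google Security: confirm your device.\n@google-security-check.example #918254",
  plain: "Your code is 555121",
};

// Return { host, code } from the last non-empty line of an SMS, or null when the
// message is not in the origin-bound format (a plain "Your code is ..." text).
function parseOriginBoundCode(sms) {
  const lines = sms.split(/\r?\n/).filter((l) => l.trim().length > 0);
  if (lines.length === 0) return null;
  const last = lines[lines.length - 1].trim();
  // Host: DNS labels; code: alphanumerics (assumption: 4-10 characters).
  const m = /^@([a-z0-9.-]+)\s+#([a-z0-9]{4,10})$/i.exec(last);
  return m ? { host: m[1].toLowerCase(), code: m[2] } : null;
}

// What a page at `origin` would receive: the code only when the SMS is bound to
// that page's exact host and the page is served over HTTPS, otherwise null.
function codeForOrigin(sms, origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  const bound = parseOriginBoundCode(sms);
  if (bound === null) return null;
  return bound.host === url.hostname ? bound.code : null;
}

// Check every sample message against both the bank's origin and the lure's.
const ORIGINS = ["https://accounts.bank.example", "https://google-security-check.example"];
function deliveryMatrix() {
  const out = {};
  for (const [name, sms] of Object.entries(SAMPLE_SMS)) {
    out[name] = Object.fromEntries(ORIGINS.map((o) => [o, codeForOrigin(sms, o)]));
  }
  return out;
}

for (const [name, row] of Object.entries(deliveryMatrix())) {
  console.log(name, row);
}
```

The matrix shows the point: the bank's code reaches only the bank's host, the lure page sees only codes that were addressed to it, and a message with no "@host" line is invisible to both. That is why the browser-only part of the campaign cannot simply harvest every code that arrives on the phone.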

Android Users: Double Jeopardy

For those who follow through with all the “security” steps, the scam escalates: a companion Android APK is offered, masquerading as a critical update. This app demands sweeping permissions: access to SMS, calls, microphone, contacts, and device administration. Under the hood it includes a custom keyboard for keylogging, a notification listener, and services designed for persistent control and credential theft. Uninstalling it is intentionally difficult: the app registers as a device administrator, which Android will not let you uninstall until that privilege is revoked under the device admin settings, and it restarts itself if terminated.
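The capabilities listed above all leave marks in the app's manifest, which is what an analyst checks first. The following is an added example, not code from this article and not the real APK's manifest: it runs a decoded AndroidManifest.xml (the form apktool and similar tools produce) through a small indicator table covering SMS, calls, microphone, contacts, device administration, a notification listener and a custom keyboard. The manifest, the package name and the component names are constructed for illustration, and the indicator tables and priority rule are this example's own choices.

```javascript
// Added example: not the Netcrook article's code and not the real APK's
// manifest. Given a decoded AndroidManifest.xml (what apktool or similar
// produces), it flags the capabilities the article lists. The manifest below is
// constructed to carry those markers; the indicator tables are this example's
// own choice.

// Dangerous runtime permissions requested with <uses-permission>.
const PERMISSION_INDICATORS = {
  "android.permission.READ_SMS": "read stored SMS (one-time codes)",
  "android.permission.RECEIVE_SMS": "intercept incoming SMS",
  "android.permission.READ_CALL_LOG": "read call log",
  "android.permission.RECORD_AUDIO": "microphone",
  "android.permission.READ_CONTACTS": "contacts",
};

// Privileged components are recognised by the system permission a binder must
// hold: an input-method service (keyboard), a notification listener service
// and a device-admin receiver are all declared this way.
const COMPONENT_INDICATORS = {
  "android.permission.BIND_INPUT_METHOD": "custom keyboard (keylogging)",
  "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
  "android.permission.BIND_DEVICE_ADMIN": "device administrator (blocks uninstall)",
};

// Constructed manifest in the shape of a decoded AndroidManifest.xml.
const SAMPLE_MANIFEST = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Google Security Update">
    <service android:name=".KeyboardService"
             android:permission="android.permission.BIND_INPUT_METHOD">
      <intent-filter><action android:name="android.view.InputMethod"/></intent-filter>
    </service>
    <service android:name=".NotifListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>`;

// Regex extraction is enough for a decoded manifest; a real pipeline would use
// an XML parser. Returns one finding per matched permission or component.
function triageManifest(xml) {
  const findings = [];
  for (const m of xml.matchAll(/<uses-permission\b[^>]*android:name="([^"]+)"/g)) {
    const why = PERMISSION_INDICATORS[m[1]];
    if (why) findings.push({ kind: "permission", name: m[1], why });
  }
  for (const m of xml.matchAll(/<(service|receiver)\b[^>]*android:permission="([^"]+)"/g)) {
    const why = COMPONENT_INDICATORS[m[2]];
    if (why) findings.push({ kind: m[1], name: m[2], why });
  }
  return findings;
}

// Device admin plus any SMS access is the combination that makes the app both
// hard to remove and able to harvest codes; treat that as high priority
// (assumption: this example's own triage rule).
function isHighPriority(findings) {
  const names = new Set(findings.map((f) => f.name));
  const sms = names.has("android.permission.READ_SMS") || names.has("android.permission.RECEIVE_SMS");
  return names.has("android.permission.BIND_DEVICE_ADMIN") && sms;
}

const found = triageManifest(SAMPLE_MANIFEST);
for (const f of found) console.log(`${f.kind.padEnd(10)} ${f.name}  (${f.why})`);
console.log("high priority:", isHighPriority(found));
```

The BIND_* permissions are the telling ones: an app does not request them, it declares components that the system may only bind to when they carry them, so a keyboard, a notification listener and a device admin receiver are visible even before any code is read.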

Exploiting Trust, Not Technology

Perhaps most insidious of all, the attackers exploit no bugs or vulnerabilities. Every capability they use is a documented browser or Android feature, granted by the user; the attack is social engineering, manipulating people into handing over the keys to their own digital kingdom. Because several of the APIs involved, including the PWA install prompt and WebOTP, are implemented only in Chromium-based browsers, the campaign operates under the radar in Chrome and Edge and is less effective on Firefox and Safari. Even without the Android app installed, the PWA alone can inflict serious damage.

Google never asks users to install apps or grant permissions via pop-ups for security purposes. All legitimate account protections are managed through myaccount.google.com, and that address in the browser's address bar, not the page's branding, is what to check.
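Checking the address is less obvious than it sounds once lookalike hosts, userinfo tricks and homoglyphs are in play. The following is an added example, not code from this article or from Google: it spells out the check as a function, requiring HTTPS, no credentials before the host, and a host that is google.com or a subdomain of it matched on a label boundary. The URL parser converts internationalised hosts to punycode, which is what defeats the homoglyph case. The sample prompts are constructed lookalikes, not addresses from the real campaign.

```javascript
// Added example, not from the Netcrook article or Google. It spells out what
// "verify the web address" means for a Google account prompt: HTTPS, no
// userinfo before the host, and a host that is google.com or a subdomain of
// it, matched on a label boundary. The lookalike URLs below are constructed.

function checkAccountUrl(input, allowedDomain = "google.com") {
  let url;
  try {
    url = new URL(input); // lower-cases the host and applies IDNA (punycode)
  } catch {
    return { ok: false, reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme is ${url.protocol} not https:` };
  }
  // "https://myaccount.google.com@evil.example/" puts the familiar name in the
  // userinfo part; the real host is whatever follows the "@".
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: `userinfo present, real host is ${url.hostname}` };
  }
  const host = url.hostname;
  // Label-boundary match: "google.com" or "*.google.com", never
  // "google.com.evil.example" or "evilgoogle.com".
  if (host !== allowedDomain && !host.endsWith("." + allowedDomain)) {
    return { ok: false, reason: `host ${host} is not under ${allowedDomain}` };
  }
  return { ok: true, reason: `host ${host} is under ${allowedDomain}` };
}

// Constructed prompts: the first two are shaped like real Google pages, the
// rest are the kinds of lookalikes a phishing kit would use.
const SAMPLE_PROMPTS = [
  "https://myaccount.google.com/security",
  "https://accounts.google.com/signin",
  "https://myaccount.google.com.security-check.example/",
  "https://myaccount-google.com/",
  "http://myaccount.google.com/",
  "https://myaccount.google.com@security-check.example/",
  "https://myaccount.g\u043e\u043egle.com/", // Cyrillic 'о' in place of Latin 'o'
  "javascript:alert(1)",
];

function auditPrompts(list = SAMPLE_PROMPTS) {
  return list.map((u) => ({ url: u, ...checkAccountUrl(u) }));
}

for (const r of auditPrompts()) {
  console.log(r.ok ? "OK  " : "FAIL", r.url, "-", r.reason);
}
```

The reason string matters as much as the verdict: a user or an analyst learns more from "real host is security-check.example" than from a bare failure, and the same six checks are what a browser's address bar is quietly doing when it shows the origin.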

Conclusion

This attack marks a new frontier in phishing, one where trust in familiar brands and interfaces is weaponized against us. As browser-based apps become more powerful, so too do the tools of cybercriminals. The best defense remains vigilance: question unexpected security prompts, verify web addresses, and remember that true security never comes via a pop-up.

WIKICROOK

  • Progressive Web App (PWA): A progressive web app (PWA) is a web application, served over HTTPS, that can be installed on a device and behaves like a native app, including offline access through a service worker.
  • Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.
  • WebOTP API: The WebOTP API lets a web app read a one-time code from an SMS that is addressed to its origin, once the user approves, simplifying and speeding up authentication.
  • Device Administrator: Device administrator is an Android permission that lets apps control key security settings, used for management but sometimes exploited by malicious software.
  • Clipboard Exfiltration: Clipboard exfiltration is when attackers steal sensitive data users copy and paste, like passwords or wallet addresses, from a device’s clipboard.