- Attackers abuse Progressive Web Apps (PWA) on Android
- Victims lured via phishing site google-prism[dot]com in installing malicious PWAs
- PWA harvests clipboard, crypto wallets, OTPs, GPS, etc.
Threat actors have started turning to Progressive Web Apps (PWAs) to do their dirty work on Android, stealing login credentials, cryptocurrency wallet data, GPS information, and more, experts have warned.
Security researchers at Malwarebytes recently detailed one such campaign they spotted in the wild, starting with a phishing email, luring people to a fake Google site google-prism[dot]com.
Under the guise of enhanced security, victims are subjected to a four-step “security” check that includes installing a malicious PWA.
Collect the data
For those unfamiliar with PWAs, they are websites that can be installed on a device and launched like regular apps, but which run inside the web browser.
Once installed, the PWA requests permissions to send notifications, access clipboard data and other browser features, and configures a service worker to enable push notifications, background tasks and data staging.
At this point, the malware starts collecting data every time the app is opened. Clipboard contents, cryptocurrency wallet addresses, one-time passwords via the WebOTP API, contacts, GPS data and device fingerprint details are all collected. But since the information can only be collected while the app is open, the PWA also sends push notifications to prompt the victim to reopen it.
The PWA also establishes a WebSocket-based HTTP relay and proxy, so attackers can route web requests, scan internal networks, and even access local resources.
In some cases, Malwarebytes said, the victim is also encouraged to download an “add-on app” presented as a “critical security update” that requests expanded permissions and registers as the device administrator.
This app, obviously aimed at the more gullible, allows for deeper compromises, including SMS interception, keystroke capture via a custom keyboard, notification monitoring, credential theft, and long-term persistence.
If by chance you have installed such an app, you can remove it by looking for a “Security Check” entry in the list of installed apps. If your device has an app called “System Service” with a package name of com.device.sync and it has administrator access, remove access by going to Settings – Security – Device Admin Apps and then uninstall it.
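An added triage helper, not from the article or from Malwarebytes, that checks adb output for the two indicators the article gives for the add-on app: the com.device.sync package and whether it holds device-administrator rights. The sample output and the AdminReceiver class name are constructed, and the dumpsys layout it parses is an assumption.

```shell
#!/bin/sh
# Added example (not the article's own procedure): flag the com.device.sync
# package and report whether it is an enabled device admin.
# Assumption: formats approximate `adb shell pm list packages` and
# `adb shell dumpsys device_policy`; the samples below are constructed.

SUSPECT_PKG="com.device.sync"

# is_installed PKG_LIST_TEXT: succeeds if the package is in `pm list packages` output.
is_installed() {
  printf '%s\n' "$1" | tr -d '\r' | grep -qx "package:$SUSPECT_PKG"
}

# active_admins DUMPSYS_TEXT: prints the package half of every
# ComponentInfo{pkg/class} entry in `dumpsys device_policy` output.
active_admins() {
  printf '%s\n' "$1" | tr -d '\r' \
    | sed -n 's/.*ComponentInfo{\([^/}]*\)\/[^}]*}.*/\1/p' | sort -u
}

# verdict PKG_LIST_TEXT DUMPSYS_TEXT: prints clean, installed, or admin.
verdict() {
  if ! is_installed "$1"; then
    echo clean
    return
  fi
  if active_admins "$2" | grep -qx "$SUSPECT_PKG"; then
    echo admin
  else
    echo installed
  fi
}

# Constructed sample output, not captured from a real device.
SAMPLE_PKGS="package:com.android.settings
package:com.device.sync
package:com.android.chrome"

SAMPLE_DUMPSYS="Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.device.sync/com.device.sync.AdminReceiver}
      uid=10123"

# Against a connected device the call would be:
#   verdict "$(adb shell pm list packages)" "$(adb shell dumpsys device_policy)"
verdict "$SAMPLE_PKGS" "$SAMPLE_DUMPSYS"
```

A result of admin means device-administrator access must be revoked under Settings before the uninstall will succeed, as the article describes.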
Via BleepingComputer