- Cybercriminals are increasingly targeting mobile browsers
- Compromised WordPress sites lead to the installation of malicious PWAs
- Site owners and users can mitigate the threat

Client-side attacks are on the rise, as cybercriminals increasingly use mobile browsers to bypass traditional security checks.
That is according to the latest “Client-Side Attack Report Q2 2025”, published by security researchers at c/side. A client-side attack is a type of security breach that occurs on the user’s device (generally in the browser or a mobile application) rather than on the server.
Based on in-depth market research (compromised domains, autonomous crawling, AI-driven script analysis and behavioral examination of third-party JavaScript dependencies), the report says that cybercriminals are injecting malicious code into the service workers and Progressive Web App (PWA) logic of popular WordPress themes.
Weaker sandboxing
Once a mobile user visits an infected site, the browser window is hijacked using a full-screen iframe. The victim is then lured into installing a fake PWA, often disguised as an adult-themed APK or a crypto application, hosted on rotating subdomains.
Primarily, the applications are designed to persist on the device beyond the browser session and act as a long-term foothold. However, they can also steal login credentials (via login pages or browser prompts), intercept cryptocurrency wallet interactions and drain assets by injecting malicious scripts. In some cases, the applications can also hijack session tokens.
Criminals use various techniques to evade detection, including fingerprinting and cloaking techniques that prevent the payload from being triggered in sandboxed environments or automated scanners.
The mobile platform is increasingly targeted because its browsers have weaker sandboxing and limited runtime visibility, which makes them more vulnerable to attacks. At the same time, c/side says that users are more likely to trust full-screen prompts or to install suggested applications without suspecting anything.
To mitigate the risk, there are things that both developers and end users can do, says c/side. Developers and site operators must monitor and secure third-party scripts, as they are a common delivery mechanism for malicious payloads. The company also recommends real-time visibility into what scripts run in the browser, rather than relying only on server-side protections.
Users, on the other hand, should be careful when installing progressive web applications from unknown sources, and should be skeptical of unexpected login flows, especially those that appear to come from Google.
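
An added example, not taken from the c/side report or this article: one way a site operator could check what actually loaded in a visitor's browser for the three behaviors described above (scripts from unlisted origins, unexpected service workers, and a foreign iframe covering the viewport). The allowlists, the 95% viewport threshold, the snapshot shape and every URL are assumptions constructed for illustration.

```javascript
// Allowlists are assumptions for a hypothetical site (shop.example).
const ALLOWED_SCRIPT_ORIGINS = new Set(["https://shop.example", "https://cdn.example"]);
const EXPECTED_SERVICE_WORKERS = new Set(["https://shop.example/sw.js"]);

function resolve(url, base) { try { return new URL(url, base); } catch { return null; } }

// Pure check over a snapshot of what the page loaded (browser, crawler or test).
function auditSnapshot(snap) {
  const findings = [];
  const pageOrigin = new URL(snap.pageUrl).origin;
  for (const src of snap.scripts) {
    const u = resolve(src, snap.pageUrl);
    if (!u || !ALLOWED_SCRIPT_ORIGINS.has(u.origin))
      findings.push({ type: "unlisted-script-origin", url: src });
  }
  for (const sw of snap.serviceWorkers) {
    const u = resolve(sw, snap.pageUrl);
    if (!u || !EXPECTED_SERVICE_WORKERS.has(u.href))
      findings.push({ type: "unexpected-service-worker", url: sw });
  }
  for (const f of snap.iframes) {
    const u = resolve(f.src, snap.pageUrl);
    const coversViewport = f.widthPct >= 95 && f.heightPct >= 95; // assumed threshold
    if (coversViewport && (!u || u.origin !== pageOrigin))
      findings.push({ type: "fullscreen-foreign-iframe", url: f.src });
  }
  return findings;
}

// Browser-side collector; uses only standard DOM and Service Worker APIs.
async function collectSnapshot() {
  const regs = await navigator.serviceWorker.getRegistrations();
  return {
    pageUrl: location.href,
    scripts: [...document.scripts].map((s) => s.src).filter(Boolean),
    serviceWorkers: regs.map((r) => (r.active || r.waiting || r.installing)?.scriptURL).filter(Boolean),
    iframes: [...document.querySelectorAll("iframe")].map((f) => {
      const r = f.getBoundingClientRect();
      return { src: f.src, widthPct: (100 * r.width) / innerWidth, heightPct: (100 * r.height) / innerHeight };
    }),
  };
}

// Constructed sample snapshot; every URL is a placeholder.
const SAMPLE = {
  pageUrl: "https://shop.example/blog/post",
  scripts: ["/wp-includes/js/app.js", "https://cdn.example/lib.js", "https://x1.unlisted.example/loader.js"],
  serviceWorkers: ["https://shop.example/sw.js", "https://shop.example/wp-content/themes/t/worker.js"],
  iframes: [{ src: "https://x2.unlisted.example/app", widthPct: 100, heightPct: 100 }, { src: "https://x2.unlisted.example/ad", widthPct: 30, heightPct: 10 }],
};
```

In a page, `collectSnapshot().then(auditSnapshot)` yields the findings, which can then be sent to the operator's own reporting endpoint.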