A sophisticated phishing campaign is tricking users into installing malware disguised as a Google security tool. The fake page, hosted on domains such as google-prism.com, mimics official Google account protection prompts and walks victims through a four-step “security setup.”

Instead of enhancing security, the process installs a malicious Progressive Web App (PWA). Once approved, this app runs in its own browser window and gains access to clipboard contents, GPS location, contacts, and one-time login codes used in two-factor authentication.

Security researchers at Malwarebytes warn the PWA can silently route internet traffic through the victim’s device, making malicious activity appear to originate from their network. A companion Android app, labeled “Security Check” or “System Service,” requests 33 permissions, including SMS, call logs, microphone, and accessibility features, enabling full device surveillance.

Google confirmed Chrome’s Safe Browsing blocks the known phishing domain, and Google Play Protect guards Android devices. However, experts caution these protections aren’t foolproof, especially for apps installed outside the Play Store.

Users are urged to never install security tools from pop-ups or unfamiliar sites, verify URLs meticulously, and routinely audit browser-installed PWAs and Android apps. Enabling authenticator-based 2FA instead of SMS adds critical defense against stolen verification codes.
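One way to carry out the app audit recommended above, as an added example that is not part of the article or of Malwarebytes’ research: the script below parses text in the shape of `adb shell dumpsys package` output and flags sideloaded apps (installer other than the Play Store) that hold the SMS, call-log or microphone permissions the companion app requests. The package names and dumpsys excerpt are constructed, and the exact dumpsys layout is an assumption.

```python
"""Audit Android packages for sideloaded apps with surveillance-grade permissions.

Added example (not from the article). Input is assumed to look like
`adb shell dumpsys package <pkg>` output; the sample below is constructed.
Accessibility-service abuse is not a requested permission and is checked
separately with `adb shell settings get secure enabled_accessibility_services`.
"""
import re

# Permission families the article names for the fake "Security Check" app.
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
}
PLAY_STORE = "com.android.vending"  # installer id for Google Play


def parse_dumpsys(text):
    """Return {package: {"installer": str, "perms": set}} from dumpsys-like text."""
    pkgs, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*Package \[([\w.]+)\]", line)
        if m:  # start of a new package record
            cur = pkgs.setdefault(m.group(1), {"installer": None, "perms": set()})
            continue
        if cur is None:
            continue
        m = re.match(r"^\s*installerPackageName=(\S+)", line)
        if m:
            cur["installer"] = m.group(1)
            continue
        # Bare names under "requested permissions:" or "<name>: granted=true" lines.
        m = re.match(r"^\s*(android\.permission\.\w+)(?::\s*granted=(\w+))?", line)
        if m and m.group(2) != "false":
            cur["perms"].add(m.group(1))
    return pkgs


def flag_suspicious(pkgs):
    """Sideloaded packages (installer is not the Play Store) holding a HIGH_RISK permission."""
    return {name: sorted(info["perms"] & HIGH_RISK)
            for name, info in pkgs.items()
            if info["perms"] & HIGH_RISK and info["installer"] != PLAY_STORE}


SAMPLE = """Package [com.example.securitycheck] (a1b2c3):
  installerPackageName=null
  requested permissions:
    android.permission.READ_SMS
    android.permission.READ_CALL_LOG
    android.permission.RECORD_AUDIO
  install permissions:
    android.permission.INTERNET: granted=true
Package [com.example.notes] (d4e5f6):
  installerPackageName=com.android.vending
  requested permissions:
    android.permission.RECORD_AUDIO
"""

if __name__ == "__main__":
    for pkg, perms in flag_suspicious(parse_dumpsys(SAMPLE)).items():
        print(pkg, perms)
```

On a real device, feed it `adb shell dumpsys package` for each third-party package from `adb shell pm list packages -3`; a Play-installed app with the same permissions is deliberately not flagged, so review it by hand.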