
Just One Click 'Install': How a Fake Google Page Steals Both Passwords and MFA Codes


Overview

Amid increasingly sophisticated cyberattacks, a new phishing campaign highlights a notable shift in the methods used to steal user accounts. Instead of exploiting software vulnerabilities, the attackers abuse a legitimate feature of modern browsers, Progressive Web Apps (PWA), to build a highly convincing phishing flow. The campaign impersonates a "Google Security Check" page and preys on the fear of an account breach: users are prompted to install a web app, delivered as a PWA, under the guise of "security verification." Once installed, the app acts as an intermediary that collects login credentials, multi-factor authentication codes (MFA/OTP), and other sensitive data.

Progressive Web App (PWA)

Introduction to PWA

A Progressive Web App (PWA) is a web application model that lets a website behave like a native app (one installed on the device).

PWA combines:

  • HTML5 + CSS + JavaScript

  • Service Workers

  • Web App Manifest

  • Cache API

The Web App Manifest is a JSON file that declares, among other things:

  • Application name

  • Icon

  • Background color

  • Display mode (standalone, fullscreen)

When in standalone mode, a PWA will not display the address bar and will resemble a native app. This is the key factor that attackers will exploit.
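The following is an added example, not code from the original article or from the campaign: a small triage function that reads a web app manifest the way an analyst would when a suspicious site offers an "Install" button. It flags the three things that matter for a phishing PWA: a display mode that hides the address bar, a start_url that opens a different origin than the serving page, and a brand name in the manifest that the serving host does not belong to. The manifest and the host "security-check.example" are constructed for illustration and are not IOCs.

```javascript
// Added example (not code from the original article or the campaign): triage a web app
// manifest the way an analyst would when a suspicious site offers an "Install" button.
// It flags the settings that make a PWA useful for phishing: a display mode that hides
// the address bar, a start_url that points at a different origin than the serving page,
// and a name that borrows a brand the serving host does not belong to.
// The manifest and the host "security-check.example" below are constructed for
// illustration; they are not real IOCs.

const HIDDEN_URL_BAR_MODES = new Set(['standalone', 'fullscreen']);
// Brand words to look for in name/short_name; extend for your own environment.
const BRAND_WORDS = ['google', 'gmail', 'microsoft', 'apple'];

// Crude ownership check: the host is the brand's .com domain or a subdomain of it.
function hostBelongsTo(hostname, brand) {
  const root = `${brand}.com`;
  return hostname === root || hostname.endsWith(`.${root}`);
}

function auditManifest(manifestText, servingOrigin) {
  const m = JSON.parse(manifestText);
  const findings = [];

  // 1. Display mode. The spec default is "browser", which keeps the URL bar;
  //    "standalone" and "fullscreen" remove it once the app is installed.
  const display = m.display || 'browser';
  const hidesUrlBar = HIDDEN_URL_BAR_MODES.has(display);
  if (hidesUrlBar) findings.push(`display=${display} hides the address bar once installed`);

  // 2. Where the installed app actually opens. start_url and scope are relative
  //    to the manifest's URL; here they are resolved against the serving origin.
  const startUrl = new URL(m.start_url || '/', servingOrigin);
  const scope = new URL(m.scope || '/', servingOrigin);
  if (startUrl.origin !== servingOrigin) {
    findings.push(`start_url opens ${startUrl.origin}, not the serving origin`);
  }

  // 3. Brand impersonation: a brand word in the app name while the scope host
  //    is not a domain of that brand.
  const names = [m.name, m.short_name].filter(Boolean).map(s => s.toLowerCase());
  for (const brand of BRAND_WORDS) {
    if (names.some(n => n.includes(brand)) && !hostBelongsTo(scope.hostname, brand)) {
      findings.push(`name "${m.name}" uses brand "${brand}" but the app runs on ${scope.hostname}`);
    }
  }

  return { display, hidesUrlBar, startOrigin: startUrl.origin, findings };
}

// Constructed manifest modelled on what the text describes: a brand name, an icon,
// a background colour and standalone display.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'Google Security Check',
  short_name: 'Security Check',
  start_url: '/verify',
  scope: '/',
  display: 'standalone',
  background_color: '#ffffff',
  icons: [{ src: '/icon-192.png', sizes: '192x192', type: 'image/png' }],
});

const report = auditManifest(SAMPLE_MANIFEST, 'https://security-check.example');
console.log(JSON.stringify(report, null, 2));
```

Run it under Node against a manifest fetched from the suspect site (the manifest URL is in the page's `<link rel="manifest">`); for the constructed sample it reports two findings, the standalone display and the brand name on a host that is not the brand's.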

Why are PWAs dangerous in phishing?

No URL bar

  • When a PWA opens in standalone mode:

    • No domain is visible

    • The TLS certificate cannot be inspected

    • There is no HTTPS indicator

  • The fake page therefore looks exactly like the real interface. (On desktop Chrome the standalone window still has a small title bar whose app menu exposes the site's URL, but nothing in the content area does, and that is where the user's attention is.)

Feeling "installed"

  • User psychology:

    • "App installed" = "Trusted application"

    • No longer suspicious like a regular website

Difficult for the average user to detect

  • Blends in with native apps: on Android an installed PWA appears in the app drawer and in Settings → Apps like any other app, while on desktop Chrome it is listed only under chrome://apps

  • Users don't know how to uninstall it

  • No clear warnings

Details of the campaign

As mentioned, the attacker's goals in this campaign are to steal Google login credentials, collect OTP/MFA codes in real time, keep access to the compromised account, and potentially use the victim's browser as an intermediary proxy. The first stage is distribution, through:

  • Fake security alert emails.

  • SMS messages.

  • Malicious advertisements.

  • Redirects from infected websites.

The content typically carries an urgent tone, such as "Your Google Account has been compromised," to exploit the user's fear. The link leads to a fake domain under the attacker's control with:

  • Interface identical to Google Security Check

  • Includes logo, layout, and authentic-looking CSS

The page displays "Install Google Security App to verify your account." To make the browser offer an install prompt, the site ships:

  • manifest.json

  • Service Worker

  • Display mode: standalone

After clicking "Install":

  • PWA added to desktop/home screen

  • No longer displays URL

  • Looks like a legitimate app

The next stage is credential collection. The PWA displays an Email field and a Password field, and everything entered is submitted to the attacker's server, either as a plain HTTP request or over a WebSocket connection. A password alone is not enough against an account protected by MFA, so the campaign is built to defeat MFA as well: the attackers immediately use the captured credentials to attempt a login against Google. Google then sends a genuine OTP to the victim, and the fake PWA is ready with the matching prompt:

“Enter the verification code sent to your phone”

The attacker also tries to exploit the WebOTP API. The PWA can:

  • Listen for an SMS OTP, but only under a specific condition: the browser hands a code to a page only when the last line of the SMS is in the origin-bound format "@<host> #<code>" and <host> matches the origin of the page asking for it. A code bound to google.com is never delivered to the attacker's domain, so this path only works for messages bound to the attacker's own host.

  • Otherwise prompt the user to enter the code manually, which is what happens with a genuine Google code.
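The following is an added example, not code from the original article: the WebOTP API does not give a page access to arbitrary SMS messages. The browser surfaces a code to `navigator.credentials.get({ otp: { transport: ['sms'] } })` only when the last line of the SMS has the origin-bound form "@<host> #<code>" and <host> matches the host of the HTTPS page that asked. The code below reproduces that matching offline so the "certain conditions" can be checked against concrete messages. The SMS texts and the hosts "accounts.example" and "security-check.example" are constructed for illustration; substituting the real service's host changes nothing about the result.

```javascript
// Added example (not code from the original article): the WebOTP API does not give a
// page access to arbitrary SMS. The browser surfaces a code to
// navigator.credentials.get({ otp: { transport: ['sms'] } }) only when the last line of
// the SMS is in the origin-bound format "@<host> #<code>" and <host> matches the host of
// the HTTPS page that asked. This reproduces that matching offline so the "certain
// conditions" in the text can be checked against concrete messages.
// The SMS texts and the hosts "accounts.example" / "security-check.example" are
// constructed for illustration, not real messages or IOCs.

// Parse the origin-bound last line. Spec form: "@host #code", optionally followed by
// "@embedded-host" when the requesting page is an iframe.
function parseOriginBoundOtp(smsText) {
  const lines = smsText.trim().split(/\r?\n/);
  const last = lines[lines.length - 1].trim();
  const m = /^@([^\s#]+)\s+#(\S+)(?:\s+@([^\s#]+))?$/.exec(last);
  if (!m) return null;
  return { host: m[1].toLowerCase(), code: m[2], embeddedHost: m[3] ? m[3].toLowerCase() : null };
}

// Would the browser deliver this SMS to a page at pageOrigin? Only for HTTPS pages
// whose host equals the bound host.
function webOtpWouldDeliver(smsText, pageOrigin) {
  const bound = parseOriginBoundOtp(smsText);
  if (!bound) return false;               // plain SMS: the API never sees it
  const origin = new URL(pageOrigin);
  if (origin.protocol !== 'https:') return false;
  return origin.hostname === bound.host;
}

// Constructed messages: one bound to the genuine site, one plain code with no binding.
const SMS_BOUND = 'Your verification code is 482913.\n\n@accounts.example #482913';
const SMS_PLAIN = 'G-482913 is your verification code.';

const GENUINE_ORIGIN = 'https://accounts.example';
const PHISHING_ORIGIN = 'https://security-check.example';

for (const [label, sms] of [['bound', SMS_BOUND], ['plain', SMS_PLAIN]]) {
  console.log(label, 'genuine:', webOtpWouldDeliver(sms, GENUINE_ORIGIN),
              'phishing:', webOtpWouldDeliver(sms, PHISHING_ORIGIN));
}
```

The bound message reaches only the genuine origin, and a plain code reaches nobody through the API. That is why the fake PWA ends up showing "Enter the verification code" and relying on the victim to type it.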

OTP received:

  • Sent in real-time to the attacker.

  • Used immediately to complete the login.
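The following is an added example, not code from the original article: detection logic for what an identity provider or SOC can see once the relayed OTP has worked. The attacker's login satisfies MFA and is followed, within minutes and from the same address, by the persistence actions the next section lists (recovery email added, app password created, trusted device added). The heuristic flags that sequence when the login came from an address never seen for the user. The log format (JSON lines with ts, user, event, ip), the event names, and the addresses from documentation ranges are all constructed for this example; they are not Google's audit format or IOCs.

```javascript
// Added example (not code from the original article): detection logic for the stage
// that follows a successful OTP relay. The attacker's login satisfies MFA and is then
// followed, within minutes and from the same address, by persistence actions (adding a
// recovery email, creating an app password, adding a trusted device). The heuristic
// flags that sequence when the login came from an address never seen for that user.
// The log lines are constructed for this example (JSON lines with ts, user, event, ip);
// they are not Google's audit format, and the addresses are documentation ranges, not IOCs.

const PERSISTENCE_EVENTS = new Set([
  'recovery_email_added',
  'app_password_created',
  'trusted_device_added',
]);
const WINDOW_MS = 15 * 60 * 1000; // persistence within 15 minutes of the login

// knownIpsByUser: { user: [ip, ...] } built from each user's login history.
function detectTakeoverPersistence(logLines, knownIpsByUser) {
  const events = logLines
    .map(line => JSON.parse(line))
    .sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));

  const newIpLogins = new Map(); // user -> most recent MFA login from an unknown ip
  const alerts = [];

  for (const e of events) {
    if (e.event === 'login_mfa_ok') {
      const known = knownIpsByUser[e.user] || [];
      if (!known.includes(e.ip)) newIpLogins.set(e.user, e);
      else newIpLogins.delete(e.user);
      continue;
    }
    if (!PERSISTENCE_EVENTS.has(e.event)) continue;

    const login = newIpLogins.get(e.user);
    if (!login) continue;
    const delta = Date.parse(e.ts) - Date.parse(login.ts);
    // Same address as the suspicious login and inside the window: the attacker is
    // still in the session, cementing access.
    if (delta >= 0 && delta <= WINDOW_MS && e.ip === login.ip) {
      alerts.push({ user: e.user, ip: e.ip, loginAt: login.ts, action: e.event, at: e.ts });
    }
  }
  return alerts;
}

// Constructed sample: alice is the victim, bob logs in from a known address,
// carol's new-address login is followed by a change far outside the window.
const SAMPLE_LOG = [
  '{"ts":"2024-05-01T10:00:05Z","user":"alice","event":"login_mfa_ok","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:00:40Z","user":"alice","event":"recovery_email_added","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:01:10Z","user":"alice","event":"app_password_created","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:02:00Z","user":"bob","event":"login_mfa_ok","ip":"198.51.100.20"}',
  '{"ts":"2024-05-01T10:02:30Z","user":"bob","event":"app_password_created","ip":"198.51.100.20"}',
  '{"ts":"2024-05-01T09:00:00Z","user":"carol","event":"login_mfa_ok","ip":"203.0.113.9"}',
  '{"ts":"2024-05-01T11:30:00Z","user":"carol","event":"trusted_device_added","ip":"203.0.113.9"}',
];
const KNOWN_IPS = { alice: ['198.51.100.5'], bob: ['198.51.100.20'], carol: ['198.51.100.9'] };

console.log(detectTakeoverPersistence(SAMPLE_LOG, KNOWN_IPS));
```

Because the victim enters everything into the fake PWA and the attacker's server forwards it, the genuine service never sees the victim's address at all; the "new address" signal is therefore the attacker's infrastructure, and the persistence actions right after it are what distinguish a takeover from a user on a new network.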

After bypassing the MFA mechanism, the attacker will maintain access. Once logged in successfully, the attacker can:

  • Add recovery email.

  • Create app password.

  • Add trusted device.

  • Export session cookies and tokens.

The PWA then keeps working while its window stays open (and, through its service worker, whenever a push message wakes it), to:

  • Maintain the WebSocket connection to the attacker.

  • Send push notifications (requires the notification permission the "security check" asked for).

  • Read clipboard data (requires the clipboard-read permission).

  • Act as an intermediary proxy.

At this point the victim's browser has become an intermediary node. Finally, the attacker pushes an Android malware package named "sync.apk".

If the victim installs it, the malicious Android app can:

  • Read SMS

  • Log keystrokes

  • Access contacts

  • Request Device Admin rights

At this point, the attacker:

  • Has long-term control

  • Can automatically steal OTP

Conclusion

The fake Google security alert campaign highlights a concerning reality: attacks like this one rely not on technical vulnerabilities but on gaps in user awareness. The attacker does not need to break Google's security controls. Instead, users are tricked into voluntarily installing a malicious app, granting permissions, and handing over OTP codes, all under the guise of "account protection." The abuse of Progressive Web Apps (PWA), the WebOTP API, and push notifications reveals a new trend in phishing that:

  • Not only steals passwords.

  • But also bypasses MFA protection.

In the digital age, social engineering is becoming the most effective "weapon." A single careless click can turn a browser into a proxy for hackers, a phone into a controlled device, and a personal account into an entry point for deeper attacks.

Recommendation

1. Always verify the source of access.

2. Do not install PWAs from unfamiliar sites.

  • Progressive Web Apps (PWAs) can appear like real apps and lack an address bar, making it difficult to verify the URL.

  • If a website asks you to click "Install App" to continue:

    • Cancel the action

    • Close the tab

    • Check the official URL again

  • How to check and remove PWAs:

    Chrome (Desktop):

    • Go to chrome://apps

    • Remove any unfamiliar apps

    Android Chrome:

    • Go to Settings → Apps → find any unfamiliar app with a web icon → Uninstall

3. Do not grant excessive permissions to websites.

  • A legitimate security check page has no reason to ask for:

    • Permission to read the clipboard

    • Continuous location (GPS) access

    • Access to contacts

    • Permission to send notifications

  • Check website permissions:

    • Chrome → Settings → Privacy & Security → Site Settings

    • Remove permissions for suspicious sites

4. Be cautious with OTP/MFA codes.

  • Golden rule:

    • Do not enter OTP on pages accessed from unfamiliar links

    • Do not share OTP with anyone

    • If you receive an OTP for a login you did not start, someone else has your password: change it immediately

  • Security upgrade:

    • Use an authenticator app instead of SMS (this removes the SMS-stealing path, but the code it produces can still be typed into, and relayed through, a fake page)

    • Use a FIDO2 security key or passkey if possible: the browser signs the origin of the page that requested authentication, so an assertion produced on a fake domain is rejected by the real site and cannot be relayed

    • Enable alerts for unusual logins

5. Do not sideload APK files from websites.

  • If a website asks you to download an .apk file:

    • Stop immediately

    • Do not enable "Allow unknown sources"

  • On Android, check:

    • Settings → Security → Device admin apps

    • Remove admin rights from unfamiliar apps

IOCs

Hash

  • 1fe2be4582c4cbce8013c3506bc8b46f850c23937a564d17e5e170d6f60d8c08

Domain

  • google-prism[.]com

Reference

  1. Inside a fake Google security check that becomes a browser RAT | Malwarebytes

  2. Fake Google Security site uses PWA app to steal credentials, MFA codes

FPT IS Security