Executive Summary
In March 2026, a sophisticated phishing campaign emerged, utilizing a counterfeit Google Account security page to deploy a malicious Progressive Web App (PWA). This app deceived users into granting permissions that enabled the theft of one-time passcodes, cryptocurrency wallet addresses, and other sensitive data. Additionally, the malware transformed victims' browsers into proxies for attacker traffic, facilitating further network exploitation. The attackers employed the domain google-prism[.]com to mimic legitimate Google services, leading users through a deceptive setup process that included installing the harmful PWA and, in some cases, a companion Android application. This incident underscores the evolving tactics of cybercriminals who exploit trusted platforms and social engineering to bypass traditional security measures. The use of PWAs in phishing attacks highlights the need for heightened vigilance and the adoption of advanced security protocols to protect against such sophisticated threats.
Why This Matters Now
The increasing sophistication of phishing attacks, exemplified by the use of Progressive Web Apps to bypass traditional security measures, underscores the urgent need for organizations to enhance their cybersecurity defenses and user education programs to mitigate such evolving threats.
Attack Path Analysis
The adversary initiated the attack by deploying a phishing campaign that directed users to a counterfeit Google Security page, which led them to install a malicious Progressive Web App (PWA). Upon installation, the PWA requested extensive permissions, enabling it to access sensitive data and functionality on the victim's device. The malware then used the victim's browser as a proxy to scan internal networks and route attacker traffic, facilitating lateral movement within the network. To maintain control, the PWA established a command and control channel through periodic background synchronization and push notifications. The malware then exfiltrated sensitive information, including contacts, GPS data, clipboard contents, and one-time passcodes. The stolen data opened the way to further exploitation, such as financial fraud or unauthorized access to additional systems.
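As an added illustration of the capability pattern described above (example code written for this page, not from the original advisory or from the researchers it cites): a small static triage script that inspects a PWA's web app manifest and its scripts for the browser capabilities an installed app would need to behave as the paragraph describes (a push or periodic-sync listener as a background channel, plus OTP retrieval, clipboard, geolocation or contacts access, or fetches to private address ranges). Each capability is legitimate on its own; the script scores the combination. The sample manifest, sample script, brand allowlist and the host google-prism.example are all constructed placeholders.

```python
import json
import re
from urllib.parse import urlparse

# Regexes for browser capabilities a page script or service worker can request.
# Any one of these is legitimate on its own; the combination is what matters.
CAPABILITY_PATTERNS = {
    "otp_retrieval": re.compile(r"""credentials\.get\(\s*\{[^}]*\botp\b""", re.S),
    "push_listener": re.compile(r"""addEventListener\(\s*['"]push['"]"""),
    "periodic_sync": re.compile(r"""addEventListener\(\s*['"]periodicsync['"]|periodicSync\.register\("""),
    "clipboard_read": re.compile(r"""navigator\.clipboard\.readText\("""),
    "geolocation": re.compile(r"""navigator\.geolocation\."""),
    "contacts_picker": re.compile(r"""navigator\.contacts\.select\("""),
    # literal private-range targets in fetch() calls (RFC 1918 and loopback)
    "private_range_fetch": re.compile(
        r"""fetch\(\s*['"`]https?://(?:10\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.|127\.)"""),
}

# Constructed brand allowlist: hosts that may legitimately present this brand name.
BRAND_HOSTS = {"google": ("google.com",)}

# Constructed sample manifest, modelled on a fake "account security" app.
SAMPLE_MANIFEST = {
    "name": "Google Account Security",
    "start_url": "https://google-prism.example/app/",   # placeholder host, not the real campaign domain
    "display": "standalone",
}

# Constructed sample script (page script and service worker concatenated for scanning).
SAMPLE_SCRIPT = """
self.addEventListener('push', event => { event.waitUntil(handleTask(event.data.json())); });
self.addEventListener('periodicsync', event => { event.waitUntil(checkIn()); });
async function grabCode() {
  const cred = await navigator.credentials.get({ otp: { transport: ['sms'] } });
  const clip = await navigator.clipboard.readText();
  return [cred.code, clip];
}
"""


def find_capabilities(source):
    """Return the set of capability names whose pattern appears in the JS source."""
    return {name for name, pat in CAPABILITY_PATTERNS.items() if pat.search(source)}


def brand_mismatch(manifest):
    """True when the manifest name borrows a brand whose hosts do not include the app's origin."""
    name = manifest.get("name", "").lower()
    host = urlparse(manifest.get("start_url", "")).hostname or ""
    for brand, hosts in BRAND_HOSTS.items():
        if brand in name and not any(host == h or host.endswith("." + h) for h in hosts):
            return True
    return False


def assess(manifest, script_source):
    """Combine manifest and script findings into a triage verdict: low, medium or high."""
    caps = find_capabilities(script_source)
    findings = sorted(caps)
    if brand_mismatch(manifest):
        findings.append("brand_mismatch")
    if manifest.get("display") == "standalone":
        findings.append("standalone_display")   # installed app hides the URL bar
    background_channel = bool(caps & {"push_listener", "periodic_sync"})
    sensitive_access = bool(caps & {"otp_retrieval", "clipboard_read", "geolocation", "contacts_picker"})
    if background_channel and sensitive_access:
        verdict = "high"
    elif sensitive_access or "private_range_fetch" in caps or "brand_mismatch" in findings:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_MANIFEST, SAMPLE_SCRIPT), indent=2))
```

The verdict is a triage aid, not proof of malice: a legitimate messaging PWA can also register a push listener and read the clipboard. The useful signal is the combination of a background channel with OTP, clipboard, location or contacts access on an origin that borrows a brand it does not own, which is the pattern the advisory describes.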
Kill Chain Progression
Initial Compromise
Description
The adversary launched a phishing campaign using a fake Google Security page to deceive users into installing a malicious Progressive Web App (PWA).
MITRE ATT&CK® Techniques
Spearphishing Link
Malicious Link
Impersonation
Valid Accounts
Email Collection
Proxy
Input Capture: Keylogging
Exploitation for Client Execution
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect against malicious software
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Training and Monitoring
Control ID: 500.14
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement strong authentication mechanisms
Control ID: Identity and Access Management
NIS2 Directive – Cybersecurity risk-management measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
PWA-based infostealers targeting MFA codes and cryptocurrency wallets pose severe threats to financial authentication systems and customer asset protection.
Computer Software/Engineering
Progressive Web App exploitation demonstrates critical vulnerabilities in browser-based application security frameworks and WebOTP API implementations requiring immediate mitigation.
Telecommunications
SMS interception via WebOTP API and network proxy capabilities compromise telecom infrastructure integrity and customer communication security channels.
Government Administration
Internal network scanning and traffic proxying through compromised browsers creates significant risks for government network security and classified information protection.
Sources
- Fake Google Security site uses PWA app to steal credentials, MFA codes: https://www.bleepingcomputer.com/news/security/fake-google-security-site-uses-pwa-app-to-steal-credentials-mfa-codes/
- Inside a fake Google security check that becomes a browser RAT: https://www.malwarebytes.com/blog/privacy/2026/02/inside-a-fake-google-security-check-that-becomes-a-browser-rat
- Threat actors abuse Google Apps Script in evasive phishing attacks: https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-apps-script-in-evasive-phishing-attacks/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the malware's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may have limited the malware's ability to communicate with command and control servers, reducing the effectiveness of the initial compromise.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely have constrained the malware's access to sensitive resources, limiting its ability to escalate privileges.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely have limited the malware's ability to move laterally, reducing the risk of widespread network compromise.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control may have constrained the malware's ability to maintain command and control channels, disrupting its operations.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely have limited the malware's ability to exfiltrate data, reducing the risk of data loss.
The implementation of CNSF controls would likely have reduced the overall impact of the attack by limiting the malware's reach and capabilities.
Impact at a Glance
Affected Business Functions
- User Account Security
- Multi-Factor Authentication
- Cryptocurrency Transactions
- Network Security
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of user credentials, multi-factor authentication codes, cryptocurrency wallet addresses, and personal contacts.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement within the network.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, mitigating data exfiltration risks.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual behaviors indicative of compromise.
- Enhance user awareness training to recognize and avoid phishing attempts, reducing the likelihood of initial compromise.
- Regularly review and restrict application permissions to the minimum necessary, limiting potential abuse by malicious software.
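The advisory's attack path describes command and control through periodic background synchronization, and the recommendations above call for egress monitoring and anomaly detection. As an added example (written for this page, not part of the original advisory or any vendor product), the script below runs a simple beaconing heuristic over constructed egress proxy log lines: for each source/destination pair it measures the spacing between requests and flags pairs whose intervals are almost perfectly regular. The log format, hosts and addresses are constructed; google-prism.example is a placeholder, not the campaign domain.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress proxy log: "<iso-time> <src-ip> <dst-host> <bytes-out>".
# One client talks to a placeholder sync host every 15 minutes with near-identical
# request sizes, alongside ordinary, irregular browsing to other hosts.
SAMPLE_LOG = """\
2026-03-04T09:00:00Z 10.20.0.15 update.vendor.example 1200
2026-03-04T09:00:00Z 10.20.0.15 sync.google-prism.example 410
2026-03-04T09:15:01Z 10.20.0.15 sync.google-prism.example 402
2026-03-04T09:30:00Z 10.20.0.15 sync.google-prism.example 418
2026-03-04T09:45:02Z 10.20.0.15 sync.google-prism.example 405
2026-03-04T10:00:00Z 10.20.0.15 sync.google-prism.example 399
2026-03-04T09:03:12Z 10.20.0.15 docs.example 8800
2026-03-04T09:41:50Z 10.20.0.15 docs.example 9100
2026-03-04T09:42:10Z 10.20.0.15 docs.example 300
2026-03-04T10:12:33Z 10.20.0.15 docs.example 5400
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        # fromisoformat() on older Pythons does not accept a trailing "Z"
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_events=4, max_cv=0.1):
    """Flag src/dst pairs whose request intervals are highly regular.

    A pair is reported when it has at least min_events requests and the
    coefficient of variation (stdev / mean) of the gaps between them is at
    most max_cv. Returns {(src, dst): {"period_s", "events", "cv"}}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = {"period_s": round(avg), "events": len(times), "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: every ~{info['period_s']}s over {info['events']} requests (cv={info['cv']})")
```

Regular polling is not malicious by itself: software updaters, mail clients and legitimate apps using the Periodic Background Sync API all produce this shape. Treat a hit as a prompt to check the destination against an allowlist or reputation source and to look at what else that client did around the same time, rather than as a verdict on its own.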