Phishing disguised as Google security verification uses PWAs to steal OTP codes and convert the browser into proxy

Published. 4 min read.

The most worrying thing, according to the researchers, is that this web service includes a WebSocket relay that lets the attacker issue HTTP requests from the victim's browser with any method, headers and credentials they specify, and returns the full responses. In practice this turns the compromised browser into a criminal-controlled HTTP proxy, which can reach the victim's internal network resources and scan ports, discovering internal devices and services as if the attacker were inside the network.

In addition to the PWA, some users are prompted to install an Android APK that allegedly extends the "protection" to their contacts. This installer requests a large set of high-risk permissions (access to SMS, call logs, microphone, contacts and the accessibility service) and ships dangerous components: a custom keyboard to capture keystrokes, a notification listener, a service to intercept autofilled credentials, and persistence mechanisms (registration as device administrator, a boot receiver, and alarms to restart its components). In other words, if the APK is installed, the likelihood of a complete device takeover rises significantly.

Image generated with AI.

This attack does not exploit flaws in the browser or the operating system; it exploits human psychology. By combining legitimate web features with a credible appearance and a "security improvement" narrative, the attackers get the user to voluntarily grant the permissions needed for data theft and lateral movement on the network. That is why common-sense recommendations matter so much: Google does not perform security checks through pop-up windows that ask you to install software outside its account panel; all official tools are managed from the user panel at myaccount.google.com.

If you think you might be affected, there are concrete and urgent steps to take. In the browser, review the installed web applications and the notification and clipboard permission exceptions; in Chromium-based browsers (Chrome, Edge) PWAs appear in the app list and can be uninstalled from the browser settings. On macOS or iOS, remove any icon or shortcut you do not remember creating. On Android, look for apps with suspicious names like "Security Check" and check whether there is an application called "System Service" with the package name com.device.sync; if it holds device administrator privileges, revoke them in Settings > Security > Device management applications before uninstalling it. Malwarebytes gives precise eradication steps in its report, which should be followed if you detect anything similar: Malwarebytes report.

As for long-term mitigation, it is advisable to replace SMS verification with software authenticators or physical security keys, avoid installing APKs from sources outside Google Play, refuse permissions you do not understand (especially access to SMS, notifications, accessibility or the keyboard), keep the browser and system up to date, and use recognized security solutions to scan the device. Note that some browsers limit the reach of these techniques: in Firefox and Safari many of the attack's capabilities are restricted, although push notifications can still work; switching browsers alone is therefore not enough, but it does reduce the risk.

Finally, if you handle cryptocurrencies, act quickly: review linked addresses, consider moving funds to wallets whose private key has not been exposed, and enable additional security measures. If your Google password or those of other services may have been compromised, change them from another secure device, check the login activity, and consider revoking tokens and sessions from the account security panel at Google Security Checkup.

Image generated with AI.

To better understand the technical building blocks the attackers use (service workers, periodic background sync, WebOTP, etc.), the official guides and developer documentation are useful resources: the Service Worker API is described on MDN (Service Worker API - MDN), periodic background sync at MDN Periodic Background Sync, and the WebOTP API at MDN WebOTP API. Knowing how these pieces work helps identify when their use is legitimate and when it is not.
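As an added illustration (not code from the article or from Malwarebytes' report) of why WebOTP on its own does not hand a code to any page that asks, the snippet below reproduces the origin-bound SMS format the API depends on: the last line of the message names the host the code belongs to, and the browser only releases it to a page on that host. The SMS samples are constructed; `extractBoundOtp` is a hypothetical helper that mirrors that check outside the browser.

```javascript
// Added example: mirrors the origin-bound SMS format used by the WebOTP API.
// The browser only surfaces the code to a page whose host matches the "@host"
// on the SMS's last line, so a lookalike site on another origin cannot read it
// through navigator.credentials.get({ otp: ... }). Samples are constructed.

// Format: "@<host> #<code>" with an optional trailing "@<embedded-host>"
// for codes delivered to an embedded (iframe) origin.
const OTP_LINE = /^@([a-z0-9.-]+)\s+#([A-Za-z0-9]+)(?:\s+@([a-z0-9.-]+))?$/;

// Returns the code if the last line of `sms` binds it to `pageHost`,
// otherwise null (the browser would not hand the OTP to that page).
function extractBoundOtp(sms, pageHost) {
  const lines = sms.trim().split(/\r?\n/);
  const m = OTP_LINE.exec(lines[lines.length - 1].trim());
  if (!m) return null; // not in the origin-bound format at all
  const [, host, code] = m;
  return host === pageHost.toLowerCase() ? code : null;
}

// How a legitimate page requests the code; the browser enforces the same
// binding. Kept in a function so it is not executed outside a browser.
async function requestOtpFromBrowser(signal) {
  const cred = await navigator.credentials.get({ otp: { transport: ['sms'] }, signal });
  return cred ? cred.code : null;
}

// Constructed sample: a correctly bound verification SMS.
const SAMPLE_SMS = 'Your verification code is 123456.\n@accounts.example.com #123456';
// Constructed sample: a code sent without origin binding.
const UNBOUND_SMS = 'Your verification code is 123456.';
```

A code delivered without the `@host` line is not protected by this binding, which is one reason the article recommends moving from SMS verification to authenticator apps or hardware keys.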

In short, the campaign that imitates a Google security check shows that the combination of powerful web technologies and a convincing presentation can be dangerous when paired with social engineering. The best defense remains caution: not installing apps from pop-up windows, checking domains and sources, denying unnecessary permissions, and using robust authentication methods. If you suspect an infection, consult removal guides from security vendors such as Malwarebytes and, if necessary, seek help from trusted professionals.

Recommended further reading: Malwarebytes' technical report on this incident (Malwarebytes), the coverage by specialized outlets such as BleepingComputer, and the developer documentation on MDN Web Docs.
