A website styled to resemble a Google Account security page is distributing what may be one of the most fully featured browser-based surveillance toolkits we have observed in the wild.
Disguised as a routine security checkup, it walks victims through a four-step flow that grants the attacker push notification access, the device’s contact list, real-time GPS location, and clipboard contents—all without installing a traditional app.
For victims who follow every prompt, the site also delivers an Android companion package that installs a native implant, which includes a custom keyboard (enabling keystroke capture), accessibility-based screen reading capabilities, and permissions consistent with call log access and microphone recording.
The infrastructure uses a single command-and-control domain, google-prism[.]com. The domain is routed through Cloudflare’s content delivery network, a service widely used by both legitimate and malicious sites.
A security page without an address bar
The attack begins with what appears to be a genuine Google Account security alert. It does not rely on an exploit or browser bug. It relies on you believing you are responding to Google.
When installed as a PWA (a Progressive Web App, essentially a website that pins to the home screen and runs in its own window), the browser address bar disappears. The victim sees what looks and feels like a native Google app.
In testing, we were guided through four steps, each framed as a protective action.
- The user is prompted to “install” the security tool as a PWA.
- The site requests notification permissions, framed as enabling “security alerts.” Web push notifications give the attacker a persistent communication channel that can function even when the PWA is not actively open.
- The site uses the Contact Picker API—a legitimate browser feature designed for sharing contacts with web apps. The victim is prompted to select contacts for sharing. After selection, the interface displays confirmation text such as “X contacts protected,” framing the step as a security check. However, network analysis shows the selected contacts are sent directly to the attacker-controlled domain.
- The site requests GPS location under the guise of “verifying your identity from a trusted location.” Latitude, longitude, altitude, heading, and speed are all exfiltrated.
What happens after you close the tab
When the victim installs the PWA and grants permissions, two separate pieces of code go to work. Understanding which does what explains why closing the tab is not enough.
The page script runs as long as the app is open. It attempts to read the clipboard on focus and visibility-change events, looking for one-time passwords and cryptocurrency wallet addresses. It tries to intercept SMS verification codes via the WebOTP API on supported browsers, builds a detailed device fingerprint, and polls /api/heartbeat every 30 seconds, waiting for the operator to send commands.
The service worker is the part that survives if you close the tab.
It sits underneath the page, handling push notifications, running background tasks embedded in push payloads, and queuing stolen data locally when the device goes offline, then flushing that queue the moment connectivity returns. It includes handlers for background and periodic sync events, allowing it to wake and execute tasks where those features are supported and registered.
Close the browser tab and the page script stops. Clipboard monitoring and SMS interception end immediately.
But the service worker remains registered. If the victim granted notification permissions, the attacker can still wake it silently, push a new task, or trigger a data upload without reopening the app.
And if the victim ever opens it again, collection resumes instantly.
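The fixed 30-second /api/heartbeat polling described above is the kind of regularity a proxy or DNS log will show long after the victim has forgotten the page. As an added example (not code from the original post or from the toolkit), the Python below flags that cadence over a few constructed proxy log lines and lists any source that contacted the write-up's C2 domain; the log layout, the 10.x addresses and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
# Constructed sample, simplified "<ts> <src_ip> <method> <host> <path>" form; the C2
# host is kept defanged as in the write-up and normalised by refang().
SAMPLE_LOG = """\
2024-06-01T10:00:00Z 10.1.2.3 GET google-prism[.]com /api/heartbeat
2024-06-01T10:00:30Z 10.1.2.3 GET google-prism[.]com /api/heartbeat
2024-06-01T10:01:00Z 10.1.2.3 GET google-prism[.]com /api/heartbeat
2024-06-01T10:01:31Z 10.1.2.3 GET google-prism[.]com /api/heartbeat
2024-06-01T10:02:00Z 10.1.2.3 GET google-prism[.]com /api/heartbeat
2024-06-01T10:00:05Z 10.1.2.9 GET www.example.com /index.html
2024-06-01T10:03:11Z 10.1.2.9 GET www.example.com /news
2024-06-01T10:09:40Z 10.1.2.9 GET www.example.com /about
"""
KNOWN_C2 = {"google-prism[.]com"}  # from the write-up's IoC list
LINE = re.compile(r"^(\S+) (\S+) \S+ (\S+) (\S+)$")

def refang(host):
    return host.replace("[.]", ".").lower()

def parse(log):
    # Yield (timestamp, src_ip, host, path) for each well-formed line.
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), refang(m.group(3)), m.group(4)

def beacon_candidates(log, period=30.0, tolerance=0.2, min_hits=4):
    """{(src, host, path): median gap} for flows spaced near `period` with low jitter."""
    series = defaultdict(list)
    for ts, src, host, path in parse(log):
        series[(src, host, path)].append(ts)
    findings = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        jitter = max(abs(g - med) for g in gaps) / med if med else float("inf")
        if abs(med - period) <= period * tolerance and jitter <= tolerance:
            findings[key] = med
    return findings

def known_c2_contacts(log):
    """Sorted (src_ip, host) pairs that contacted a listed C2 domain at all."""
    c2 = {refang(d) for d in KNOWN_C2}
    return sorted({(src, host) for _, src, host, _ in parse(log) if host in c2})
```

The beacon check is domain-agnostic, so it still surfaces the heartbeat if the operators move to a new host; the IoC match catches a single contact even before the cadence is visible.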
Your browser, their proxy
Perhaps the most concerning capability is the WebSocket relay. Once connected, the attacker can route arbitrary web requests through the victim’s browser as if they were browsing from the victim’s own network.
The malware acts as an HTTP proxy, executing fetch requests with whatever method, headers, credentials, and body the attacker specifies, then returns the full response including headers.
This means:
- If the victim is on a corporate network, internal resources could become reachable
- IP-based access controls can be bypassed
- The attacker’s traffic appears to originate from the victim’s residential IP address
The toolkit also includes a port scanner that sweeps internal network ranges (by default, all 254 addresses on the local subnet across ports 80, 443, and 8080) using a timing-based technique to identify live hosts, all from within the browser sandbox.
In addition, the attacker can execute arbitrary JavaScript on the victim’s device via a remote eval command sent over the WebSocket.
Stolen data never disappears
The toolkit is engineered to tolerate poor connectivity. When the device is offline, captured data—clipboard captures, location updates, intercepted OTPs—is queued in the browser’s Cache API, stored as individual entries under keys like /exfil/{timestamp}-{random}.
When connectivity returns, a Background Sync event replays every queued item to the server. Each entry is deleted only after the server confirms receipt.
On Chromium-based browsers, the service worker includes a handler for Periodic Background Sync under the tag c2-checkin, enabling scheduled wake-ups where the feature is supported and activated. Combined with push-triggered heartbeats, this means the attacker can maintain contact with a compromised device for as long as the PWA remains installed, which could be weeks or months.
When the browser isn’t enough: the native implant
For victims who follow every prompt, the web layer delivers a second payload: an Android APK disguised as a “critical security update.”
The download page claims it is “Version 2.1.0 · 2.3 MB · Verified by Google.”
The actual file is a 122 KB package named com.device.sync, labeled “System Service” in the app drawer.
The APK requests 33 Android permissions, including high-risk privileges such as SMS access, call log access, microphone access, contacts access, and accessibility service control.
It includes:
- A custom keyboard capable of capturing keystrokes
- A notification listener that can read incoming notifications, including potential two-factor codes
- An accessibility service that can observe screen content and perform actions in other apps
- An autofill service positioned to intercept credential fill requests
The web layer’s “Enable Autofill” screen is designed to guide the victim through turning on this malicious autofill service in Android settings.
To enhance persistence, the APK registers as a device administrator (which can complicate uninstallation), sets a boot receiver to execute on startup, and schedules alarms intended to restart components if terminated. The application includes components consistent with overlay-based UI capabilities, suggesting potential use for phishing or credential interception overlays. A FileProvider component is present, consistent with staged update delivery. Whether updates can be installed silently depends on device privilege level and policy configuration.
What to do if you may have been affected
This campaign shows how attackers can abuse legitimate browser features through social engineering rather than exploiting a vulnerability in Google’s systems.
Instead of using a web page merely to deliver a traditional executable, the operators turn the browser itself into a surveillance platform. The PWA layer alone—without any native installation—can harvest contacts, intercept one-time passwords, track GPS location, scan internal networks, and proxy traffic through the victim’s device. The Android APK extends those capabilities to keystroke capture, accessibility-based screen monitoring, and broader device-level surveillance through high-privilege permissions.
What makes this dangerous is that each permission request is presented as a security measure. Victims are not bypassing warnings; they are responding to what appears to be a legitimate security alert. The social engineering is central to how the activity works.
Google does not conduct security checkups through unsolicited pop-up pages. If you receive an unexpected “security alert” asking you to install software, enable notifications, or share contacts, close the page. Legitimate account security tools are accessed directly through your Google Account at myaccount.google.com.
Follow the steps below to review permissions and remove the malicious site.
On Android
- Check your installed apps and home screen for a “Security Check” PWA. On Android, go to Settings > Apps and look for it. Uninstall it immediately.
- Check for an app called “System Service” with the package name com.device.sync. If device administrator access is enabled, revoke it first under Settings > Security > Device admin apps before uninstalling.
- Change passwords for any accounts where you used two-factor authentication via SMS or copied passwords to the clipboard while the malware was present.
- Revoke notification permissions for any web apps you do not recognise. In Chrome on Android: Settings > Site Settings > Notifications.
- Review your autofill settings. If an unknown autofill service was enabled, remove it under Settings > Passwords & autofill > Autofill service.
- If the native APK was installed, consider a factory reset. The malware registers as a device administrator and implements multiple persistence mechanisms. If removal fails or device administrator privileges cannot be revoked, a factory reset may be necessary.
- Run a scan with reputable mobile security software to detect any remaining components.
On Windows (Chrome, Edge, and other Chromium browsers)
- Uninstall the PWA. In Chrome, click the three-dot menu and go to Installed apps (or visit chrome://apps). Right-click the “Security Check” app and select Remove. In Edge, go to edge://apps and do the same.
- Unregister the service worker. Navigate to chrome://serviceworker-internals (or edge://serviceworker-internals) and look for any entry associated with the malicious domain. Click Unregister to remove it. If the PWA remains installed or push permissions are still granted, the service worker may continue to receive push-triggered events in the background.
- Revoke notification permissions. Go to chrome://settings/content/notifications (or edge://settings/content/notifications) and remove any site you do not recognise from the Allowed list.
- Clear site data for the malicious origin. In Chrome: Settings > Privacy and security > Site settings > View permissions and data stored across sites. Search for the domain and click Delete data. This removes cached files, the offline exfiltration queue, and any stored configuration.
- Check for suspicious browser extensions. While this particular toolkit does not use an extension, victims who followed attacker instructions may have installed additional components. Review chrome://extensions or edge://extensions and remove anything unfamiliar.
- Reset browser sync if clipboard or password data may have been compromised. If you sync passwords across devices, change your Google or Microsoft account password first, then review saved passwords for any you did not create.
- Run a full system scan. While this threat is primarily browser-resident on Windows, the remote eval capability means additional payloads could have been delivered during the compromise window.
On Firefox (desktop and Android)
Firefox does not support PWA installation, the Contact Picker API, WebOTP, or Background Sync, so much of this toolkit simply will not function. However, Firefox does support service workers and push notifications, meaning the notification-based C2 channel could still operate if a victim granted permissions. Clipboard monitoring would depend on page execution context and user interaction events, and is not guaranteed in background scenarios on Firefox.
- Revoke notification permissions. Go to Settings > Privacy & Security > Permissions > Notifications > Settings, and remove any unfamiliar entries.
- Remove the service worker. Navigate to about:serviceworkers and click Unregister next to any entry you do not recognise.
- Clear site data. Go to Settings > Privacy & Security > Cookies and Site Data > Manage Data, search for the domain, and remove it. This wipes cached content and any queued exfiltration data.
- On Firefox for Android, about:config is not accessible, so also review any home screen shortcuts that may have been added manually. Firefox on Android does allow “Add to Home screen” even without full PWA support.
On Safari (macOS and iOS)
Safari on iOS 16.4 and later supports PWA installation (“Add to Home Screen”) and push notifications, so the core phishing flow and notification-based C2 channel can work. However, Safari does not support the Contact Picker API, WebOTP, or Background Sync, which limits the toolkit’s passive surveillance capabilities.
- Remove the PWA from your home screen. Long-press the Security Check icon and tap Remove App (or Delete Bookmark on older iOS versions).
- Revoke notification permissions. On iOS: Settings > Safari > Notifications (or Settings > Notifications, and look for the PWA by name). On macOS: System Settings > Notifications > Safari.
- Clear website data. On iOS: Settings > Safari > Advanced > Website Data, search for the domain, and delete it. On macOS: Safari > Settings > Privacy > Manage Website Data.
- On macOS, also check Safari > Settings > Extensions for anything unfamiliar, and review any Login Items under System Settings > General > Login Items & Extensions.
Indicators of Compromise (IOCs)
File hashes (SHA-256)
1fe2be4582c4cbce8013c3506bc8b46f850c23937a564d17e5e170d6f60d8c08 (sync.apk)
Domains
google-prism[.]com