- Attackers abuse Progressive Web Apps (PWAs) on Android
- Victims lured via phishing site google prism[dot]com to install malicious PWA
- PWA harvests clipboard, crypto wallets, OTPs, GPS and more
Threat actors have started turning to Progressive Web Apps (PWA) to do their evil bidding on Android, stealing login credentials, cryptocurrency wallet data, GPS information and more, experts have warned.
Malwarebytes security researchers recently described one such campaign they saw in the wild, starting with a phishing email that lures people to a fake Google website google prism[dot]com.
Under the guise of increased security, victims are led through a four-step “security check” that includes the installation of a malicious PWA.
Collection of data
For those unfamiliar with PWAs: these are websites that can be installed and launched like regular apps on the device, but which actually run inside the web browser.
Once installed, the PWA asks for permissions to send notifications, access clipboard data and other browser features, and configures a service worker to enable push notifications, background tasks, and data sharing.
At this point, the malware starts collecting data whenever the app is open: clipboard contents, cryptocurrency wallet addresses, one-time passwords via the WebOTP API, contacts, GPS data, and device fingerprint details are all harvested. But since the information can only be collected while the app is open, the PWA also starts sending push notifications to the victim.
The PWA would also establish a WebSocket-based relay and HTTP proxy capability, allowing the attackers to route web requests, scan internal networks, and even access local resources.
In some cases, Malwarebytes said, the victim is also prompted to download a “companion app” advertised as a “critical security update,” which requests extensive permissions and registers as a device administrator.
This app, which of course only catches the more gullible, enables deeper compromise, including SMS interception, keystroke capture via a custom keyboard, notification monitoring, credential theft, and long-term persistence.
If you happen to have installed such an app, you can remove it by looking for a “Security Check” entry in the list of installed apps. If your device has an app called “System Service” with a package name of com.device.sync, and if it has administrator access, remove the access by going to Settings – Security – Device admin apps, then uninstall it.
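As an added triage helper (not part of the Malwarebytes report or this article), the script below checks an Android device over adb for the indicators named above: whether the com.device.sync package is installed and whether it holds device admin rights. It assumes the standard `package:<name>` output of `pm list packages` and that `dumpsys device_policy` lists enabled admins as `ComponentInfo{pkg/cls}` entries; the sample output and the `AdminReceiver` class name are constructed for offline testing.

```python
"""Triage helper for the companion app described above (added example)."""
import re
import subprocess

SUSPECT_PACKAGE = "com.device.sync"  # package name given in the article

# Constructed sample output, in the shape adb returns it (not from a real device)
SAMPLE_PM_OUTPUT = "package:com.android.chrome\npackage:com.device.sync\n"
SAMPLE_DPM_OUTPUT = (
    "  Enabled Device Admins (User 0, provisioningState: 0):\n"
    "    ComponentInfo{com.device.sync/com.device.sync.AdminReceiver}\n"  # class name assumed
)


def parse_pm_packages(output: str) -> set:
    """Parse `adb shell pm list packages`: one 'package:<name>' per line."""
    return {line.strip()[len("package:"):] for line in output.splitlines()
            if line.strip().startswith("package:")}


def parse_device_admins(output: str) -> set:
    """Return package names of ComponentInfo{pkg/cls} entries in
    `adb shell dumpsys device_policy` (format assumed, see lead-in)."""
    return set(re.findall(r"ComponentInfo\{([\w.]+)/[\w.$]+\}", output))


def assess(pm_output: str, dpm_output: str) -> dict:
    """Combine both checks and give the removal step the article recommends."""
    installed = SUSPECT_PACKAGE in parse_pm_packages(pm_output)
    admin = SUSPECT_PACKAGE in parse_device_admins(dpm_output)
    if admin:
        action = "revoke admin in Settings - Security - Device admin apps, then uninstall"
    elif installed:
        action = "uninstall"
    else:
        action = "no indicator found"
    return {"installed": installed, "device_admin": admin, "action": action}


def adb_shell(*args: str) -> str:
    """Run an adb shell command against the connected device and return stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    print("sample:", assess(SAMPLE_PM_OUTPUT, SAMPLE_DPM_OUTPUT))
    print("device:", assess(adb_shell("pm", "list", "packages"),
                            adb_shell("dumpsys", "device_policy")))
```

The second print needs a connected device with USB debugging enabled; the first runs against the constructed sample only.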
Via Bleeping Computer