- Attackers are abusing Progressive Web Apps (PWAs) on Android
- Victims lured via phishing site google-prism[dot]com into installing malicious PWA
- PWA harvests clipboard, crypto wallets, OTPs, GPS, and more
Threat actors have begun turning to Progressive Web Apps (PWA) to do their evil bidding on Android, stealing login credentials, cryptocurrency wallet data, GPS information, and more, experts have warned.
Security researchers from Malwarebytes recently detailed one such campaign they spotted in the wild, starting with a phishing email, luring people to a fake Google site google-prism[dot]com.
Under the pretense of enhanced security, the victims are walked through a four-step “security” check that includes installing a malicious PWA.
Harvesting the data
For those unaware of PWAs, these are websites that can be installed and run like regular apps on the device but operate through the web browser.
Once installed, the PWA asks for permissions to send notifications, access clipboard data, and other browser features, and sets up a service worker to enable push notifications, background tasks, and data staging.
At this point, the malware starts collecting data whenever the app is open. Clipboard contents, cryptocurrency wallet addresses, one-time passwords via the WebOTP API, contacts, GPS data, and device fingerprinting details, are all being harvested. But since the information can be gathered only while the app is open, the PWA will start sending push notifications to the victim, as well.
The PWA would also establish a WebSocket-based relay and HTTP proxy capability, so that the attackers can route web requests, scan internal networks, and even access local resources.
In some cases, Malwarebytes said, the victim is also encouraged to download a “companion app” advertised as a “critical security update” which requests extensive permissions and registers as a device administrator.
This app, obviously for the more gullible ones, enables deeper compromise, including SMS interception, keystroke capture via a custom keyboard, notification monitoring, credential theft, and long-term persistence.
If, by any chance, you’ve installed such an app, you can remove it by looking for a “Security Check” entry in the list of installed apps. If your device has an app called “System Service” with a package name com.device.sync, and if it has admin access, remove the access by going to Settings – Security – Device admin apps, and then uninstall it.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/NGKiUcJVFBC8HkMp9dTo9a-1920-80.jpg
Source link
