Fake Google Security site uses PWA app to steal credentials, MFA codes
*A sophisticated phishing campaign leveraging Progressive Web Apps demonstrates how attackers are exploiting legitimate browser technologies to bypass traditional security measures and compromise even MFA-protected accounts.*
The cybersecurity landscape continues to evolve at an alarming pace, with threat actors constantly developing new techniques to exploit legitimate technologies for malicious purposes. The latest example comes from Malwarebytes researchers who have uncovered a particularly insidious phishing campaign that weaponizes Progressive Web Apps (PWAs)—a technology designed to improve user experience—to steal credentials and multi-factor authentication (MFA) codes from unsuspecting victims. This attack represents a troubling evolution in phishing methodology, one that exploits the trust users place in their browsers and the increasing legitimacy of web-based applications.
What Happened
According to security researchers at Malwarebytes, cybercriminals have launched a sophisticated phishing operation that masquerades as a Google security service. The attack begins with a fake Google Security website that tricks users into installing what appears to be a legitimate security application. However, this "app" is actually a malicious Progressive Web App that, once installed, operates with significant permissions that enable it to intercept sensitive information.
The malicious application identifies itself as "System Service" on infected devices, a deliberately generic name designed to avoid raising suspicions among victims who might notice it in their system settings. This naming convention is particularly clever, as many users have grown accustomed to seeing various system-related services running on their devices and may not question the presence of another one.
The PWA implementation allows the attackers to create an application-like experience that installs directly through the web browser without requiring users to visit traditional app stores like Google Play or the Apple App Store. This bypasses the security vetting processes that these platforms have in place, even though those processes are far from perfect themselves.
Once installed, the malicious PWA can capture user credentials and, more concerningly, MFA codes—effectively rendering one of our most trusted security measures useless. The fact that this attack can compromise MFA protection is particularly alarming, as many organizations and security professionals have long promoted multi-factor authentication as a near-foolproof method for securing accounts.
Malwarebytes researchers have provided detailed removal instructions for affected users, noting that the malicious app's capabilities vary significantly depending on the browser and operating system being used. On Chromium-based browsers like Google Chrome and Microsoft Edge running on Windows, the malware enjoys broader capabilities. However, on Firefox and Safari browsers, many of the malicious features are "severely restricted," though push notifications—which can be used for social engineering attacks—still function.
To remove the threat from Android devices, users must navigate to Settings > Security > Device admin apps and uninstall the malicious application. The researchers have also documented specific removal procedures for various desktop browsers, recognizing that the installation and persistence mechanisms differ across platforms.
Who Is Affected
This threat has a potentially wide-reaching impact across multiple user categories. The primary targets appear to be general consumers who use Google services—which, given Google's market dominance, encompasses billions of people worldwide. Anyone who might be convinced to install what appears to be a legitimate Google security application is at risk.
However, the implications extend far beyond individual users. Small and medium-sized businesses whose employees use personal devices for work purposes (a practice known as BYOD, or Bring Your Own Device) face significant risk. A single compromised employee credential could provide attackers with a foothold into corporate networks, especially if that employee has access to sensitive company resources or customer data.
Enterprise users represent another affected category, particularly those in organizations that haven't implemented robust security awareness training or endpoint protection solutions. While enterprise security teams typically deploy additional layers of protection, the human element remains the weakest link in any security chain.
The attack's cross-platform nature means that users of Chromium-based browsers (Google Chrome, Microsoft Edge, Brave, Opera, and others) on Windows systems face the highest risk, as the malicious PWA enjoys its fullest capabilities on these platforms. However, Safari and Firefox users aren't immune—they simply face a somewhat degraded version of the attack that still retains dangerous capabilities like push notification access.
Geographic distribution of this campaign remains unclear from available reporting, but given the attack's reliance on Google branding and the ubiquity of Google services worldwide, we can reasonably assume this is a global threat rather than one targeting specific regions or demographics.
Technical Analysis
The weaponization of Progressive Web Apps represents a significant evolution in phishing attack methodology and deserves careful examination from a technical perspective. PWAs were developed to bridge the gap between web applications and native apps, providing users with app-like experiences—including offline functionality, push notifications, and home screen installation—without the overhead of traditional app development and distribution.
From an attacker's perspective, PWAs offer several attractive characteristics. First, they bypass traditional app store security reviews, which, despite their imperfections, do provide a baseline level of scrutiny. Second, PWAs can be installed with just a few clicks directly from a website, significantly lowering the barrier to entry compared to convincing users to download and install traditional software. Third, once installed, PWAs can request various permissions and appear as legitimate applications in the user's system, complete with their own window frame and icon.
The ability to capture MFA codes represents the most troubling aspect of this attack. Multi-factor authentication has long been promoted as an essential security measure, and for good reason—it adds a critical second layer of defense beyond passwords alone. However, this attack demonstrates that MFA is not infallible, particularly when attackers can use man-in-the-middle techniques or real-time credential harvesting.
The malicious PWA likely functions as a sophisticated proxy, presenting users with convincing fake login pages while simultaneously forwarding the entered credentials to the legitimate Google services in real-time. When Google's systems respond by sending an MFA code to the user's registered device, the user enters this code into the fake interface, which then forwards it to complete the authentication process. This all happens quickly enough that the attacker can use the authenticated session before it expires.
The variation in capabilities across different browsers highlights the importance of browser security architectures. The fact that Firefox and Safari provide more restricted environments for PWAs suggests that their security models may be more conservative or that they implement certain permissions differently than Chromium-based browsers. However, the continued functionality of push notifications across all platforms indicates that some attack vectors remain viable regardless of the browser choice.
The use of "System Service" as the application name demonstrates sophisticated social engineering. This generic designation is designed to blend in with legitimate system processes, exploiting most users' lack of technical knowledge about what services should or shouldn't be running on their devices. It's a reminder that technical sophistication often takes a backseat to psychological manipulation in successful cyberattacks.
What This Means For You
If you're an individual user, this threat underscores several important security principles that deserve immediate attention. First, be extremely skeptical of any unexpected security warnings or prompts to install security applications, even if they appear to come from trusted companies like Google. Legitimate security updates from major technology companies typically happen automatically in the background or through official app stores—they don't require you to visit a website and install something manually.
Second, this attack demonstrates that MFA, while essential, is not a silver bullet. You should continue using MFA on all accounts that support it, but recognize that certain implementation methods are more secure than others. Hardware security keys (like YubiKeys) are significantly more resistant to phishing attacks than SMS-based codes or even authenticator app codes. If you protect high-value accounts—financial services, email, or work accounts—consider upgrading to hardware-based MFA.
Third, regularly audit the applications and services that have access to your accounts and data. On Android devices, periodically review Settings > Security > Device admin apps to ensure you recognize everything listed there. On desktop browsers, check your installed web apps and extensions. If you see anything you don't recognize or remember installing, research it before assuming it's legitimate.
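The second point above (hardware keys resist the real-time relay described in the Technical Analysis section) comes down to one property of FIDO2/WebAuthn: the browser writes the origin of the page that requested the signature into the signed data, so a code captured on a fake page cannot be replayed against the real site. The following simulation is an added example, not code from Malwarebytes or from the campaign; it uses an HMAC as a stand-in for the security key's ECDSA signature and constructed, fictitious names (`accounts.example`, `security-check.example`) for the relying party and the phishing site. A one-time code typed into a fake page carries no such origin, which is why the relay works against SMS and authenticator-app codes but fails here.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed names: a fictitious relying party (RP) and a fictitious phishing origin.
RP_ID = "accounts.example"
RP_ORIGIN = "https://accounts.example"
PHISH_ORIGIN = "https://security-check.example"


class SimAuthenticator:
    """Simplified security key. A real key signs with a per-credential ECDSA
    private key; here an HMAC over the same data stands in for that signature.
    The property that defeats a relay is unchanged: the signed data contains the
    hash of the client data (which carries the page origin) and the RP ID hash."""

    def __init__(self):
        self.secret = os.urandom(32)
        self.sign_count = 0

    def verification_key(self):
        # With a real key the RP would hold the public key registered at enrolment.
        return self.secret

    def get_assertion(self, rp_id, client_data_json):
        self.sign_count += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash (32 bytes)
                     + b"\x01"                                  # flags: user present
                     + struct.pack(">I", self.sign_count))      # signature counter
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.secret, signed, "sha256").digest()


def browser_client_data(challenge, page_origin):
    # The browser, not the page script, records the origin of the page that called
    # navigator.credentials.get(); a phishing page cannot choose this value.
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": page_origin}, separators=(",", ":")).encode()


def rp_verify(key, expected_challenge, client_data_json, auth_data, signature):
    """Relying-party checks on an assertion; returns (accepted, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data_json).digest(),
                        "sha256").digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(authenticator):
    # User is on the real site: the browser stamps RP_ORIGIN into the client data.
    challenge = os.urandom(32).hex()
    cdj = browser_client_data(challenge, RP_ORIGIN)
    auth_data, sig = authenticator.get_assertion(RP_ID, cdj)
    return rp_verify(authenticator.verification_key(), challenge, cdj, auth_data, sig)


def relayed_login(authenticator):
    # Attacker-in-the-middle: the proxy forwards the RP's genuine challenge to the
    # victim, who is on the phishing page, so the challenge check passes. The
    # browser stamps PHISH_ORIGIN into the client data. (A real browser would also
    # refuse to use RP_ID from that origin; the key is allowed to sign here to show
    # that the RP rejects the result even then.)
    challenge = os.urandom(32).hex()
    cdj = browser_client_data(challenge, PHISH_ORIGIN)
    auth_data, sig = authenticator.get_assertion(RP_ID, cdj)
    return rp_verify(authenticator.verification_key(), challenge, cdj, auth_data, sig)


if __name__ == "__main__":
    key = SimAuthenticator()
    print("legitimate:", legitimate_login(key))
    print("relayed:   ", relayed_login(key))
```

The relay fails at the origin check before the signature is even examined; no amount of speed on the attacker's side changes that, because the mismatch is in the data the key signed.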
For IT professionals and business owners, this attack carries additional implications for organizational security. Your security awareness training must evolve to address these more sophisticated phishing techniques. Employees need to understand that modern phishing attacks can be extraordinarily convincing and that trusting visual appearance alone is insufficient.
Consider implementing additional technical controls beyond user education. Browser management policies can restrict PWA installation, endpoint detection and response (EDR) solutions can identify suspicious behavior patterns, and network security tools can block access to known malicious domains. A defense-in-depth strategy that assumes users will occasionally fall for sophisticated phishing attempts is more realistic than relying solely on vigilance.
Your incident response procedures should also account for MFA compromise scenarios. Traditional response playbooks often assume that accounts protected by MFA remain secure, but this attack proves that assumption wrong. When investigating potential account compromises, check for unauthorized PWA installations and review authentication logs for suspicious patterns even on MFA-protected accounts.
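One way to act on the last point, as an added example that is not Malwarebytes' code and not tied to any vendor's log format: a relayed sign-in looks, from the identity provider's side, like a successful MFA login from an IP address and client that the user has never used before, often followed within minutes by a persistence change such as a recovery-email update. The script below runs that heuristic over a constructed JSON-lines sample (fictitious users, documentation IP ranges), using each user's earlier successful logins as the baseline, and escalates a finding when a sensitive change follows from the same address.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (generic JSON lines; not any real vendor's schema).
SAMPLE_LOG = """
{"ts":"2025-09-01T08:02:11Z","user":"alice","event":"mfa_success","ip":"198.51.100.23","ua":"Chrome/128 Windows"}
{"ts":"2025-09-02T08:05:40Z","user":"alice","event":"mfa_success","ip":"198.51.100.23","ua":"Chrome/128 Windows"}
{"ts":"2025-09-03T08:01:02Z","user":"alice","event":"mfa_success","ip":"198.51.100.23","ua":"Chrome/128 Windows"}
{"ts":"2025-09-04T21:17:55Z","user":"alice","event":"mfa_success","ip":"203.0.113.77","ua":"python-requests/2.31"}
{"ts":"2025-09-04T21:18:03Z","user":"alice","event":"recovery_email_changed","ip":"203.0.113.77","ua":"python-requests/2.31"}
{"ts":"2025-09-04T09:00:00Z","user":"bob","event":"mfa_success","ip":"192.0.2.10","ua":"Safari/17 macOS"}
"""

# Account changes that an attacker with a fresh session typically makes to keep access.
SENSITIVE_FOLLOWUPS = {"recovery_email_changed", "mfa_method_added", "app_password_created"}


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_suspicious_mfa_logins(events, min_history=2, followup_window=timedelta(minutes=15)):
    """Flag MFA successes from an IP or user-agent never seen for that user.

    min_history: number of earlier successes a user needs before a new IP/UA is
    judged against them (avoids flagging every brand-new account).
    """
    seen_ips = defaultdict(set)
    seen_uas = defaultdict(set)
    history = defaultdict(int)
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] != "mfa_success":
            continue
        user = ev["user"]
        new_ip = ev["ip"] not in seen_ips[user]
        new_ua = ev["ua"] not in seen_uas[user]
        if history[user] >= min_history and (new_ip or new_ua):
            reasons = []
            if new_ip:
                reasons.append("ip never seen for user")
            if new_ua:
                reasons.append("user-agent never seen for user")
            # Persistence changes from the same address shortly after the login.
            followups = [e["event"] for e in events[i + 1:]
                         if e["user"] == user and e["ip"] == ev["ip"]
                         and e["event"] in SENSITIVE_FOLLOWUPS
                         and e["ts"] - ev["ts"] <= followup_window]
            if followups:
                reasons.append("sensitive change shortly after: " + ", ".join(followups))
            findings.append({"user": user, "ts": ev["ts"].isoformat(), "ip": ev["ip"],
                             "ua": ev["ua"], "severity": "high" if followups else "medium",
                             "reasons": reasons})
        # Every success, flagged or not, becomes part of the user's baseline.
        seen_ips[user].add(ev["ip"])
        seen_uas[user].add(ev["ua"])
        history[user] += 1
    return findings


if __name__ == "__main__":
    for f in find_suspicious_mfa_logins(parse_events(SAMPLE_LOG)):
        print(json.dumps(f))
```

On the sample, alice's fourth login is flagged high (new IP, new client, recovery email changed eight seconds later) while bob's single login produces nothing because there is no baseline yet. In production the baseline would come from a longer window than a few days, and the IP test is better expressed per ASN or geolocation than per exact address.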
Looking Ahead
The emergence of this PWA-based attack technique signals important trends in the cybersecurity threat landscape that will likely intensify in the coming months and years. As legitimate software development increasingly moves toward web-based technologies, we can expect attackers to follow. PWAs, WebAssembly, browser extensions, and other web platform features will continue to be weaponized because they offer attractive attack