Scammers Are Using Fake Google Security Checks To Steal User Passwords, Reports Find

A website styled to look like a Google Account security page is distributing what Malwarebytes describes as one of the most fully featured browser-based surveillance toolkits it has seen. The page appears as a routine security check and asks users to verify their account.

According to Malwarebytes, the attack does not use a browser flaw. It depends on people believing they are responding to Google. Victims are guided through a four-step process that grants access to push notifications, contacts, GPS location and clipboard data, all without installing a traditional app.

Researchers at Malwarebytes say the scam impersonates Google’s account protection system and tricks people into installing a malicious web app. The site often uses a domain that appears legitimate, such as google prism dot com.

The infrastructure uses a single command-and-control domain, google prism dot com, routed through Cloudflare’s content delivery network. Cloudflare is widely used by both legitimate and malicious sites.


How Does The Web App Spy On Users?


The site prompts users to “install” the tool as a Progressive Web App, or PWA. Once installed, the browser address bar disappears and the page looks like a native Google app.

Malwarebytes explains that the site asks for notification permissions framed as enabling “security alerts”. It then uses the Contact Picker API, a legitimate browser feature, to request access to selected contacts. Network analysis shows those contacts are sent directly to the attacker-controlled domain. The page also asks for GPS data under the guise of verifying identity from a trusted location, capturing latitude, longitude, altitude, heading and speed.

After installation, two pieces of code run. One works only when the fake app is open on the screen. It tries to read whatever you copy and paste, such as passwords or cryptocurrency wallet addresses. It also attempts to capture one-time passwords sent to your phone through the WebOTP feature on supported browsers. It builds a profile of your device and checks in with the attacker’s server every 30 seconds. That essentially is the app watching what you type and regularly reporting back.

The second piece is called a service worker. This keeps running in the background even if you close the tab. It can receive hidden push notifications from the attacker and carry out instructions without you reopening the app. If your phone goes offline, it stores stolen data and sends it later when the internet connection comes back. That essentially is a background helper that keeps spying even when you think the page is gone.
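As an added illustration (not from the Malwarebytes report or this article), the script below runs a simple beacon check over constructed web-proxy log lines. It flags a client that contacts one host on a near-fixed period, like the 30-second check-in described above, and tolerates the long gap and catch-up that the offline store-and-forward behaviour would produce. The host name, addresses and timestamps are constructed placeholders, not indicators from the report.

```python
"""Periodic check-in (beacon) detection over constructed proxy log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: "<timestamp> <client> <host>" per line.
# c2.example.invalid stands in for the attacker domain; the 5-minute gap
# at 10:03-10:08 mimics a phone going offline and then resuming check-ins.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 c2.example.invalid
2024-05-01T10:00:30 10.0.0.5 c2.example.invalid
2024-05-01T10:01:00 10.0.0.5 c2.example.invalid
2024-05-01T10:01:31 10.0.0.5 c2.example.invalid
2024-05-01T10:02:00 10.0.0.5 c2.example.invalid
2024-05-01T10:02:29 10.0.0.5 c2.example.invalid
2024-05-01T10:03:00 10.0.0.5 c2.example.invalid
2024-05-01T10:08:00 10.0.0.5 c2.example.invalid
2024-05-01T10:08:30 10.0.0.5 c2.example.invalid
2024-05-01T10:09:00 10.0.0.5 c2.example.invalid
2024-05-01T10:00:07 10.0.0.5 www.example.com
2024-05-01T10:00:19 10.0.0.5 www.example.com
2024-05-01T10:01:52 10.0.0.5 www.example.com
2024-05-01T10:02:40 10.0.0.5 www.example.com
2024-05-01T10:03:15 10.0.0.5 www.example.com
2024-05-01T10:03:16 10.0.0.5 www.example.com
"""


def parse_log(text):
    """Group request timestamps by (client, host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, client, host = line.split()
        events[(client, host)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps, min_requests=5, tolerance=0.2):
    """Return (period_seconds, regularity) or None if too few requests.

    regularity is the share of inter-request gaps within `tolerance` of the
    median gap. The median ignores a single long offline gap, so a device
    that queued data while offline and then caught up is still detected.
    """
    if len(timestamps) < min_requests:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    period = median(gaps)
    if period <= 0:
        return None
    regular = sum(1 for g in gaps if abs(g - period) <= tolerance * period)
    return period, regular / len(gaps)


def find_beacons(text, threshold=0.8):
    """List (client, host, period, regularity) pairs that look periodic."""
    hits = []
    for (client, host), stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score and score[1] >= threshold:
            hits.append((client, host, round(score[0]), score[1]))
    return hits
```

Ordinary browsing (the www.example.com lines) has irregular gaps and is not flagged; the periodic host is reported with a 30-second period despite the offline gap.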


Malwarebytes also says the toolkit can turn a victim’s browser into a proxy. Through something called a WebSocket relay, attackers can send web requests through your browser as if they were you. And that essentially is criminals using your internet connection to visit websites or access systems, making their activity look like it came from your home or office.

The tool can also scan devices on your local network, such as other computers connected to the same WiFi. It checks common ports to see what is active. It can even run its own JavaScript commands directly on your device. That essentially gives the attacker remote control inside your browser, without needing to install a traditional programme.


What Happens If The Android App Is Installed?


For users who follow every prompt, the web layer delivers an Android APK disguised as an important security update. The download page claims it is “Version 2.1.0 · 2.3 MB · Verified by Google.” Malwarebytes says the actual file is a 122 KB package named com.device.sync and labelled “System Service”.

The APK requests 33 Android permissions, including SMS, call log, microphone and contacts access, along with accessibility service control. It contains a custom keyboard to capture keystrokes, a notification listener that can read incoming alerts, an accessibility service to observe screen content and an autofill service positioned to intercept credential requests.

To make removal harder, the app registers as a device administrator, sets a boot receiver to run on startup and schedules alarms to restart components if terminated. Malwarebytes says this campaign shows how attackers abuse legitimate browser features through social engineering rather than exploiting a flaw in Google’s systems.


How Can Users Protect Themselves?


Digital Trends reports that Google does not run security checks through random pop-up pages. Real account security tools are available only through myaccount.google.com.

Malwarebytes advises users who may have installed the PWA to uninstall it, unregister any related service worker and revoke notification permissions. On Android, users should check for an app called System Service with the package name com.device.sync and revoke device administrator access before uninstalling.

Users are encouraged to change passwords for accounts where SMS-based two-factor authentication was used during the compromise window and to review autofill and notification settings. Running a scan with reputable mobile security software is also recommended.