
Archived Article — The Daily Perspective is no longer active. This article was published on 4 March 2026 and is preserved as part of the archive.

Technology

Fake Google Security Page Turns Your Browser Into a Spy

Cybersecurity researchers warn of a sophisticated phishing campaign that converts victims' browsers into full surveillance tools without installing traditional malware.

Image: PC Gamer
Key Points
  • A phishing site impersonating a Google Account security page tricks users into installing a Progressive Web App that operates as a remote access trojan.
  • The toolkit can harvest contacts, intercept one-time passwords, track GPS location, and proxy attacker traffic through the victim's browser, all without traditional malware.
  • Android users who follow every prompt are also offered a companion APK requiring 33 device permissions, enabling keystroke capture and microphone access.
  • The attack exploits legitimate browser features rather than software vulnerabilities, meaning no patch can stop it; only user awareness can.
  • Malwarebytes confirms the campaign operates from the domain google-prism.com, routed through Cloudflare's content delivery network.

A sophisticated phishing campaign has been documented by cybersecurity firm Malwarebytes, in which a website styled to impersonate a Google Account security page is used to distribute what researchers describe as one of the most capable browser-based surveillance toolkits they have encountered. The campaign, which targets Windows, iOS, and Android devices, exploits no software vulnerability whatsoever. That detail is what makes it so troubling.

According to Malwarebytes, the attack begins with a convincing replica of a Google security check page, complete with familiar design and an official-looking domain. Disguised as a routine security checkup, it walks victims through a four-step flow that grants the attacker push notification access, the device's contact list, real-time GPS location, and clipboard contents, all without installing a traditional app. The tool used to achieve this is a Progressive Web App, or PWA, a type of web application that modern browsers support natively.

PWAs are a legitimate technology, widely used by reputable services for their speed and offline capabilities. Here, however, they are weaponised in a way that strips away one of the browser's most important trust signals. The PWA runs in a separate window without a visible address bar or browser controls, making it look very similar to a native application and inspiring extra confidence. Once installed, victims have no easy visual cue that they are still inside a browser.

The capability set documented by researchers is extensive. The PWA layer alone, without any native installation, can harvest contacts, intercept one-time passwords, track GPS location, scan internal networks, and proxy traffic through the victim's device. The toolkit also checks a command-and-control server at regular intervals, and sends fake push notifications to lure the victim back into opening the app, keeping the data pipeline active. According to Malwarebytes, the focus is explicitly on stealing one-time passwords and cryptocurrency wallet addresses for financial fraud.

The campaign's infrastructure centres on a single command-and-control domain, google-prism[.]com, routed through Cloudflare's content delivery network, a service widely used by both legitimate and malicious sites. Because the domain is fronted by Cloudflare's shared edge rather than a dedicated server, blocking it by IP address at the network level is considerably harder, and defenders are left matching on the domain name itself.
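As an added illustration of the name-based detection that paragraph implies (this is example code, not part of the article or of Malwarebytes' research), the following script scans constructed proxy log lines for hostnames that carry the "google" brand without being served from a Google-owned registrable domain. The log format, the allowlist and every hostname except google-prism.com are assumptions made for the example.

```python
"""Flag 'google' lookalike hostnames in proxy or DNS logs.

Added example for this article; not the article's or Malwarebytes' own code.
Assumed log format: "<timestamp> <client_ip> <hostname> <http_status>".
"""
import re
from typing import Dict, List

# Registrable domains Google itself serves account and security pages from.
# Assumption: a defender-maintained allowlist; extend as needed.
GOOGLE_REGISTRABLE = {
    "google.com",
    "googleapis.com",
    "gstatic.com",
    "googleusercontent.com",
}

# Constructed sample log. google-prism.com is the C2 domain named in the
# article; the other hostnames and IPs are made up for this example.
SAMPLE_LOG = """\
2026-03-04T09:12:01Z 10.0.0.5 accounts.google.com 200
2026-03-04T09:12:04Z 10.0.0.5 google-prism.com 200
2026-03-04T09:12:09Z 10.0.0.7 myaccount.google.com 200
2026-03-04T09:13:10Z 10.0.0.9 api.google-prism[.]com 200
2026-03-04T09:14:00Z 10.0.0.9 www.gstatic.com 200
2026-03-04T09:15:00Z 10.0.0.11 accounts.google.com.verify-example.test 200
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def normalise_host(host: str) -> str:
    """Lower-case the host and undo the defanged '[.]' notation used in reports."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")


def registrable_domain(host: str) -> str:
    """Return the last two labels of the host, e.g. 'google-prism.com'.

    Simplification: multi-label public suffixes such as 'co.uk' are ignored;
    a production version would consult the Public Suffix List.
    """
    labels = normalise_host(host).split(".")
    return ".".join(labels[-2:])


def is_google_lookalike(host: str) -> bool:
    """True when 'google' appears in the name but the registrable domain is not Google's.

    Catches brand-in-domain names (google-prism.com) as well as brand-in-subdomain
    names (accounts.google.com.verify-example.test), which a naive
    'contains google.com' check would wave through.
    """
    h = normalise_host(host)
    return "google" in h and registrable_domain(h) not in GOOGLE_REGISTRABLE


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse log lines and return one finding per lookalike hit."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, client, host, _status = m.groups()
        if is_google_lookalike(host):
            findings.append({
                "time": ts,
                "client": client,
                "host": normalise_host(host),
                "registrable": registrable_domain(host),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} -> {f['host']} (registrable: {f['registrable']})")
```

Run against the constructed sample, the scan flags the two google-prism.com requests and the spoofed-subdomain host while leaving genuine accounts.google.com, myaccount.google.com and gstatic.com traffic alone. Matching on the registrable domain rather than on resolved IP addresses is the point: the CDN fronting the real campaign makes IP blocking unreliable, but the name the victim's browser asks for still has to be the attacker's.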

For Android users who follow every prompt, the threat escalates further. They are also offered an Android APK called System Service, with the package name com.device.sync, presented as a critical security update. It requests 33 permissions, including access to SMS, call logs, the microphone, contacts, and accessibility services, which together allow complete control of the device. The APK extends the PWA's capabilities to keystroke capture, accessibility-based screen monitoring, and broader device-level surveillance through those high-privilege permissions.

There is a legitimate counterpoint worth engaging with here. Privacy advocates and civil liberties groups have long argued that browsers accumulating ever-broader API capabilities, from geolocation to contact access to one-time password interception, create an inherently expanding attack surface. That argument, sometimes dismissed by technology optimists as excessive caution, looks prescient in light of this campaign. As browsers gain more native APIs such as WebOTP, Contacts, and Geolocation, the attack surface for PWA-based threats will only grow. The question of how browser vendors and standards bodies govern these features deserves serious policy attention.

From a regulatory standpoint, the Australian Cyber Security Centre has consistently encouraged both individuals and organisations to apply multi-layered protections, including scepticism toward unsolicited permission requests, regardless of how legitimate the requesting page appears. This campaign illustrates precisely why that guidance matters. The attack shows how attackers can abuse legitimate browser features through social engineering rather than exploiting a vulnerability in Google's systems. No patch is coming because nothing is technically broken.

Users should be aware that Google does not run security checks through pop-ups on web pages or request any software installation for enhanced protection features. All security tools are available through the Google Account at myaccount.google.com. If a website ever prompts you to install a security app as part of a verification process, that prompt is the threat itself. The safest response is to close the tab, verify your account status directly through myaccount.google.com, and report the domain to your internet service provider or a cybersecurity body.

The broader lesson from this incident sits at the intersection of technology design and individual responsibility. Calls for governments to mandate stricter browser API controls are understandable, and have merit. But regulatory responses to fast-moving threats are, by nature, slow. In the gap between the emergence of a technique and any legislative response, what protects people is awareness. This campaign is a reminder that the most carefully engineered security systems can be bypassed by a single well-timed prompt, and a willingness to click.

Nadia Souris

Nadia Souris is an AI editorial persona created by The Daily Perspective. Translating complex medical research and emerging health threats into clear, responsible reporting. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.