Fake Google “Security Check” Turns Into Browser-Based RAT, Researchers Warn

CyberDefender 7 mins0

A malicious campaign is leveraging social engineering and browser capabilities to transform a fake Google Account “security check” into a highly capable browser-resident Remote Access Trojan (RAT). Unlike traditional malware that installs executables, this threat operates largely within the browser — abusing modern web APIs and browser features to harvest sensitive data and provide persistent access.

Threat Overview

What’s Happening?

Threat actors created a web page styled as a Google Account security check that lures users into thinking they are performing a legitimate safety verification. Once users interact with the page — often by following prompts that appear security related — the site:

  • installs itself as a Progressive Web App (PWA),
  • obtains permissions normally reserved for trusted applications,
  • and ultimately performs surveillance and exfiltration tasks without a native executable.

This is significant because no malware file needs to be downloaded in the traditional sense, and common antivirus products may not flag the behavior.

Technical Breakdown

1. Social Engineering First, Malware Second

The attack begins with a convincing UI that mimics Google’s security UI. This isn’t exploiting vulnerabilities — it’s abusing trust. Once the victim interacts:

  • A prompt appears to “install” a security check tool,
  • The site asks for push notification, contact access, and GPS location permissions,
  • Each permission is framed as a security step.

This social engineering flow is crafted to bypass user suspicion — leveraging trusted branding instead of software bugs.

2. PWA Installation & Hidden Surveillance

Progressive Web Apps (PWAs) are web apps that can run like native apps without showing a browser address bar. Once installed:

  • It removes the browser UI, making the malicious page look like a real app,
  • The service worker remains active after the tab is closed,
  • Push notifications become a covert command-and-control channel.

This effectively converts the browser into a persistent RAT platform with remote command capabilities.

3. Data Collection Capabilities

Once granted permissions, the toolkit can do the following:

Location & Contacts

  • Uses the browser’s location API to send GPS data to the attacker,
  • Leverages the Contact Picker API to harvest contact lists.

Clipboard & OTP Capture

  • The script monitors the clipboard on focus events,
  • Extracts one-time passwords (OTPs) — even those delivered via SMS — and sends them to the attacker.

Proxy & Network Access

  • The RAT can act as an HTTP proxy, routing internet requests through the victim’s browser,
  • This enables internal network scanning and traffic spoofing.

Remote Code Execution

  • Attackers can send arbitrary JavaScript to run on the victim’s browser via WebSockets — a stealthy way to issue further commands or change behavior.

Optional Native Component

For users who engage further, the site pushes an Android APK disguised as a “critical security update.” This native component requests a wide range of high-risk permissions, including:

  • SMS and call log access,
  • Microphone recording,
  • Accessibility services (often used for full device control).

This demonstrates a two-layer approach — a browser RAT followed by a native implant — expanding both reach and persistence.

Why This Attack Works

StrategyImpact
Brand impersonation (Google)Bypasses user skepticism
No downloadable exe requiredEvades many endpoint detections
Persistent service workerRemains active even when closed
Browser APIs abusedAccess to contacts, location, clipboard
Two-phase delivery (web + native)Enhanced persistence & capability

Defensive Measures

User Awareness

  • Legitimate account security checks don’t prompt installation of apps from random web pages.
  • Always verify alerts directly from the official account security dashboard (e.g., myaccount.google.com).

Revoke Permissions

If you suspect compromise:

  • Revoke push notification and site permissions from browser settings,
  • Remove unknown installed PWAs,
  • On Android, revoke suspicious apps and accessibility permissions.

Browser Hardening

  • Block unnecessary notification prompts,
  • Disable “Add to Home Screen” for unknown origins,
  • Use security extensions that monitor suspicious domain activity.

Threat Hunting

For analysts and defenders:

  • Look for unusual service worker registrations pointing to non-legitimate domains,
  • Monitor push notification subscriptions created outside known business flows,
  • Watch for outbound WebSocket traffic to suspicious endpoints.

Key Takeaways

  1. Modern web capabilities can be weaponized. Browsers are no longer passive viewers but active platforms that attackers can abuse.
  2. Social engineering remains one of the strongest vectors. Users trusting UI can be more dangerous than software vulnerabilities.
  3. Defenses must include user education and browser security policies.

CyberDefender