A malicious campaign is leveraging social engineering and browser capabilities to transform a fake Google Account “security check” into a highly capable browser-resident Remote Access Trojan (RAT). Unlike traditional malware that installs executables, this threat operates largely within the browser — abusing modern web APIs and browser features to harvest sensitive data and provide persistent access.
Threat Overview
What’s Happening?
Threat actors created a web page styled as a Google Account security check that lures users into thinking they are performing a legitimate safety verification. Once users interact with the page — often by following prompts that appear security-related — the site:
- installs itself as a Progressive Web App (PWA),
- obtains permissions normally reserved for trusted applications,
- and ultimately performs surveillance and exfiltration tasks without a native executable.
This is significant because no malware file needs to be downloaded in the traditional sense, and common antivirus products may not flag the behavior.
Technical Breakdown
1. Social Engineering First, Malware Second
The attack begins with a convincing page that mimics Google’s security UI. This isn’t exploiting vulnerabilities — it’s abusing trust. Once the victim interacts:
- A prompt appears to “install” a security check tool,
- The site asks for push notification, contact access, and GPS location permissions,
- Each permission is framed as a security step.
This social engineering flow is crafted to bypass user suspicion — leveraging trusted branding instead of software bugs.
2. PWA Installation & Hidden Surveillance
Progressive Web Apps (PWAs) are web apps that can run like native apps without showing a browser address bar. Once installed:
- The PWA hides the browser chrome, making the malicious page look like a real app,
- The service worker remains active after the tab is closed,
- Push notifications become a covert command-and-control channel.
This effectively converts the browser into a persistent RAT platform with remote command capabilities.
3. Data Collection Capabilities
Once granted permissions, the toolkit can do the following:
Location & Contacts
- Uses the browser’s location API to send GPS data to the attacker,
- Leverages the Contact Picker API to harvest contact lists.
Clipboard & OTP Capture
- The script monitors the clipboard on focus events,
- Extracts one-time passwords (OTPs) — even those delivered via SMS — and sends them to the attacker.
Proxy & Network Access
- The RAT can act as an HTTP proxy, routing internet requests through the victim’s browser,
- This enables internal network scanning and traffic spoofing.
Remote Code Execution
- Attackers can send arbitrary JavaScript to run on the victim’s browser via WebSockets — a stealthy way to issue further commands or change behavior.
Optional Native Component
For users who engage further, the site pushes an Android APK disguised as a “critical security update.” This native component requests a wide range of high-risk permissions, including:
- SMS and call log access,
- Microphone recording,
- Accessibility services (often used for full device control).
This demonstrates a two-layer approach — a browser RAT followed by a native implant — expanding both reach and persistence.
Why This Attack Works
| Strategy | Impact |
|---|---|
| Brand impersonation (Google) | Bypasses user skepticism |
| No downloadable exe required | Evades many endpoint detections |
| Persistent service worker | Remains active even when closed |
| Browser APIs abused | Access to contacts, location, clipboard |
| Two-phase delivery (web + native) | Enhanced persistence & capability |
Defensive Measures
User Awareness
- Legitimate account security checks don’t prompt installation of apps from random web pages.
- Always verify alerts directly from the official account security dashboard (e.g., myaccount.google.com).
Revoke Permissions
If you suspect compromise:
- Revoke push notification and site permissions from browser settings,
- Remove unknown installed PWAs,
- On Android, remove suspicious apps and revoke any accessibility-service permissions they were granted.
Browser Hardening
- Block unnecessary notification prompts,
- Disable “Add to Home Screen” for unknown origins,
- Use security extensions that monitor suspicious domain activity.
Threat Hunting
For analysts and defenders:
- Look for unusual service worker registrations pointing to non-legitimate domains,
- Monitor push notification subscriptions created outside known business flows,
- Watch for outbound WebSocket traffic to suspicious endpoints.
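The three hunting checks above can be scripted against exported browser telemetry. The following is an added example, not code from the original write-up; the event record shape, the trusted-suffix allowlist and the sample records are assumptions constructed for illustration:

```javascript
// Assumed allowlist the hunter maintains: origins where workers, push subscriptions
// and WebSockets are expected. Anything else is reviewed, lookalikes first.
const TRUSTED_SUFFIXES = ["google.com", "googleapis.com", "gstatic.com", "corp.example.com"];
const BRAND_TOKENS = ["google", "gmail", "account", "security"]; // words the lure borrows

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}
// True when host is, or is a subdomain of, a trusted suffix (suffix match, not substring).
function isTrusted(host) {
  return TRUSTED_SUFFIXES.some(s => host === s || host.endsWith("." + s));
}
// Brand-impersonation heuristic: trusted-sounding words on an untrusted host.
function isBrandLookalike(host) {
  return !isTrusted(host) && BRAND_TOKENS.some(t => host.includes(t));
}

const REASONS = {
  sw_register: "service worker registered on untrusted origin",
  push_subscribe: "push subscription created outside known business flows",
  websocket: "outbound WebSocket to untrusted endpoint",
};

// events: [{ user, type, url }] where type is a REASONS key and url is the service worker
// script URL, the subscribing page's origin, or the WebSocket destination (assumed schema).
function triage(events) {
  const findings = [];
  for (const ev of events) {
    const host = hostOf(ev.url);
    if (host === null || isTrusted(host) || !REASONS[ev.type]) continue;
    const lookalike = isBrandLookalike(host);
    findings.push({
      user: ev.user, type: ev.type, host,
      reason: lookalike ? `${REASONS[ev.type]} (brand lookalike hostname)` : REASONS[ev.type],
      // persistence (service worker) or a C2 channel (WebSocket) on a lookalike host ranks highest
      severity: lookalike && ev.type !== "push_subscribe" ? "high" : "medium",
    });
  }
  return findings;
}

// Constructed sample telemetry: a benign Google worker, a lure origin, an internal chat socket.
const SAMPLE_EVENTS = [
  { user: "alice", type: "sw_register",    url: "https://mail.google.com/mail/sw.js" },
  { user: "alice", type: "sw_register",    url: "https://account-security-check.example.net/sw.js" },
  { user: "alice", type: "push_subscribe", url: "https://account-security-check.example.net/" },
  { user: "alice", type: "websocket",      url: "wss://account-security-check.example.net/ws" },
  { user: "bob",   type: "websocket",      url: "wss://chat.corp.example.com/socket" },
];
console.log(JSON.stringify(triage(SAMPLE_EVENTS), null, 2));
```

Run against the constructed events, only the three records from the lure origin are reported, with the service worker and WebSocket findings ranked high.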
Key Takeaways
- Modern web capabilities can be weaponized. Browsers are no longer passive viewers but active platforms that attackers can abuse.
- Social engineering remains one of the strongest vectors. Users trusting UI can be more dangerous than software vulnerabilities.
- Defenses must include user education and browser security policies.
