Malicious Google Security Prompt Steals Data from Edge Users: A Growing Concern for Cybersecurity
As tech enthusiasts, we're always on the lookout for potential security threats that could compromise our devices and data. Recently, a new phishing campaign has emerged, targeting users of Microsoft Edge on PCs and phones with a fake Google Account security page. Despite not relying on any bugs or exploits, this attack is particularly concerning because of its effectiveness and ease of use.
The malicious campaign, discovered by Malwarebytes, uses a convincing Google Account security page that looks like a standard security check to deploy a fully featured browser-based surveillance toolkit. The attack begins with a browser pop-up asking users to install a Security Check app published by "google-prism.com," which is not a legitimate Google URL. If a user installs the fake app, it arrives as a Progressive Web App (PWA) that looks surprisingly similar to a native Google app.
The PWA requests push notification permission, disguised as enabling security alerts, which lets the attackers keep an open channel to the device even after the PWA is closed. The PWA then invokes the legitimate Contact Picker API, asking the user to select contacts with whom they'd like to share the security update; the selected contact info is sent back to the attacker's domain. The last step, and perhaps the scariest, is a request for GPS location, which includes "latitude, longitude, altitude, heading, and speed." This information is all sent back to the attacker's domain as well.
What makes this attack particularly nasty is that closing the malicious PWA doesn't put an end to the threat. While the app is open, it can read the clipboard looking for passwords and wallet addresses, and intercept SMS verification codes at the same time. When the app is closed, that part stops, but a "service worker" remains active: it handles push notifications, runs background tasks embedded in push payloads, and queues stolen data locally when the device goes offline.
The service worker continues operating even after closing the PWA, allowing it to wake and execute tasks where those features are supported and registered. This means that while you can stop the clipboard and SMS data harvesting by closing the PWA, the service worker can still trigger data uploads and push new tasks.
But that's not all - bad actors can also use your browser as if it were their own, making their web traffic appear to come from your IP address. This is achieved through a connection to a WebSocket relay, with the installed malware acting as a proxy.
So, how do you know if your Windows PC has been compromised? Malwarebytes provides steps to check for and remove the malicious PWA, which include running a scan on your device and checking for suspicious activity.
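Two of the points above are worth seeing in code: the lure is served from a hostname that merely looks like Google (L3's "google-prism.com"), and the persistence comes from a service worker with a push subscription rather than from the visible app. The following is an added example written for this article, not code from Malwarebytes or from the campaign itself. It audits a list of service-worker registrations, flags any whose scope is on a brand-lookalike host or is unlisted but holds a push subscription, and shows how a page can collect and unregister its own registrations with the real `navigator.serviceWorker` and `PushManager` APIs. The trusted-suffix list, the `.example.test` hosts and the push endpoints are constructed sample values; only `google-prism.com` comes from the article.

```javascript
// Added example for auditing service-worker persistence and brand-lookalike origins.
// Not the campaign's code and not Malwarebytes' tooling. Sample data is constructed
// except for the hostname google-prism.com, which the article names.

// Assumption: these suffixes are the origins we accept as genuinely Google-owned.
// A host matches if it equals the suffix or ends in "." + suffix.
const TRUSTED_SUFFIXES = ["google.com", "gstatic.com", "googleapis.com"];

// Constructed registration descriptors: { scope, scriptURL, pushEndpoint }.
const SAMPLE_REGISTRATIONS = [
  { scope: "https://google-prism.com/", scriptURL: "https://google-prism.com/sw.js",
    pushEndpoint: "https://push.example.test/sub/abc" },
  { scope: "https://accounts.google.com/", scriptURL: "https://accounts.google.com/sw.js",
    pushEndpoint: "" },
  { scope: "https://shop.example.test/", scriptURL: "https://cdn.example.test/sw.js",
    pushEndpoint: "https://push.example.test/sub/def" },
];

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return ""; }
}

function isTrustedHost(host, suffixes = TRUSTED_SUFFIXES) {
  return suffixes.some((s) => host === s || host.endsWith("." + s));
}

// A host that carries a trusted brand name but is not under a trusted suffix
// (e.g. "google-prism.com") is treated as a lookalike.
function isLookalikeHost(host, suffixes = TRUSTED_SUFFIXES) {
  if (isTrustedHost(host, suffixes)) return false;
  const brands = suffixes.map((s) => s.split(".")[0]);
  return brands.some((b) => host.includes(b));
}

// Verdicts: "trusted" (under a trusted suffix), "lookalike", or "unlisted".
function classifyRegistration(reg, suffixes = TRUSTED_SUFFIXES) {
  const host = hostOf(reg.scope);
  const reasons = [];
  let verdict = "unlisted";
  if (isTrustedHost(host, suffixes)) {
    verdict = "trusted";
  } else if (isLookalikeHost(host, suffixes)) {
    verdict = "lookalike";
    reasons.push(`scope host "${host}" imitates a trusted brand`);
  }
  if (verdict !== "trusted" && reg.pushEndpoint) {
    // A push subscription lets the worker be woken while the PWA is closed.
    reasons.push("holds a push subscription; worker can be woken in the background");
  }
  if (verdict !== "trusted" && reg.scriptURL && hostOf(reg.scriptURL) !== host) {
    reasons.push(`worker script served from another host (${hostOf(reg.scriptURL)})`);
  }
  return { scope: reg.scope, host, verdict, reasons };
}

// Returns only the registrations that deserve a look.
function auditRegistrations(regs, suffixes = TRUSTED_SUFFIXES) {
  return regs.map((r) => classifyRegistration(r, suffixes))
             .filter((f) => f.verdict !== "trusted");
}

// Browser-side collector using real APIs. getRegistrations() is same-origin,
// so this only sees workers registered by the origin the page runs on.
// Returns [] under Node so the offline demo below still runs.
async function collectRegistrations() {
  if (typeof navigator === "undefined" || !navigator.serviceWorker) return [];
  const regs = await navigator.serviceWorker.getRegistrations();
  const out = [];
  for (const reg of regs) {
    const worker = reg.active || reg.waiting || reg.installing;
    const sub = await reg.pushManager.getSubscription();
    out.push({ scope: reg.scope, scriptURL: worker ? worker.scriptURL : "",
               pushEndpoint: sub ? sub.endpoint : "" });
  }
  return out;
}

// Drops the push subscription and unregisters each flagged worker (browser only).
async function unregisterFlagged(findings) {
  if (typeof navigator === "undefined" || !navigator.serviceWorker) return 0;
  let removed = 0;
  for (const reg of await navigator.serviceWorker.getRegistrations()) {
    if (!findings.some((f) => f.scope === reg.scope)) continue;
    const sub = await reg.pushManager.getSubscription();
    if (sub) await sub.unsubscribe();
    if (await reg.unregister()) removed++;
  }
  return removed;
}

console.log(JSON.stringify(auditRegistrations(SAMPLE_REGISTRATIONS), null, 2));
```

The classifier is deliberately simple: a substring match on the brand name catches `google-prism.com` but would also flag harmless hosts that happen to contain the word, so treat a "lookalike" verdict as a prompt to inspect, not as proof of compromise. Because `getRegistrations()` is scoped to the calling origin, the in-browser helpers cannot enumerate every site's workers; for a whole-browser check, remove the installed app and its site data through the browser's own settings, and follow the Malwarebytes removal steps the article refers to.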
In conclusion, this malicious Google security prompt is just one example of how malware is evolving to become more sophisticated and difficult to detect. Without relying on bugs or exploits, this attack highlights the importance of being cautious when interacting with unsolicited pop-ups and apps. As cybersecurity threats continue to grow in complexity, it's essential to stay informed and take proactive measures to protect yourself and your devices.
Join the discussion in our Reddit community at r/WindowsCentral to share your thoughts on this malicious campaign and how you're staying safe online.