A new phishing campaign is using a fake Google security check to steal passwords and other sensitive data from unsuspecting users.
Researchers at Malwarebytes warn that the scam impersonates Google’s account protection system, tricking victims into installing a malicious web app.
Once installed, the tool quietly collects credentials, one-time passcodes, and other personal information. The scam begins with a fake Google account security page designed to look authentic.
Victims are asked to complete a security verification step to protect their account. Instead of protecting their account, the process installs a rogue Progressive Web App (PWA), often through a domain designed to look legitimate, such as google-prism[.]com.
How the fake Google security page steals your data
Progressive Web Apps are normally used to make websites behave like installed applications. In this case, attackers abuse it to deploy a malicious app directly through the browser.
After installation, the PWA seeks permission to send notifications and access clipboard data and other browser functions, then deploys a service worker that enables push alerts, background operations, and sensitive data collection.
Researchers say it can steal login credentials, intercept OTPs used for multi-factor authentication, and harvest cryptocurrency wallet addresses. The tool may also access clipboard data, collect GPS location information, and capture other device details.
The attack can also turn a victim’s browser into a proxy that routes traffic for the attackers. This means cybercriminals can hide their activity behind the user’s device while continuing to monitor data from the compromised browser.
This incident highlights a broader trend in cybercrime, where even modern AI tools can be abused, with researchers showing that browsing-enabled chatbots can act as stealthy relays for malware traffic.
How to stay protected?
Google does not run security checks through random pop-up pages. If a “security alert” asks you to install software, enable notifications, or share contacts, close it. Real security tools are available only through your account at myaccount.google.com.
Staying safe requires paying close attention to security prompts and website addresses. You should always check the URL before entering login details and avoid installing unknown web apps.
Enabling two-factor authentication and using a password manager can also add extra protection if credentials are exposed.
Google is also stepping up defenses against emerging threats. The company recently flagged a new AI-powered malware that can rewrite its own code in real time.
This is why Chrome is testing Gemini-based anti-scam protection to automatically flag suspicious websites before users fall for phishing attacks.