How Malicious PWAs Turn Browsers into Cybercriminal Tools

How Malicious PWAs Turn Browsers into Cybercriminal Tools

Alex Cipher's Profile Pictire Alex Cipher 9 min read

A fake Google Security site recently made headlines for its cunning use of a Progressive Web App (PWA) to steal credentials and multi-factor authentication (MFA) codes, demonstrating just how far cybercriminals will go to exploit both technology and human trust. By mimicking legitimate services and leveraging advanced browser permissions, attackers have transformed the humble browser into a launchpad for sophisticated attacks. The campaign, distributed via phishing domains like google-prism[.]com, lures users into installing a malicious PWA that operates almost indistinguishably from a real app—right down to its standalone window and convincing security prompts.

What makes this threat especially alarming is the way it weaponizes legitimate browser APIs—such as Notifications, Clipboard, and WebOTP—to harvest sensitive data, intercept one-time passcodes, and even turn the victim’s browser into a proxy for internal network attacks. Unlike traditional malware, these attacks don’t rely on exploiting software vulnerabilities; instead, they count on users granting permissions under the guise of enhanced security. This blend of technical sophistication and social engineering marks a new chapter in browser-based threats, with real-world consequences for both individuals and organizations.

How Malicious PWAs Turn Your Browser Into a Cybercriminal’s Playground

Weaponizing Progressive Web App (PWA) Features for Malicious Control

Progressive Web Apps (PWAs) have been widely adopted for their ability to deliver app-like experiences directly through the browser, blurring the lines between web and native applications. Cybercriminals have exploited these capabilities by crafting malicious PWAs that mimic legitimate services, such as Google Security, and then leveraging their advanced permissions to compromise user security. These malicious PWAs are distributed via phishing campaigns, such as those using the domain google-prism[.]com, which masquerades as an official Google security service.

PWAs can request a range of permissions typically reserved for trusted applications, including access to notifications, clipboard data, and device sensors. Once installed, these malicious apps operate in a standalone window, often without visible browser controls, increasing the likelihood that users will perceive them as legitimate and trustworthy. The attackers exploit social engineering tactics to convince users to grant these permissions under the pretense of enhancing device security.

Exploiting Browser APIs for Data Exfiltration and Surveillance

Malicious PWAs take advantage of browser APIs to harvest sensitive user data and maintain persistent access to compromised systems. The following table summarizes key APIs and their malicious uses:

API/FeatureMalicious UseImpact
Notifications APIPushes fake security alerts, triggers app openingSocial engineering, increased persistence
Clipboard APIReads copied text/images while app is openTheft of credentials, crypto wallet data
WebOTP APIIntercepts SMS-based OTP codesBypassing MFA, account takeover
Periodic Background SyncMaintains background connectivityContinuous command & control
Geolocation APITracks real-time GPS dataSurveillance, physical tracking

Attackers use these APIs to collect one-time passcodes (OTPs), cryptocurrency wallet addresses, device fingerprints, contact lists, and even real-time location data. For example, the malicious PWA described in the campaign can exfiltrate contacts, clipboard contents, and GPS data, all while running in the background or when prompted by notifications.

Turning the Victim’s Browser into a Proxy and Internal Network Scanner

One of the most insidious capabilities of these malicious PWAs is their ability to transform the victim’s browser into a proxy for the attacker. By leveraging service workers and WebSocket relays, the malware can route attacker-controlled web requests through the victim’s browser as if the attacker were present on the local network. This enables a range of advanced attacks, including:

  • HTTP Proxying: The malware executes fetch requests with attacker-specified methods, headers, credentials, and body data, returning the full response—including headers—to the attacker. This allows the attacker to interact with internal resources, bypass network segmentation, and potentially exploit internal services.
  • Internal Port Scanning: The PWA can scan the victim’s local network to identify live hosts and open ports, mapping the internal infrastructure for further exploitation or lateral movement.

This proxying ability is particularly dangerous because it does not require the attacker to exploit any browser vulnerabilities; instead, it relies on legitimate browser features and user-granted permissions.

Maintaining Persistence and Command Execution via Service Workers

Malicious PWAs employ service workers—background scripts that run independently of the web page—to maintain persistence and execute attacker commands. Service workers can handle push notifications, synchronize data in the background, and process commands received from the attacker’s command-and-control (C2) infrastructure.

Key persistence and command execution techniques include:

  • Push Notifications: Used to deliver new tasks, fake alerts, or prompt the victim to reopen the malicious app, thereby re-enabling access to sensitive APIs.
  • Periodic Background Sync: Allows the attacker to maintain ongoing communication with the compromised device, even when the app is not actively in use.
  • WebSocket Relays: Facilitate real-time command execution and data exfiltration, as well as proxying attacker traffic through the victim’s browser.

The following table illustrates the persistence mechanisms leveraged by malicious PWAs:

Persistence MechanismFunctionalitySecurity Impact
Service WorkerRuns background tasks, handles notificationsStealthy command execution
Background SyncMaintains C2 connectivityOngoing attacker access
Notification PermissionsTriggers user interaction, reopens appRe-enables data theft capabilities

Bypassing Traditional Security Controls and Exploiting Human Trust

Unlike traditional malware, malicious PWAs do not exploit software vulnerabilities or require privilege escalation. Instead, they rely on the user’s willingness to grant permissions, often under the guise of a security upgrade or protection feature. This approach allows attackers to bypass many endpoint security controls, as the actions taken by the PWA appear legitimate from the perspective of the operating system and browser.

The attack flow typically involves:

  1. Phishing Lure: Victims are directed to a fake security site mimicking Google’s branding.
  2. Permission Requests: The site requests risky permissions (notifications, clipboard, geolocation) as part of a staged “security check.”
  3. PWA Installation: The user is prompted to install the malicious PWA, which then operates with elevated privileges.
  4. Ongoing Exploitation: The attacker uses notifications and background sync to maintain access and exfiltrate data.

This method is highly effective due to the increasing normalization of PWA installations and the trust users place in familiar brands and browser prompts. The attackers’ reliance on social engineering, rather than technical exploits, makes detection and prevention more challenging for traditional security solutions.

Comparative Analysis: Malicious PWA vs. Traditional Browser-Based Attacks

To contextualize the threat posed by malicious PWAs, it is useful to compare their capabilities with those of traditional browser-based attacks, such as malicious extensions or drive-by downloads.

Attack VectorInstallation MethodPersistenceData AccessDetection Difficulty
Malicious PWAUser-installed via phishingService workers, syncClipboard, OTP, contacts, GPSHigh (appears legitimate)
Malicious ExtensionInstalled from store/linkExtension backgroundBrowsing data, credentialsMedium (extension reviews)
Drive-by DownloadExploit-based, stealthMalware persistenceSystem files, credentialsLow (antivirus detection)

Malicious PWAs stand out due to their ability to operate with minimal user suspicion, their use of legitimate browser APIs, and their deep integration with browser features. Unlike extensions, which may be subject to store reviews and can be more easily identified by security software, PWAs are installed directly from the web and can evade many traditional detection mechanisms.

Advanced Social Engineering and Multi-Stage Attack Chains

The sophistication of malicious PWA campaigns is further demonstrated by their use of advanced social engineering and multi-stage attack chains. Attackers design multi-step setup processes that mimic legitimate security workflows, gradually escalating permission requests and encouraging users to install additional components, such as companion Android apps.

Notably, the Android companion app distributed alongside the malicious PWA requests 33 high-risk permissions, including access to SMS, call logs, microphone, contacts, and accessibility services. This enables comprehensive device compromise and financial fraud, extending the attacker’s reach beyond the browser and into the victim’s mobile ecosystem.

The attack chain can be summarized as follows:

  1. Initial Phishing: Victim visits fake security site.
  2. PWA Installation: User grants permissions and installs PWA.
  3. Permission Escalation: PWA requests additional permissions over time.
  4. Companion App Delivery: Victim is prompted to install an Android APK with extensive permissions.
  5. Full Compromise: Attacker gains persistent access to browser and device data.

This multi-stage approach increases the likelihood of successful compromise and data theft, as each step is framed as a legitimate security enhancement.

Leveraging Device Fingerprinting and Real-Time Monitoring

Malicious PWAs often build detailed device fingerprints, collecting information about the victim’s hardware, software, network environment, and user behavior. This data is used to tailor attacks, evade detection, and maximize the value of stolen information.

Device fingerprinting involves collecting:

  • Browser version and capabilities
  • Operating system details
  • Installed fonts and plugins
  • Network IP addresses and topology
  • Active user sessions and authentication tokens

By combining device fingerprinting with real-time monitoring of clipboard contents, OTP codes, and notifications, attackers can execute highly targeted attacks, such as intercepting cryptocurrency transactions or bypassing multi-factor authentication at the precise moment the victim is most vulnerable.

Browser and Platform-Specific Limitations and Exploitation

While the malicious PWA described in the campaign is most effective on Chromium-based browsers (such as Chrome and Edge), its capabilities are more limited on Firefox and Safari. For example, on Firefox and Safari, the PWA’s ability to run background tasks and access certain APIs is restricted, though push notifications remain functional. This highlights the importance of browser architecture in determining the impact of malicious PWAs.

BrowserPWA CapabilitiesAttack Surface
Chrome/EdgeFull API access, background sync, proxyingHigh
Firefox/SafariLimited API access, notifications onlyModerate

Despite these limitations, the attackers adapt their techniques to maximize the effectiveness of their campaigns across different platforms, using notifications to lure victims back into the PWA and re-enable data theft features.

Summary Table: Malicious PWA Attack Lifecycle

StageAttacker ActionVictim Impact
PhishingDirects user to fake security siteUser trust exploited
Permission RequestRequests notifications, clipboard, geolocationElevated app privileges
PWA InstallationInstalls standalone malicious appPersistent background access
Data HarvestingSteals OTP, clipboard, contacts, GPSCredential and data theft
Proxy/Port ScanningUses browser as proxy, scans internal networkNetwork mapping, lateral movement
Notification LuresSends fake alerts to reopen appRepeated exploitation opportunities
Companion App DeliveryPrompts Android APK installationFull device compromise

This lifecycle underscores the versatility and danger of malicious PWAs, which exploit both technical features and human psychology to transform the browser into a powerful tool for cybercriminals.

Final Thoughts

The rise of malicious PWAs like the fake Google Security site is a wake-up call for anyone who relies on browsers for daily tasks—which, let’s face it, is nearly everyone. These attacks blur the line between trusted applications and cleverly disguised threats, using the very features designed to improve user experience as tools for exploitation. The campaign’s ability to bypass traditional security controls, maintain persistence through service workers, and escalate attacks with companion Android apps underscores the need for heightened vigilance and user education.

As browsers continue to evolve and integrate more powerful APIs, the security community must adapt just as quickly—rethinking detection strategies, refining permission models, and empowering users to recognize social engineering tactics. The battle for browser security is far from over, but understanding the anatomy of these attacks is a crucial first step toward staying one step ahead.

References