Quick Summary
- Phishing campaign uses fake Google security pages to deliver malicious PWAs that steal MFA codes in real time
- PWA also harvests cryptocurrency wallet addresses from clipboard and proxies attacker traffic
- Bypasses app store security reviews since PWAs install directly from websites
- Organizations urged to migrate to phishing-resistant MFA like hardware security keys and passkeys
New Phishing Campaign Uses Fake Google Security Page and PWA App to Steal MFA Codes
A sophisticated phishing operation is using convincingly crafted fake Google Account security pages to deliver Progressive Web Apps (PWAs) capable of stealing one-time passcodes, harvesting cryptocurrency wallet addresses, and proxying attacker traffic through victims' browsers in real time.
What Happened
Security researchers have uncovered a phishing campaign that creates near-perfect replicas of Google's Account security page to trick users into installing a malicious Progressive Web App. Once installed, the PWA operates silently in the background, intercepting multi-factor authentication codes, monitoring clipboard activity for cryptocurrency wallet addresses, and routing attacker traffic through the victim's browser to mask the origin of further malicious activity.
The attack begins with a phishing email or message that warns the user of suspicious activity on their Google Account, directing them to what appears to be a legitimate Google security page. The page prompts users to install a 'security verification' app (actually a malicious PWA) that requests minimal permissions but operates with significant capabilities once active.
What makes PWA-based attacks particularly dangerous is that they bypass traditional app store security reviews. Unlike native mobile apps, PWAs can be installed directly from a website without going through Google Play or the Apple App Store, meaning there is no automated security scanning or human review process to catch malicious functionality before it reaches the user's device.
Background and Context
Progressive Web Apps represent a gray area in mobile security. Designed to provide app-like experiences through web technology, PWAs can be installed on devices, work offline, and access device features, all without going through traditional app distribution channels. This makes them powerful tools for legitimate developers but also increasingly attractive to attackers.
The use of PWAs in phishing campaigns has been documented since at least 2023, but the sophistication of this latest campaign represents a significant evolution. Previous PWA phishing attacks typically created simple credential harvesting pages. This campaign uses the PWA as a persistent implant that continues operating after the initial phishing interaction, providing ongoing access to sensitive data including real-time MFA codes.
The targeting of MFA codes is particularly concerning because multi-factor authentication is widely recommended as one of the most effective defenses against account compromise. By intercepting one-time passcodes in real time, the attackers can bypass MFA protections and gain full access to victims' accounts, including email, cloud storage, and enterprise productivity software connected to Google accounts.
Why This Matters
This campaign represents a convergence of several concerning trends in cybersecurity: the exploitation of trusted brand names, the abuse of legitimate web technologies, and the real-time bypassing of multi-factor authentication. Together, these techniques create an attack that is difficult for both users and automated security systems to detect.
The MFA bypass capability is the most alarming element. Organizations and individuals have invested heavily in MFA adoption over the past several years, and it remains one of the most effective security controls available. Attacks that can intercept and use MFA codes in real time undermine the fundamental security guarantee of multi-factor authentication and may require a shift toward phishing-resistant authentication methods like hardware security keys and passkeys.
The cryptocurrency wallet harvesting component adds a financial dimension to the attack. By monitoring clipboard activity, the PWA can detect when a user copies a cryptocurrency wallet address and silently replace it with an attacker-controlled address. Given the irreversible nature of cryptocurrency transactions, victims may not realize they have been robbed until it is too late to recover their funds.
Industry Impact
Google faces pressure to address the PWA security gap. While the company cannot prevent websites from offering PWA installations, it can improve Chrome's warnings about PWA installations from untrusted sources, implement more robust permission controls for PWAs, and develop better detection mechanisms for PWAs that exhibit suspicious behavior patterns.
The cybersecurity industry is responding with new detection capabilities specifically designed to identify malicious PWAs. Endpoint protection platforms are being updated to monitor PWA installations, analyze PWA behavior, and flag suspicious activities like clipboard monitoring and MFA code interception.
For organizations using Google Workspace, this attack highlights the importance of comprehensive security awareness training that covers not just traditional phishing but also PWA-based threats. Users need to understand that app-like experiences delivered through the browser can be just as dangerous as malicious native applications.
The authentication industry is accelerating its push toward phishing-resistant methods. Hardware security keys (FIDO2/WebAuthn) and passkeys are immune to this type of MFA interception because they use cryptographic challenge-response mechanisms that cannot be proxied through an attacker's system. Organizations serious about protecting against advanced phishing should prioritize migration to these technologies.
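Why origin binding defeats the real-time relay described above, as an added example that is not from the article or any vendor: the relying-party checks a server performs on a WebAuthn assertion, with the signature verification step omitted. The relying-party id, both origins and the challenge are constructed values, and the lookalike origin is a placeholder, not an indicator from the campaign.

```python
import base64
import hashlib
import json

RP_ID = "example.com"                                     # assumed relying-party id
EXPECTED_ORIGIN = "https://example.com"                   # assumed real login origin
PHISHING_ORIGIN = "https://account-security.example.net"  # constructed lookalike origin

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks on a WebAuthn assertion (signature check omitted)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed request)"
    # The browser, not the page, writes the origin into clientDataJSON, so an
    # assertion collected on a lookalike domain names that domain here.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"

def make_client_data(origin: str, challenge: bytes) -> bytes:
    # Constructed clientDataJSON as a browser would produce it for `origin`.
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()

def make_authenticator_data(rp_id: str) -> bytes:
    # rpIdHash (32 bytes) + flags byte with UP set + 4-byte signature counter.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (0).to_bytes(4, "big")

def check_from_origin(origin: str, challenge: bytes = b"") -> tuple[bool, str]:
    # Same constructed challenge and authenticator data for both origins.
    challenge = challenge or hashlib.sha256(b"constructed-challenge").digest()
    return verify_assertion(make_client_data(origin, challenge),
                            make_authenticator_data(RP_ID), challenge)

if __name__ == "__main__":
    print("real site:     ", check_from_origin(EXPECTED_ORIGIN))
    print("lookalike site:", check_from_origin(PHISHING_ORIGIN))
```

A relayed one-time code is a bare string with no origin and would pass the equivalent comparison; in practice the browser refuses to produce the assertion on the lookalike origin at all, because the credential is scoped to the real rpId, so the rejected case shows what the server would see if anything were forwarded.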
Expert Perspective
Security researchers describe this campaign as a wake-up call for the industry's reliance on SMS and app-based one-time passcodes for MFA. While any form of MFA is better than passwords alone, time-based and SMS codes are fundamentally vulnerable to real-time interception attacks. The long-term solution is migration to phishing-resistant authentication methods, but the transition will take years given the installed base of legacy systems.
Browser security experts note that PWA permissions models need significant improvement. Currently, PWAs can access clipboard data, run background processes, and operate with minimal user visibility, capabilities that are valuable for legitimate apps but dangerous when exploited by attackers. Stricter permission prompts and sandboxing could mitigate these risks.
What This Means for Businesses
Organizations should update their security awareness training to include information about PWA-based phishing attacks. Employees need to understand that installing a 'security app' from a website, even one that appears to be from Google, is a significant security risk. IT departments should consider implementing policies that restrict PWA installations on managed devices.
Businesses running Windows 11 environments should ensure that browser security settings are configured to warn users about PWA installations and that endpoint protection tools are updated to detect malicious PWA behavior. Migration to phishing-resistant MFA methods like hardware security keys should be prioritized for high-value accounts.
Key Takeaways
- Fake Google security pages are being used to deliver malicious PWAs that steal MFA codes in real time
- The PWA also monitors clipboards for cryptocurrency wallet addresses and proxies attacker traffic
- PWAs bypass app store security reviews, making them attractive to attackers
- Traditional MFA using one-time codes is vulnerable to this type of real-time interception
- Organizations should update security training and consider restricting PWA installations on managed devices
- Migration to phishing-resistant authentication (hardware keys, passkeys) provides the strongest protection
Looking Ahead
PWA-based phishing is likely to become more prevalent as attackers recognize its advantages over traditional approaches. Browser vendors will need to implement stronger security controls around PWA installations and permissions. In the meantime, organizations should treat the migration to phishing-resistant MFA as an urgent priority rather than a long-term aspiration.
Frequently Asked Questions
How does this phishing attack work?
Victims receive a warning about suspicious Google account activity and are directed to a fake security page. The page tricks them into installing a malicious Progressive Web App that then intercepts MFA codes, monitors the clipboard for crypto wallet addresses, and proxies attacker traffic.
Why are PWA attacks dangerous?
PWAs bypass app store security reviews because they install directly from websites. They can run in the background, access clipboard data, and operate with minimal user visibility, making them difficult to detect.
How can I protect myself?
Be suspicious of any website asking you to install a security app. Use phishing-resistant MFA methods like hardware security keys or passkeys instead of SMS or app-based one-time codes. Keep browser security settings strict and endpoint protection updated.