Fake Google security page can turn your browser into a spying tool

A new and increasingly sophisticated phishing scam is putting internet users at risk by impersonating Google’s official security check process to trick people into installing malicious software. This scam, recently uncovered by cybersecurity researchers at Malwarebytes, targets individuals by presenting a convincing fake webpage that mimics Google’s account protection system. The deceptive site persuades visitors to complete a seemingly legitimate four-step process, claiming to enhance their Google account security and protect their devices. However, following these instructions can result in installing a malicious web application that silently spies on users and steals sensitive information.

The fraudulent webpage operates through the domain google-prism[.]com, a URL crafted to appear trustworthy and closely related to Google. The site instructs visitors to grant various permissions and install what is described as a security tool. In reality, this “tool” is a Progressive Web App (PWA), which runs within the browser but behaves like a standalone app on the user’s device. PWAs can open in separate windows, send notifications, and operate in the background, making them ideal for attackers to conduct covert surveillance and data theft.
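A defensive check for the lookalike-domain pattern described above, as an added example (not code from Malwarebytes or the original article). The one-entry allowlist, the function names and every sample input other than the domain named in the article are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: a one-entry allowlist. A real deployment would
# list every registrable domain the organisation actually trusts.
TRUSTED_DOMAINS = {"google.com"}
BRAND = "google"


def refang(value: str) -> str:
    """Undo the defanging used in reports, e.g. google-prism[.]com."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def classify(value: str) -> str:
    """Return 'trusted', 'lookalike', 'unrelated' or 'invalid' for a URL or host."""
    value = refang(value.strip())
    if "://" not in value:
        value = "https://" + value
    try:
        parts = urlsplit(value)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    # Trusted only when the host IS an allowlisted domain or a subdomain of it.
    # Matching on the right-hand side defeats google.com.<attacker domain>.
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    # The brand anywhere else in the authority (hyphenated label, left-hand
    # subdomain, or userinfo before '@') is the lookalike pattern.
    if BRAND in parts.netloc.lower():
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    samples = [  # constructed inputs, except the domain named in the article
        "google-prism[.]com",
        "https://accounts.google.com/",
        "https://google.com.security-check.example/",
        "https://accounts.google.com@login.example/",
        "https://example.org/",
    ]
    for s in samples:
        print(f"{classify(s):10} {s}")
```

The check is a plain suffix match, so it does not cover homoglyph or punycode (`xn--`) hostnames that avoid the literal brand string.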

Once installed, the malicious web app gains extensive access to the victim’s device. It can monitor clipboard activity, meaning it records anything the user copies and pastes—a particular threat for cryptocurrency users who often copy wallet addresses. Additionally, the app can collect contacts, track GPS location data, and attempt to intercept one-time login verification codes commonly used in two-factor authentication (2FA). These codes are crucial for securing accounts, and if attackers capture them along with passwords, they can gain unauthorized access to email, financial accounts, and cryptocurrency wallets.

The scam doesn’t stop at the browser level. The fake security page may also prompt users to download an accompanying Android app, disguised as a “critical security update.” This app requests a staggering 33 permissions, including access to text messages, call logs, contacts, microphone recordings, and accessibility features. Such permissions grant attackers extensive control—enabling them to read messages, capture keystrokes, monitor notifications, and maintain persistent access to the device. Although the Android app poses a significant risk, the malicious web app alone can collect sensitive information and operate silently within the browser.

This scam’s success hinges on exploiting user trust. Many people expect to receive security alerts from platforms like Google, especially when it concerns their email or cloud accounts. The attackers leverage this expectation by presenting a plausible security page, encouraging users to approve permissions and install the malicious app. Unlike traditional hacking methods that exploit software vulnerabilities, this attack relies on social engineering—tricking users into voluntarily granting access. Once granted, the browser itself starts acting on behalf of the attackers without the user’s knowledge.

One particularly alarming feature of the malicious app is its ability to route internet traffic through the victim’s browser. This means attackers can channel their online activities through the user’s device, making it appear as if the traffic originates from the victim’s home network. This tactic can further mask malicious operations and complicate tracking efforts. The app can also send fake security alerts or system warnings via notifications. When users click on these alerts, the app reactivates, creating additional opportunities to capture sensitive data such as login codes or clipboard contents.

In response to these findings, Google has confirmed that its security systems are designed to identify and block threats like this phishing campaign. Google’s Safe Browsing feature in Chrome alerts users when they attempt to visit dangerous sites, and Android devices with Google Play Services include Google Play Protect, which scans for known malware and blocks harmful apps—including those installed from third-party sources. Google also stated that no apps containing this malware have been detected on the official Google Play Store. Despite these protections, experts warn that Google Play Protect is not foolproof, and additional security measures are recommended.

Given the limitations of built-in protections, cybersecurity specialists advise users to install reputable antivirus software on all devices. Quality antivirus programs provide an extra layer of defense by detecting malicious downloads, suspicious browser activity, and phishing attempts before they cause serious harm. Acting as an early warning system, antivirus tools can help block dangerous apps and websites before they gain access to personal data or device functions.

To avoid falling victim to this scam and similar threats, users should adopt several key security habits. First and foremost, Google never prompts users to install security tools via pop-ups or unknown websites. If a page claims that your Google account requires a security check, the safest approach is to close the tab and navigate directly to your Google account settings by typing
