Google Prism is a nasty piece of surveillance software recently uncovered by Malwarebytes. This campaign doesn’t rely on bugs or system exploits to get into your hardware. It uses a fake Google security page to trick you into handing over your data willingly.
Key Takeaways
- Permission Trap: The site uses a security checkup to get access to your GPS, contacts, and clipboard.
- PWA Trickery: It asks you to install a Progressive Web App (PWA). This hides the browser address bar so the site looks like a real Google app.
- Always Watching: A background service worker stays active after you close the tab. It can push new tasks or steal data while the app is closed.
- Android Payload: If you follow every step, it tries to get you to download an APK file disguised as a System Service, which logs your keystrokes and records audio.
The PWA Strategy
This attack is all about social engineering. Once the PWA is on your home screen, the UI looks identical to a native Google interface. From there, it uses standard browser tools like the Contact Picker API to steal your phone book and the WebOTP API to grab your two-factor codes.
The most dangerous part is the WebSocket relay. This lets the attacker use your browser as a proxy. They can route their own traffic through your connection, making it look like they are browsing from your home or office IP address.
The Android Implant
If the web layer isn’t enough, the site offers a 122 KB file called com.device.sync. This System Service asks for 33 high-risk permissions, including:
- Accessibility Services: To watch your screen and control other apps.
- Custom Keyboard: To record everything you type.
- Microphone Access: To record audio and track your calls.
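To check a suspicious APK for this permission combination, the sketch below (an added example, not Malwarebytes' code or anything taken from the implant) scans a manifest that has already been decoded to text XML, for example with apktool. The sample manifest is constructed for illustration and only the package name comes from the report; the component names and the "two or more capabilities" review rule are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission strings for the capabilities the article names.
REQUESTED = {"android.permission.RECORD_AUDIO": "microphone"}
# Components guarded by these permissions are bound by the system itself.
BOUND = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.BIND_INPUT_METHOD": "keyboard",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}

# Constructed sample, NOT the real implant's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.device.sync">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="System Service">
    <service android:name=".ScreenWatcher"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Keys"
        android:permission="android.permission.BIND_INPUT_METHOD"/>
    <receiver android:name=".Admin"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return the package name, the named capabilities found, and a review flag."""
    root = ET.fromstring(xml_text)
    found = set()
    # Permissions the app requests for itself.
    for el in root.iter("uses-permission"):
        cap = REQUESTED.get(el.get(NS + "name", ""))
        if cap:
            found.add(cap)
    # Services and receivers that only the system may bind to.
    for el in root.iter():
        if el.tag in ("service", "receiver"):
            cap = BOUND.get(el.get(NS + "permission", ""))
            if cap:
                found.add(cap)
    # Heuristic (assumption): two or more of these together warrant manual review.
    return {"package": root.get("package"),
            "capabilities": sorted(found),
            "review": len(found) >= 2}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A legitimate keyboard with voice typing also trips the review flag, so treat the result as a prompt to look closer at the app, not a verdict.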
How to Stay Safe
Malwarebytes points out that Google never runs security checks through random pop-up pages. You should only manage your account at myaccount.google.com.
If you think you’ve been hit, do this right away:
- Delete any Security Check apps from your home screen or browser settings.
- Turn off notification permissions for any sites you don’t know.
- Remove the System Service app on Android. You might need to turn off Device Admin rights in your settings first.
- Change your passwords if you used SMS codes or copied passwords to your clipboard while the app was installed.
Source: Research and imagery provided by Malwarebytes.




