Google Prism: Fake Security Checkup Turns Browsers Into Spyware

Google Prism is a nasty piece of surveillance software recently uncovered by Malwarebytes. This campaign doesn’t rely on bugs or system exploits to get onto your device. It uses a fake Google security page to trick you into handing over your data willingly.

Key Takeaways

  • Permission Trap: The site uses a fake security checkup to request access to your GPS location, contacts, and clipboard data.
  • PWA Trickery: Users are prompted to install a Progressive Web App. Installing it this way removes the standard browser address bar, so the interface mimics a native Google utility.
  • Always Watching: A background service worker stays active after the window closes. This channel processes push notification payloads and queues harvested data when offline.
  • Android Payload: Final verification steps attempt to drop an APK called System Service. This implant requests 33 high-risk permissions to record keystrokes and capture live microphone audio.

The PWA Strategy

This attack is all about social engineering. Once the PWA is on your home screen, the UI looks identical to a native Google interface. From there, it uses standard browser tools like the Contact Picker API to steal your phone book and the WebOTP API to grab your two-factor codes.

The most dangerous part is the WebSocket relay. This lets the attacker use your browser as a proxy. They can route their own traffic through your connection, making it look like they are browsing from your home or office IP address.

The Android Implant

If the web layer isn’t enough, the site offers a 122 KB APK, com.device.sync, which presents itself as System Service. It asks for 33 high-risk permissions, including:

  • Accessibility Services: To watch your screen and control other apps.
  • Custom Keyboard: To record everything you type.
  • Microphone Access: To record audio and track your calls.
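The permission classes listed above are exactly what a defender looks for when triaging an unknown APK. The script below is an added example (not part of the Malwarebytes research or this article) that scans a decoded AndroidManifest.xml and flags the permissions that grant accessibility control, keyboard capture, microphone access, device-admin lock-in and contact or SMS access. It assumes the manifest has already been decoded from the APK's binary XML (for example with apktool); the manifest embedded below is constructed for illustration and is not the real sample's, and the mapping from permission string to capability is our own. One detail worth noting: the accessibility, input-method and device-admin capabilities are declared as `android:permission` on a `<service>` or `<receiver>` element, not as `<uses-permission>`, so a scan that only reads `<uses-permission>` misses them.

```python
"""Triage a decoded AndroidManifest.xml for spyware-grade permissions."""
import xml.etree.ElementTree as ET
from typing import Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"
LABEL_ATTR = f"{{{ANDROID_NS}}}label"

# Real Android permission strings; the capability labels are our own grouping
# and follow the categories described in the article.
HIGH_RISK = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility: read screen, drive other apps",
    "android.permission.BIND_INPUT_METHOD": "custom keyboard: keystroke capture",
    "android.permission.RECORD_AUDIO": "microphone: audio recording",
    "android.permission.BIND_DEVICE_ADMIN": "device admin: resists uninstall",
    "android.permission.READ_CONTACTS": "contacts: phone book export",
    "android.permission.READ_SMS": "SMS: one-time codes",
    "android.permission.RECEIVE_SMS": "SMS: one-time codes",
    "android.permission.ACCESS_FINE_LOCATION": "location: GPS tracking",
}

# Constructed sample manifest (placeholder package name, not the real implant).
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="example.constructed.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="System Service">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Ime"
             android:permission="android.permission.BIND_INPUT_METHOD"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Collect every permission the app requests or binds its components to."""
    root = ET.fromstring(manifest_xml)
    found = set()
    # Ordinary runtime/install permissions.
    for node in root.iter("uses-permission"):
        name = node.get(NAME_ATTR)
        if name:
            found.add(name)
    # BIND_* capabilities live on the component that exposes them.
    for tag in ("service", "receiver", "activity"):
        for node in root.iter(tag):
            perm = node.get(PERM_ATTR)
            if perm:
                found.add(perm)
    return found


def triage(manifest_xml: str) -> dict:
    """Return only the high-risk permissions, mapped to the capability they grant."""
    perms = requested_permissions(manifest_xml)
    return {p: HIGH_RISK[p] for p in sorted(perms) if p in HIGH_RISK}


def app_label(manifest_xml: str) -> Optional[str]:
    """Return the user-visible app name, useful for spotting generic disguises."""
    app = ET.fromstring(manifest_xml).find("application")
    return app.get(LABEL_ATTR) if app is not None else None


if __name__ == "__main__":
    print(f"App label: {app_label(SAMPLE_MANIFEST)!r}")
    hits = triage(SAMPLE_MANIFEST)
    print(f"{len(hits)} high-risk permission(s):")
    for perm, why in hits.items():
        print(f"  {perm}  ->  {why}")
```

Run it against a manifest decoded from any APK you are asked to vet; a generic label such as "System Service" combined with several hits from the table above is the pattern this article describes and warrants removal rather than a second look at its permissions prompt.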

How to Stay Safe

Malwarebytes points out that Google never runs security checks through random pop-up pages. You should only manage your account at myaccount.google.com.

If you think you’ve been hit, do this right away:

  1. Delete any Security Check apps from your home screen or browser settings.
  2. Turn off notification permissions for any sites you don’t know.
  3. Remove the System Service app on Android. You might need to turn off Device Admin rights in your settings first.
  4. Change your passwords if you used SMS codes or copied passwords to your clipboard while the app was installed.

Source: Research and imagery provided by Malwarebytes.
