A convincing phishing campaign is posing as a Google security check, tricking people into installing a malicious web app that harvests one-time codes, clipboard contents and other sensitive data by abusing permissions you grant yourself. This article explains how the scam works, what the malicious app can do, what Google says about protections, and practical steps you can take to spot and remove these threats.
Attackers have set up a fake security page that mimics Google’s account protection flow, guiding visitors through what looks like a legitimate verification process. The page asks users to approve permissions and install a Progressive Web App that appears harmless but runs in its own browser window. Because the app runs through the browser, it can act like a regular program while hiding its true purpose.
Once installed, the malicious web app can read the clipboard, collect contacts, track GPS location and try to intercept one-time login codes commonly used for two-factor authentication. That combination lets criminals capture the short codes sent to your phone and combine them with stolen passwords to break into accounts. The app can also route web traffic through your browser so activity appears to come from your device and home network.
Researchers also found an Android companion app presented as a “critical security update” that requests a long list of permissions, reportedly 33 in total. Those permissions include access to text messages, call logs, contacts, microphone recordings and accessibility features. With that level of access, an app can read messages, capture keystrokes and monitor notifications, giving attackers a persistent foothold on a device.
The scam succeeds because it looks like a normal security prompt from a trusted brand and users expect occasional account checks from big services. Instead of exploiting a software bug, attackers rely on social engineering to get users to grant the app the capabilities it needs. Once permissions are granted, the browser or device behaves as an accomplice without any obvious sign of compromise.
Google says of its protections: “We can confirm that Safe Browsing in Chrome warns any user who tries to visit this site. Chrome also shows a confirmation dialog whenever anyone attempts to download an APK. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services.”
Even with those built-in protections, no single defense is perfect. Google Play Protect and Safe Browsing can block many threats but historically have not caught everything, especially apps sideloaded from outside official stores. That gap is why layered defenses, including reputable antivirus tools and cautious habits, still matter for most users.
Trust your instincts if a pop-up or unfamiliar page claims your account needs a quick security check. Close the tab and navigate to your account settings by typing the official address yourself rather than clicking through prompts. Visiting the real account page prevents redirection to lookalike domains that are designed to capture credentials and permissions.
Watch the site address carefully; phishing pages often use domains that look nearly identical to real ones but contain subtle differences. If the domain is not an official Google address, do not proceed. Attackers count on people clicking quickly while ignoring the address bar, so a small typo or extra word can be the red flag you need to stop and think.
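The address check described above can be automated in a mail filter or proxy rule. The following is an added example, not code from the article or from Google; the single official domain, the small look-alike character map and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example: one official domain and a tiny confusables map.
OFFICIAL = ("google.com",)
BRAND = "google"
CONFUSABLE = {"0": "o", "1": "l", "\u043e": "o", "\u03bf": "o",
              "\u0435": "e", "\u0261": "g"}

def _skeleton(text):
    """Expand punycode (xn--) labels, then fold look-alike characters to ASCII."""
    try:
        text = text.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: compare as given
    return "".join(CONFUSABLE.get(ch, ch) for ch in text.lower())

def classify(url):
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for an absolute URL."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    # Exact match or a true subdomain; "google.com.verify.example" fails both tests.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    # The brand appearing anywhere else in the authority is the warning sign:
    # in a subdomain, a hyphenated name, a homoglyph, or in front of an "@".
    visible = _skeleton(host) + "@" + _skeleton(parts.username or "")
    return "lookalike" if BRAND in visible else "unrelated"

# Constructed sample URLs on reserved .example names, not indicators from the campaign.
SAMPLES = (
    "https://accounts.google.com/signin",
    "https://accounts.google.com.verify.example/",
    "https://g00gle-check.example/",
    "https://accounts.google.com@login.example/",
    "https://g\u043e\u043egle.com/",
    "https://www.example.org/",
)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):10} {sample!r}")
```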
If a web-installed app opens like a standalone program, check your browser’s list of installed apps and extensions and remove anything you do not recognize. On Android, be wary of apps named “Security Check” or “System Service” and review requested permissions closely. Uninstall suspicious apps immediately and revoke permissions to stop further data collection.
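For analysts reviewing a suspect Android package, the permission review described above can be scripted against a decoded AndroidManifest.xml. This is an added example, not code from the article or the researchers; the manifest, the package name and the triage rule are constructed assumptions, while the permission names are standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Capability groups named in the article, mapped to Android permission names.
RISKY = {
    "sms": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "call_log": {P + "READ_CALL_LOG"},
    "contacts": {P + "READ_CONTACTS"},
    "microphone": {P + "RECORD_AUDIO"},
    "accessibility": {P + "BIND_ACCESSIBILITY_SERVICE"},
    "notifications": {P + "BIND_NOTIFICATION_LISTENER_SERVICE"},
}

def audit_manifest(xml_text):
    """Return (risky capability groups found, count of requested permissions)."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    # Accessibility and notification access are bound on <service>, not requested
    # through <uses-permission>, so a permission count alone misses them.
    bound = {e.get(ANDROID + "permission") for e in root.iter("service")}
    seen = (requested | bound) - {None}
    groups = sorted(g for g, perms in RISKY.items() if perms & seen)
    return groups, len(requested - {None})

def verdict(groups):
    """Assumed triage rule: SMS access plus a screen- or notification-reading service."""
    if "sms" in groups and {"accessibility", "notifications"} & set(groups):
        return "high"
    return "review" if groups else "low"

# Constructed manifest for illustration; the package name is hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securitycheck">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    groups, total = audit_manifest(SAMPLE)
    print(total, "permissions requested; risky groups:", groups, "->", verdict(groups))
```

A manifest taken from a suspect APK is untrusted input, so decode and parse it in an isolated analysis environment.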
Password managers help by creating and storing unique passwords and by refusing to autofill credentials on lookalike domains, which makes it harder for phishing sites to harvest logins. For two-factor authentication, prefer authenticator apps that generate codes on your device rather than SMS codes that can be intercepted. Those steps significantly reduce the odds of attackers turning a single stolen password into full account access.
Keep a close eye on your accounts for unusual activity after any suspicious interaction: watch for login alerts, password reset notifications or unexpected transactions. Acting quickly is crucial to limit potential damage and regain control if attackers attempt to use captured codes or clipboard data. Regularly reviewing permissions and installed software is a simple, effective habit for preventing long-term compromises.
Attackers are shifting tactics from exploiting software flaws to exploiting trust, impersonating familiar brands to persuade people to install malware themselves. Preventing these scams will require stronger safeguards around what web apps can do and faster action against impersonation sites. Stay cautious, maintain layered defenses and treat surprise security prompts as potential traps rather than helpful warnings.
