Cybercriminals are launching phishing attacks using fake Google security pages and malicious Progressive Web Apps to steal OTPs, cryptocurrency wallet data and personal information.
 |
| Researchers warn that phishing websites mimicking Google security pages are installing malicious web apps that collect OTPs, crypto wallet addresses and device data. Image: CH |
Tech Desk — March 6, 2026:
A sophisticated phishing campaign targeting users of Google services is raising fresh concerns among cybersecurity experts, as attackers deploy fake websites designed to closely imitate official Google security verification pages.
Researchers from Malwarebytes say cybercriminals are building fraudulent websites that replicate the appearance of legitimate Google security interfaces. These pages attempt to convince users that they must complete a security verification process. During that process, victims are prompted to install what appears to be a security-related application. In reality, the software functions as a malicious program designed to collect sensitive information from the user’s device.
The attack strategy highlights how modern cybercrime increasingly relies on deception rather than technical vulnerabilities. According to researchers, the campaign does not exploit any flaw in Google’s software infrastructure. Instead, attackers register web domains that resemble official Google security addresses and design pages that visually mimic genuine verification systems. This method allows criminals to exploit user trust in widely recognized technology brands.
A key element of the attack involves the use of Progressive Web Apps, commonly known as PWAs. These applications are web-based programs that behave similarly to traditional mobile apps once installed. When a PWA is launched, it opens in a standalone window and removes typical browser features such as the address bar or navigation buttons. This interface design makes the application appear more like a legitimate installed app, which can make it harder for users to recognize that the program originates from a suspicious website.
Once installed, the malicious PWA begins collecting various forms of sensitive data from the device. Researchers say the program targets authentication codes, particularly one-time passwords used for account verification. By capturing these codes, attackers may be able to bypass multi-factor authentication systems that protect email accounts, financial platforms and cryptocurrency services. The application also seeks cryptocurrency wallet addresses and other valuable digital credentials that could enable financial theft.
In addition to authentication codes and wallet data, the software gathers detailed information about the device itself. This includes data that helps attackers build a comprehensive digital identity profile of the victim’s device. Such profiles can be used to conduct further attacks, impersonate users online or bypass security measures that rely on device recognition. Some compromised devices may also be used to launch additional malicious activities through the victim’s browser, expanding the reach of the attack beyond the initial target.
The focus on cryptocurrency-related information reflects the increasing financial incentives behind modern cybercrime. Digital assets have become an attractive target for attackers because transactions are often irreversible and can be conducted quickly across borders. Once stolen, cryptocurrency funds are typically difficult to recover, making them particularly valuable to cybercriminal networks.
Security experts warn that legitimate Google security features are only accessible through official addresses linked to Google accounts. Any unexpected request to install a security application should be treated with caution. Researchers also advise users to review installed apps on their devices and immediately remove any unfamiliar program labeled “Security Check,” which may be linked to the phishing campaign.
The emergence of phishing attacks built around Progressive Web Apps demonstrates how cybercriminals are adapting to evolving internet technologies. While PWAs offer legitimate benefits for developers and users, their ability to mimic native applications also provides new opportunities for deception. As digital services become increasingly integrated into daily life, experts say the challenge of cybersecurity will continue to revolve not only around technological safeguards but also around protecting users from increasingly sophisticated forms of social engineering.