Cybersecurity provider Malwarebytes has thrown up a red flag regarding a fake Google Account security page that it says is distributing “what may be one of the most fully featured browser-based surveillance toolkits we have observed in the wild”, and it’s capable of infecting Windows, Apple, and Google Android devices.
In a blog post breaking down the methodology of the attack, Malwarebytes says that the infiltration begins with what appears to be a genuine Google Account security check, from a page with Google’s familiar stylesheet and with an official-looking domain.
A prompt then asks to install “security software” via a Progressive Web App (PWA) as part of a four-step process, which proceeds to gradually grant the attacker access to notifications, contact lists, real-time GPS location, and the contents of the host machine’s clipboard, among others.
If a victim installs the PWA and grants requested permissions to the site, simply closing the tab is not enough to prevent it from access. The page script itself runs as long as the app or tab is open, and attempts to read the clipboard, looking for “one-time passwords and cryptocurrency wallet addresses”. It also attempts to intercept SMS verification codes on mobile devices, and polls the API every 30 seconds as it waits for operator commands.
However, with the app and tab closed, a separate service worker runs malicious, data-stealing tasks in the background, and even queues stolen data locally if the device goes offline, before sending its payload as soon as the connection is restored.
(Image credit: skaman306 via Getty Images)
“Close the browser tab and the page script stops. Clipboard monitoring and SMS interception end immediately,” says Malwarebytes. “But the service worker remains registered. If the victim granted notification permissions, the attacker can still wake it silently, push a new task, or trigger a data upload without reopening the app. And if the victim ever opens it again, collection resumes instantly.”
The malware also operates as a WebSocket relay, which means it can act as an HTTP Proxy and be used to gain access to corporate networks, bypassing IP-based access controls and funnelling traffic through the victim’s IP address. “Once connected, the attacker can route arbitrary web requests through the victim’s browser as if they were browsing from the victim’s own network”, says Malwarebytes.
The fun doesn’t stop there, either. On Android devices, a separately-installed APK disguised as a “critical security update” includes a custom keyboard capable of capturing keystrokes, a notification listener for capturing two-factor authentication codes, an accessibility service that can observe screen content, and an autofill intercepting service to capture user credential fill requests. Oh, and microphone recording, of course. Fabulous.
Phew. It’s about as comprehensive as malware gets by the looks of things, and getting rid of it seems to be something of a convoluted process. Malwarebytes provides step-by-step removal instructions for Windows and macOS users, including Chrome, Firefox, and Safari-specific options, along with some Android and iOS-focused steps to take if you’ve been duped into falling for its charms on your mobile device.
It’s certainly one of the most nefarious-looking trojans I’ve ever read about, and the fact that it’s capable of gaining access to your system via most of the popular browsers on Windows, Apple, and Android devices is deeply concerning. Pay attention to what you’re clicking on, folks—it’s a dangerous world out there.
