
Fake Google Security Alert Installs PWA That Steals MFA Codes
A phishing campaign posing as a Google Account security check is tricking users into installing a Progressive Web App (PWA) that functions as a full browser-based RAT — stealing MFA codes in real time, harvesting cryptocurrency wallets, and turning the victim's browser into a network proxy. This isn't your typical credential phishing page.

What Happened

Reported by Malwarebytes researcher Stefan Dasic in February 2026, the campaign operates from the domain google-prism[.]com, which presents victims with a convincing Google Account security page. Instead of simply harvesting credentials, the page prompts users to "install" a security app — actually a PWA that gains persistent access to the browser with extensive permissions.

What makes PWA phishing particularly dangerous: once installed, the browser address bar disappears. The victim sees what appears to be a native Google application with no visible URL to verify legitimacy.

Technical Breakdown

The Attack Chain

Initial lure — victim
Continue reading on Dev.to



