Malicious Fake Google Security Page Installs Spying Web App

Security researchers at Malwarebytes have uncovered an active phishing site using the domain google-prism[.]com that impersonates a legitimate Google account‑protection page and walks users through a fake four‑step 'security' setup. The site persuades visitors to grant permissions and install what it claims is a Google security tool, which is actually a malicious Progressive Web App that runs in the browser like a standalone app, can send notifications, and operates in the background. Once installed, the web app can read clipboard contents, harvest contacts, track GPS location, and attempt to capture one‑time login codes used for two‑factor authentication, effectively turning the victim’s own browser into a spying tool without exploiting any software vulnerability. The fake page may also offer an Android 'critical security update' companion app that requests 33 powerful permissions, including access to SMS, call logs, microphone recordings, contacts and accessibility features, allowing keylogging, message reading and deep device monitoring. Because the attack relies entirely on social engineering and user‑granted permissions, it can evade traditional expectations of a “hack” and underscores why U.S. users are being urged by security experts to scrutinize security alerts, check domains carefully and avoid installing apps from pop‑up prompts rather than official app stores.