Fake Google security page delivers advanced browser-based surveillance toolkit

A sophisticated phishing campaign is leveraging a website disguised as a Google Account security page to distribute what researchers describe as one of the most fully featured browser-based surveillance toolkits observed in the wild.

The operation uses the domain google-prism[.]com, which is routed through Cloudflare’s content delivery network. The attack does not rely on software exploits or browser vulnerabilities. Instead, it attempts to convince victims that they are responding to a genuine Google security alert, and every capability it gains is one the victim grants through a standard browser permission prompt.

The phishing page walks targets through a four-step “security checkup” process. Victims are first prompted to install the site as a Progressive Web App (PWA), allowing it to run in a standalone window without a visible browser address bar. Next, the site requests permission to send notifications under the pretense of delivering “security alerts.” Granting this access gives attackers a persistent communication channel that functions even when the app is closed.

The third step abuses the Contact Picker API, a legitimate browser feature intended to help users share contacts with trusted web applications. Victims are asked to select contacts to “protect,” after which the interface displays confirmation messaging. Network analysis shows the selected data is transmitted directly to the attacker-controlled domain.

The final step requests GPS location data, claiming it is needed to verify identity from a trusted location. Detailed geolocation data, including latitude, longitude, altitude, heading, and speed, is then exfiltrated.

According to Malwarebytes researchers, the visible page script monitors clipboard activity, searching for one-time passwords and cryptocurrency wallet addresses. On supported browsers, it attempts to intercept SMS verification codes via the WebOTP API, builds a device fingerprint, and polls a command endpoint every 30 seconds for instructions.

Notably, the service worker component persists even after the browser tab is closed. If notification permissions were granted, attackers can silently wake the service worker, execute background tasks, or trigger data uploads without reopening the app. Stolen data can be queued locally if the device goes offline and automatically transmitted when connectivity resumes.

The toolkit also includes a WebSocket-based relay that effectively turns the victim’s browser into a proxy. Attackers can route arbitrary web requests through the victim’s network, potentially bypassing IP-based access controls and making traffic appear to originate from the victim’s residential or corporate connection. A built-in port scanner sweeps internal network ranges using timing-based techniques to identify live hosts. Additionally, the system allows operators to execute arbitrary JavaScript on the victim’s device via remote commands.
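The permission chain described above (PWA install, notifications, Contact Picker, geolocation, clipboard, WebOTP, a WebSocket relay and a periodic command poll) is unusual for a single page script, which makes it a usable triage signal. The following static check is an added example written for this article, not code from Malwarebytes or from the campaign; the indicator patterns, weights, thresholds and the two sample scripts are constructed assumptions.

```javascript
// Browser capabilities the campaign chains together, with a rough weight per
// phase. Weights and thresholds are assumptions for illustration only.
const INDICATORS = [
  { phase: "pwa-install",   weight: 1, re: /beforeinstallprompt|serviceWorker\.register\s*\(/ },
  { phase: "notifications", weight: 2, re: /Notification\.requestPermission\s*\(|pushManager\.subscribe\s*\(/ },
  { phase: "contacts",      weight: 3, re: /navigator\.contacts\.select\s*\(/ },
  { phase: "geolocation",   weight: 2, re: /geolocation\.(getCurrentPosition|watchPosition)\s*\(/ },
  { phase: "clipboard",     weight: 2, re: /clipboard\.readText\s*\(/ },
  { phase: "webotp",        weight: 3, re: /otp\s*:\s*\{\s*transport\s*:\s*\[\s*["']sms["']/ },
  { phase: "relay",         weight: 1, re: /new\s+WebSocket\s*\(/ },
  { phase: "beacon",        weight: 1, re: /setInterval\s*\([^)]*,\s*\d{4,6}\s*\)/ },
];

// Scan one script's source text and return the matched phases, a weighted
// score and a verdict. A legitimate site may use one or two of these APIs;
// the score rises with the breadth of the chain, not any single call.
function assessScript(source) {
  const matched = INDICATORS.filter((ind) => ind.re.test(source));
  const phases = matched.map((ind) => ind.phase);
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  let verdict = "low";
  if (score >= 8) verdict = "high";
  else if (score >= 4) verdict = "review";
  return { phases, score, verdict };
}

// Constructed fixture mirroring the reported four-step flow plus background
// components (API calls only, not the campaign's actual code).
const SAMPLE_SUSPICIOUS = `
window.addEventListener('beforeinstallprompt', (e) => { deferred = e; });
navigator.serviceWorker.register('/sw.js');
Notification.requestPermission();
navigator.contacts.select(['name', 'tel'], { multiple: true });
navigator.geolocation.getCurrentPosition((p) => handle(p));
navigator.clipboard.readText();
navigator.credentials.get({ otp: { transport: ['sms'] } });
const ws = new WebSocket('wss://example.invalid/relay');
setInterval(poll, 30000);
`;

// Constructed fixture for a benign page that only asks for location.
const SAMPLE_BENIGN = `
navigator.geolocation.getCurrentPosition(showLocalForecast);
`;
```

Run over the fixtures, the suspicious script matches all eight phases and scores "high", while the single geolocation call scores "low"; the same check can be pointed at scripts captured by a proxy or a browser extension's content inspection.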

For users who complete every step, the web layer delivers a second-stage payload, an Android APK disguised as a “critical security update.” The app requests 33 permissions, including access to SMS messages, call logs, contacts, microphone input, and accessibility services. It registers as a device administrator, installs a boot receiver to run on startup, and schedules restart mechanisms for persistence.