Malwarebytes: Fake Google page distributes advanced browser surveillance toolkit
Cybersecurity provider Malwarebytes has warned that a fake Google Account security page is distributing "what may be one of the most fully featured browser-based surveillance toolkits we have observed in the wild", capable of infecting Windows, Apple, and Google Android devices.
The campaign begins with a page that appears to be a genuine Google Account security check, using Google's stylesheet and an official-looking domain. Closing the browser tab stops the visible page script, but the service worker remains registered. "If the victim granted notification permissions, the attacker can still wake it silently, push a new task, or trigger a data upload without reopening the app. And if the victim ever opens it again, collection resumes instantly."
The malware also acts as a WebSocket relay and can be used as an HTTP proxy. Once connected, an attacker can route arbitrary web requests through the victim's browser, bypassing IP-based access controls and funnelling traffic through the victim's IP address.
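A defender's check for the persistence described above, as an added example that is not from Malwarebytes or the original article: it lists the service workers registered for the current origin, flags any that hold a push subscription while notifications are granted, and removes them. The function names and the `env` parameter are assumptions of this example; `getRegistrations()` only covers the origin the code runs on.

```javascript
// Added example: audit the current origin for the persistence described above.
// `env` defaults to the browser globals; a stub object can be passed instead.
async function auditServiceWorkers(env = globalThis) {
  const sw = env.navigator && env.navigator.serviceWorker;
  if (!sw) return { notificationPermission: 'unsupported', workers: [] };
  const permission = env.Notification ? env.Notification.permission : 'unsupported';
  const workers = [];
  for (const reg of await sw.getRegistrations()) {
    const worker = reg.active || reg.waiting || reg.installing;
    // pushManager is missing in browsers without the Push API.
    const sub = reg.pushManager ? await reg.pushManager.getSubscription() : null;
    workers.push({
      scope: reg.scope,
      scriptURL: worker ? worker.scriptURL : null,
      pushEndpoint: sub ? sub.endpoint : null,
      // Heuristic from the article: push subscription + granted notifications
      // means the worker can be woken with no tab open.
      wakeable: Boolean(sub) && permission === 'granted',
      registration: reg,
    });
  }
  return { notificationPermission: permission, workers };
}

// Drop each push subscription first, then unregister the worker itself.
async function removeServiceWorkers(report) {
  const removed = [];
  for (const w of report.workers) {
    const pm = w.registration.pushManager;
    const sub = pm ? await pm.getSubscription() : null;
    if (sub) await sub.unsubscribe();
    if (await w.registration.unregister()) removed.push(w.scope);
  }
  return removed;
}
```

In the DevTools console on the affected origin, run `removeServiceWorkers(await auditServiceWorkers())`. Unregistering does not revoke the notification permission, which has to be reset in the browser's site settings.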