March 21, 2026

By PhishClean Research Team - browser security guidance based on phishing analysis, defensive research, and product work.

Fake Google Security Checks Are Now Installing Browser-Based Phishing Apps

Recent reporting from Malwarebytes and BleepingComputer describes a fake Google security page that leans on PWA installation and permission prompts to turn the browser into a phishing and surveillance tool. The attack is unsettling precisely because it does not need a browser exploit. It needs your trust.

According to the reports, the malicious site walks victims through a security check that asks them to install a Progressive Web App, enable notifications, and approve additional browser permissions. Once that happens, the attacker gains a far more persistent foothold than a normal phishing page would provide.

The browser does not have to be broken for this to work. The attacker only needs the victim to treat the page like a real security workflow.

This is not just another fake login page. Permission prompts, push notifications, and browser-installed apps can all become part of the phishing chain.

Why the PWA angle matters

People treat a website differently from an app. When the malicious page is installed as a PWA, the normal browser chrome disappears and the experience feels more like a legitimate security tool. That small shift in presentation matters because it removes some of the visual cues users rely on when deciding whether a page is real.

Why this kind of attack is so effective

Attackers break the compromise into steps that feel reasonable on their own. The page is framed as account protection, each permission request is explained as a security feature, and notification permission creates a channel to pull the victim back in later.

Users are not being rushed into one obvious mistake. They are being guided through a series of helpful steps that feel like normal account hardening.

What users should remember

Legitimate Google account security tools do not arrive as random pop-up pages asking you to install a special app.
If a page claiming to protect your account asks for contact access, clipboard access, or a strange companion app, stop.
Notification permission can be the attacker's way to keep the phishing flow alive long after the tab is closed.
Once installed, a fake PWA can feel more like software than a webpage, which is exactly why the trick works.

What to do if you were affected

Remove the installed PWA or home-screen app immediately, revoke notification permissions, clear site data, and review any passwords or MFA methods that may have been exposed while the app was present. Also check for companion mobile apps or unexpected device-admin settings if the site pushed you toward Android installation.

Source note

This post is based on Malwarebytes' report Inside a fake Google security check that becomes a browser RAT and related coverage from BleepingComputer.

Frequently Asked Questions

Why is a fake Google security check so convincing?

Because it borrows the look and language of a real account-security flow and then asks for permissions in steps that are framed as protective actions.

What makes the PWA angle important?

A Progressive Web App can run in its own window without the usual address-bar context, which makes the fake experience feel more like a native security tool than a webpage.

What should users do if they installed a suspicious security PWA?

Remove the app, revoke notification permissions, clear site data, change any passwords or MFA methods exposed during the compromise, and check for companion mobile apps or unknown device-admin settings.

Catch risky permission flows before they feel routine

PhishClean helps detect suspicious pages and browser-level signals before a fake security check turns into a persistent foothold.

Install PhishClean Free

Share or Save This Guide

If this helped, save it for later, share it with someone who would benefit from it, or subscribe for new browser-security guides from PhishClean.