Fake Google security page can turn your browser into a spying tool
A new phishing scam is tricking people into installing malware by pretending to be a Google security check. The page looks convincing and tells you that your Google account needs additional protection. It walks you through a simple setup process that appears to strengthen your security and protect your devices.
If you follow those steps, you may end up installing what looks like a harmless security tool. In reality, security researchers say the page installs a malicious web app that can spy on your device. It can steal login verification codes, watch what you copy and paste, track your location and quietly send internet traffic through your browser.
The most troubling part is that nothing is technically hacked. Instead of exploiting a software flaw, attackers simply trick you into granting the permissions they need. Once that happens, your own browser can start working for them without you realizing it.
Sign up for my FREE CyberGuy Report. Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.
THE #1 GOOGLE SEARCH SCAM EVERYONE FALLS FOR
Security researchers at Malwarebytes, a cybersecurity company, recently discovered a phishing website that pretends to be part of Google's account protection system. The site uses the domain google-prism[.]com and presents what looks like a legitimate security page asking you to complete a short verification process. Visitors are told they should complete a four-step setup to improve their account protection. The page explains that these steps will help secure your Google account and protect your devices from threats. During the process, the site asks you to approve several permissions and install what it claims is a security tool.
The tool it installs is actually a Progressive Web App. This type of application runs through your browser but behaves like a regular app on your computer. It opens in its own window, can send notifications and can run tasks in the background. Once installed, the malicious web app can collect contacts, read information you copy to your clipboard, track GPS location data and attempt to capture one-time login codes sent to your phone. These codes are commonly used when you sign in to accounts that use two-factor authentication.
The fake security page may also offer an Android companion app described as a "critical security update." Researchers found that this app requests 33 permissions, including access to text messages, call logs, contacts, microphone recordings and accessibility features. Those permissions give attackers the ability to read messages, capture keystrokes, monitor notifications and maintain control over parts of the device. Even if the Android app is never installed, the web app alone can still collect sensitive information and quietly run activity through your browser.
The scam works because it looks like something you would normally trust. Many people expect security alerts from the services they use, especially when it comes to protecting email or cloud accounts. Attackers take advantage of that trust by presenting the fake page as a helpful security feature. When you approve the permissions and install the web app, you are essentially giving the attackers access to certain parts of your device. One of the main things they try to capture is one-time passwords. These are the short codes you receive when logging in to accounts that require two-factor authentication.
If attackers manage to capture those codes while also knowing your password, they may be able to break into your accounts. That could include your email, financial services, or cryptocurrency wallets, depending on which accounts you use. The malware also watches what you copy and paste. Many people copy cryptocurrency wallet addresses before sending digital currency, and those addresses can be valuable to criminals. The malicious app can collect that information and send it back to the attackers.
Another feature allows attackers to route internet requests through your browser. This means they can run online activity through your device so it appears to come from your home network. The app can also send notifications that look like security alerts or system warnings. When you click those notifications, the app opens again and gains another opportunity to capture information such as login codes or clipboard data.
After learning about the phishing campaign, we asked Google about the malicious site and whether users are protected.
A Google spokesperson told CyberGuy that several built-in security systems are designed to stop threats like this before they cause harm.
"We can confirm that Safe Browsing in Chrome warns any user who tries to visit this site. Chrome also shows a confirmation dialog whenever anyone attempts to download an APK. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services."
Google also said that its current monitoring shows no apps containing this malware are available on the Google Play Store.
ANDROID MALWARE HIDDEN IN FAKE ANTIVIRUS APP
Even if malicious apps are installed from outside official stores, Google says Android devices still have an additional layer of protection. Google Play Protect can warn users or block apps known to exhibit malicious behavior, including apps installed from third-party sources.
However, it is important to note that Google Play Protect may not be enough. Historically, it isn't 100% foolproof at removing all known malware from Android devices, which is why we recommend additional strong antivirus software to detect malicious downloads, suspicious browser activity and phishing attempts before they cause serious damage. It acts as an early warning system that helps block dangerous apps and websites before they gain access to your device or your data.
Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com.
If you ever come across a suspicious "security check" like this, a few simple habits can help you avoid falling into the trap and protect your accounts and devices.
Google does not ask you to install security tools through pop-ups or unfamiliar websites. If a page claims your account needs a security check, close the tab and go directly to Google's official account page by typing the address yourself. Visiting the real account settings page prevents attackers from redirecting you to a fake site.
Phishing pages often use domains that look similar to real companies. Attackers rely on people clicking quickly without paying attention to the address bar. If the website address is not an official Google domain, do not trust it. Even a small change in the spelling can indicate a fake site designed to steal information.
If you installed an app through a website and it opens like a standalone program, check your browser's installed apps or extensions list. Remove anything you do not recognize or do not remember installing. Uninstalling the app immediately prevents it from collecting more information or running commands through your browser.
Researchers say the malicious Android app may appear as "Security Check" or "System Service." If you see unfamiliar apps with these names, review the permissions they request and remove them if they look suspicious. Apps asking for extensive permissions such as SMS access, accessibility features, and microphone control should always be investigated.
A password manager helps you create and store strong, unique passwords for every account you use online. If attackers obtain one password, they will not automatically gain access to other accounts. Password managers can also help prevent you from entering credentials on fake sites because they usually refuse to auto-fill on lookalike domains.
Check out the best expert-reviewed password managers of 2026 at Cyberguy.com
Two-factor authentication (2FA) adds an extra layer of protection beyond your password. Even though this attack tries to capture SMS verification codes, many services allow you to use authenticator apps instead. These apps generate login codes on your device and make it much harder for attackers to intercept them.
If you think you interacted with a suspicious security page, keep a close eye on your accounts over the following days. Watch for login alerts, password reset emails, or transactions you do not recognize. Acting quickly after suspicious activity can help prevent attackers from gaining full control of your accounts.
Scammers often gather personal details from data broker sites to make phishing messages look more convincing. A data removal service can help remove your personal information from many of those databases, reducing the amount of information criminals can use to impersonate companies or craft targeted scams.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com
Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.
Attackers are changing tactics. Instead of breaking into systems through technical flaws, they are relying on convincing security messages that persuade people to install tools themselves. All of us rely on familiar brands like Google when making security decisions, and attackers know that. Preventing these scams will likely require faster action against impersonation sites and stronger safeguards around what web apps are allowed to do once installed.
Should companies like Google be required to automatically block lookalike domains that pretend to run official security checks before people fall for them? Let us know by writing to us at Cyberguy.com
Sign up for my FREE CyberGuy Report. Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.
Copyright 2026 CyberGuy.com. All rights reserved.