A fake Google security page can turn your browser into a spy tool
NEWNow you can listen to News articles!
A new phishing scam is tricking people into installing malware by impersonating a Google security check. The page looks convincing and tells you that your Google account needs additional protection. It guides you through a simple setup process that appears to strengthen your security and protect your devices.
If you follow those steps, you may end up installing what seems like a harmless security tool. In reality, security researchers say that the page installs a malicious web application that can spy on your device. It can steal login verification codes, watch what you copy and paste, track your location, and silently send Internet traffic through your browser.
The most worrying part is that technically nothing has been hacked. Instead of exploiting a software flaw, attackers simply trick you into granting them the permissions they need. Once that happens, your own browser can start working for them without you even realizing it.
Sign up to receive my FREE CyberGuy report. Get my best tech tips, urgent security alerts, and exclusive offers delivered right to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.
HE NO. 1 GOOGLE SEARCH SCAM EVERYONE FALLS INTO
The fake site imitates a Google security page and prompts visitors to complete a quick “account protection” setup. (AP Photo/Don Ryan, File)
All about the fake Google security page
Security researchers at Malwarebytes, a cybersecurity company, recently discovered a phishing website purporting to be part of Google’s account protection system. The site uses the google-prism domain.[.]com and presents what looks like a legitimate security page that asks you to complete a short verification process.
Visitors are told they must complete a four-step setup to improve their account protection. The page explains that these steps will help you protect your Google account and devices from threats. During the process, the site asks you to approve various permissions and install what it claims is a security tool.
The tool you install is actually a progressive web application. This type of application runs through your browser but behaves like a normal application on your computer. It opens in its own window, can send notifications and run tasks in the background.
Once installed, the malicious web application can collect contacts, read information that you copy to your clipboard, track GPS location data, and attempt to capture unique login codes sent to your phone. These codes are commonly used when you sign in to accounts that use two-factor authentication.
The fake security page may also offer an Android companion app described as a “critical security update.” Researchers discovered that this app requests 33 permissions, including access to text messages, call logs, contacts, microphone recordings, and accessibility features.
Those permissions give attackers the ability to read messages, capture keystrokes, monitor notifications, and maintain control over parts of the device. Even if the Android app is never installed, the web app alone can collect sensitive information and silently run the activity through your browser.
How it works and why it is important to you
The scam works because it looks like something you would normally trust. Many people expect security alerts from the services they use, especially when it comes to protecting email or cloud accounts. Attackers take advantage of that trust by presenting the fake page as a useful security feature. When you approve permissions and install the web app, you’re essentially giving attackers access to certain parts of your device. One of the main things they try to capture is one-time passwords. These are the short codes you receive when signing in to accounts that require two-factor authentication.
If attackers manage to capture those codes and at the same time know your password, they may be able to access your accounts. That could include your email, financial services, or cryptocurrency wallets, depending on which accounts you use. Malware also watches what you copy and paste. Many people copy cryptocurrency wallet addresses before sending digital currency, and those addresses can be valuable to criminals. The malicious application can collect that information and send it to attackers.
Another feature allows attackers to route Internet requests through your browser. This means they can run online activity through your device so that it appears to be coming from your home network. The app may also send notifications that look like security alerts or system warnings. When you click on those notifications, the app opens again and you have another chance to capture information like login codes or clipboard data.
Google says built-in protections can block threat
After learning about the phishing campaign, we asked Google about the malicious site and if users are protected.
A Google spokesperson told CyberGuy that several built-in security systems are designed to stop threats like this before they cause harm.
“We can confirm that Safe Browsing in Chrome warns any user who tries to visit this site. Chrome also displays a confirmation dialog whenever someone tries to download an APK. Android users are automatically protected against known versions of this malware using Google Play Protect, which is enabled by default on Android devices with Google Play Services.”
Google also said that its current monitoring shows that there are no apps containing this malware available on the Google Play Store.
MALWARE FOR ANDROID HIDDEN IN A FAKE ANTI-VIRUS APP
Even if malicious apps are installed from outside official stores, Google says Android devices still have an extra layer of protection. Google Play Protect can warn users or block apps that are known to exhibit malicious behavior, including apps installed from third-party sources.
However, it is important to note that Google Play Protect may not be enough. Historically, it is not 100% foolproof in removing all known malware from Android devices, so we recommend additional powerful antivirus software to detect malicious downloads, suspicious browser activity, and phishing attempts before they cause serious damage. It acts as an early warning system that helps block dangerous apps and websites before they access your device or data.
During the process, users are asked to approve permissions and install what appears to be a security tool. (iStock)
Get my picks for the best antivirus protection winners of 2026 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
7 ways to protect yourself from fake security pages
If you ever encounter a suspicious “security check” like this, a few simple habits can help you avoid falling into the trap and protect your accounts and devices.
1) Never perform security checks from random websites
Google does not ask you to install security tools through pop-ups or unknown websites. If a page claims that your account needs a security check, close the tab and go directly to the official Google account page by typing the address yourself. Visiting the real account setup page prevents attackers from redirecting you to a fake site.
2) Check website addresses carefully before trusting them.
Phishing pages often use domains that look like real companies. Attackers rely on people clicking quickly without paying attention to the address bar. If the website address is not an official Google domain, do not trust it. Even a small change in spelling can indicate that it is a fake site designed to steal information.
3) Remove suspicious web applications from your browser
If you installed an app through a website and it opens as a standalone program, check your browser’s list of installed extensions or apps. Delete anything you don’t recognize or remember installing. Uninstalling the app immediately prevents it from collecting more information or executing commands through your browser.
4) Check your Android phone for unknown apps
Researchers say the malicious Android app may appear as “Security Check” or “System Service.” If you see unknown apps with these names, review the permissions they request and remove them if they look suspicious. Apps that ask for extensive permissions, such as SMS access, accessibility features, and microphone control, should always be investigated.
5) Use a password manager for your accounts
A password manager helps you create and store strong, unique passwords for every account you use online. If attackers obtain a password, they will not automatically gain access to other accounts. Password managers can also help prevent you from entering credentials on fake sites because they typically refuse to auto-complete similar domains.
Check out the best expert-reviewed password managers of 2026 at Cyberguy.com
6) Enable two-factor authentication whenever possible
Two-factor authentication (2FA) adds an extra layer of protection beyond your password. Although this attack attempts to capture SMS verification codes, many services allow you to use authenticator applications. These apps generate login codes on your device and make it much more difficult for attackers to intercept them.
7) Monitor your accounts for unusual activity
If you think you’ve interacted with a suspicious security page, keep a close eye on your accounts over the next few days. Be on the lookout for login alerts, password reset emails, or transactions you don’t recognize. Acting quickly after suspicious activity can help prevent attackers from gaining full control of your accounts.
Pro Tip: Reduce How Easily Scammers Can Target You
Scammers often collect personal data from data broker sites to make phishing messages appear more convincing. A data removal service can help remove your personal information from many of those databases, reducing the amount of information that criminals can use to impersonate companies or craft targeted scams.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com
Get a free scan to find out if your personal information is already available on the web: Cybe rguy.com.
Researchers say the malicious web application could collect login codes, clipboard data, and other sensitive information. (Felix Zahn/Photothek via Getty Images)
Kurt’s Key Takeaway
The attackers are changing tactics. Instead of breaking into systems through technical flaws, they rely on compelling security messages that persuade people to install tools themselves. We all trust well-known brands like Google when making security decisions, and attackers know it. Preventing these scams will likely require quicker action against phishing sites and stricter safeguards on what web applications can do once installed.
Should companies like Google be required to automatically block similar domains that claim to perform official security checks before people fall for them? Let us know by writing to us at Cyberguy.com
CLICK HERE TO DOWNLOAD THE News APP
Sign up to receive my FREE CyberGuy report. Get my best tech tips, urgent security alerts, and exclusive offers delivered right to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.
Copyright 2026 CyberGuy.com. All rights reserved.
Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and gadgets that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.