Cybersecurity experts have uncovered a new scam targeting Gmail users that disguises itself as a Google account security tool designed to protect email accounts.
Researchers at Malwarebytes Labs discovered a malicious website that closely mimics Google's official account security check and guides victims through a four-step process that appears legitimate.
Instead of protecting accounts, the fake tool quietly collects sensitive information that attackers can later use to break into Gmail and other Google services.
Hackers are attempting to direct victims to the fraudulent page through phishing emails, text messages, and malicious pop-ups claiming a user's Google account requires immediate security verification.
Once on the site, victims are prompted to install what appears to be a security tool, which can give cybercriminals access to the device's contacts, real-time GPS location, and clipboard data.
'When installed as a PWA (Progressive Web App), the browser address bar disappears,' Malwarebytes researchers explained in a blog post. 'The victim sees what looks and feels like a native Google app.'
Security analysts warn that the malicious tool can also intercept one-time verification codes used for two-factor authentication, which are often required to log into Gmail accounts.
In some cases, the attack may also install additional software capable of recording keystrokes, potentially capturing usernames, passwords, and other sensitive information typed on the device.
'Once connected, the attacker can route arbitrary web requests through the victim's browser as if they were browsing from the victim's own network,' Malwarebytes researchers said.
They also noted that Google does not conduct security checkups through unsolicited pop-up pages.
'If you receive an unexpected "security alert" asking you to install software, enable notifications, or share contacts, close the page,' the team shared.
'Legitimate account security tools are accessed directly through your Google Account at myaccount.google.com.'
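The advice to reach account security tools only through myaccount.google.com can be turned into a mechanical link check before a "security alert" link is followed. The code below is an added example written for this page, not code from Malwarebytes or from the article; the sample links are constructed to show the lookalike tricks a lure might use (wrong scheme, real host as a subdomain prefix, real host in the userinfo part, homoglyph characters).

```javascript
// Added example: classify a link that claims to be Google's account security
// check. Only the exact origin named in the article, https://myaccount.google.com,
// is accepted; everything else is treated as a lure.
const GENUINE_ACCOUNT_HOST = 'myaccount.google.com';

// Returns { genuine: boolean, reason: string } for a candidate URL string.
// The WHATWG URL parser (global in Node and browsers) lower-cases the host and
// converts internationalised labels to punycode before we compare anything.
function classifyAccountLink(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return { genuine: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') {
    return { genuine: false, reason: `scheme is ${url.protocol}, not https:` };
  }
  // "https://myaccount.google.com@evil.example/" puts the real host name at the
  // start of the link text while the browser actually connects to evil.example.
  if (url.username || url.password) {
    return { genuine: false, reason: 'userinfo present in URL' };
  }
  const host = url.hostname;
  // Any punycode label means non-ASCII characters were used (e.g. Cyrillic
  // letters standing in for Latin ones); the real host is plain ASCII.
  if (host.startsWith('xn--') || host.includes('.xn--')) {
    return { genuine: false, reason: 'internationalised (punycode) hostname' };
  }
  // Exact match only: a suffix or substring test would let
  // "myaccount.google.com.verify-login.example" or "myaccount-google.com" pass.
  if (host !== GENUINE_ACCOUNT_HOST) {
    return { genuine: false, reason: `host ${host} is not ${GENUINE_ACCOUNT_HOST}` };
  }
  return { genuine: true, reason: 'exact Google Account origin' };
}

// Constructed sample links of the kind a lure email, SMS or pop-up might carry.
const SAMPLE_LINKS = [
  'https://myaccount.google.com/security-checkup',
  'https://MyAccount.Google.com/',                              // same origin, mixed case
  'http://myaccount.google.com/security-checkup',               // plain HTTP
  'https://myaccount.google.com.account-verify.example/step1',  // real host as prefix
  'https://myaccount.google.com@account-verify.example/step1',  // real host in userinfo
  'https://myaccount.gооgle.com/',                               // Cyrillic "о" homoglyphs
];

function classifyAll(links = SAMPLE_LINKS) {
  return links.map((link) => ({ link, ...classifyAccountLink(link) }));
}

for (const r of classifyAll()) {
  console.log(`${r.genuine ? 'GENUINE' : 'LURE   '} ${r.link} (${r.reason})`);
}
```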
The team at Malwarebytes Labs said the fake site walks users through four steps that appear to improve their account security but are actually designed to give attackers access to sensitive information.
First, victims are prompted to 'install' what looks like Google's security tool, which is added to their device as a progressive web app that behaves like a legitimate application.
Next, the site asks users to enable notifications, claiming this will allow them to receive important security alerts.
These permissions allow attackers to maintain a direct communication channel with the victim's device, even when the fake app is not open.
The third step asks users to share contacts from their phone, presenting the action as a way to 'protect' them.
After victims select contacts, the page displays a confirmation message suggesting the contacts are secured, but researchers found the information is actually sent directly to a server controlled by the attackers.
Finally, the site requests access to the user's GPS location, claiming it is needed to verify the account from a trusted location.
However, the request can collect detailed location data, including latitude, longitude, altitude, direction and movement speed, which is then transmitted to the attackers.
According to security analysts, the fake tool can also intercept one-time verification codes used for two-factor authentication, which are often required to log in to Gmail and other Google services.