Security Researchers Uncover PWA JavaScript Vulnerability Leading to Redirects to Malicious Adult Fraudulent Applications


Cybersecurity researchers have uncovered a new campaign that utilizes malicious JavaScript injections to redirect mobile device users to a fraudulent Chinese adult-content Progressive Web App (PWA) scam.

The payload involved in the attack, while not groundbreaking—as it represents yet another adult gambling scam—presents a notable delivery technique. According to c/side researcher Himanshu Anand, the malicious landing page operates as a fully functional Progressive Web App, designed to engage users for extended periods and circumvent basic browser security measures.

This campaign specifically targets mobile users and systematically filters out desktop users. The researchers characterize it as a client-side attack that relies on third-party JavaScript and activates only when the page is loaded from a mobile device.

The deployment of PWAs, which are applications built using web technologies that mimic the user experience of native applications across platforms such as Windows, Linux, macOS, Android, and iOS, indicates a strategic attempt to bypass established security protocols.

The attacks involve the injection of JavaScript code into legitimate websites, which acts as a loader to initiate the redirection when the site is accessed from devices operating on Android, iOS, or iPadOS, among others.
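The two traits described above, a script that reads the user agent and gates on mobile OS names, and a redirect sink that fires only in that branch, are exactly what a site owner or incident responder would look for when triaging a compromised page. The following is an added example, not code from the article or from c/side: a small static triage scanner that walks the `<script>` tags of a page, marks which ones are loaded from a third-party origin, and flags inline bodies that combine user-agent sniffing for mobile platforms with a navigation sink. The sample HTML, the hostnames, and the regex patterns are all constructed for illustration.

```javascript
// Added example (not from the original article or from c/side). Static triage
// of a page's scripts: flag third-party script origins and inline bodies that
// combine a mobile user-agent check with a redirect sink. Patterns are
// deliberately simple and are meant to surface candidates for manual review,
// not to be a complete detector.

// A script that reads client identity (UA string, platform, touch support)...
const UA_READ = /navigator\.userAgent|navigator\.platform|maxTouchPoints/;
// ...and mentions mobile OS names is treated as a "mobile gate".
const MOBILE_TOKEN = /\b(Android|iPhone|iPad|iPod|iPadOS)\b/;
// Navigation sinks commonly used by redirect loaders.
const REDIRECT_SINK = /(location\.(href|replace|assign)|window\.location|top\.location|document\.location)/;
// Crude script-tag extractor; fine for triage, not a full HTML parser.
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR = /\bsrc\s*=\s*["']([^"']+)["']/i;

// Classify a single script body.
function scanScript(code) {
  const mobileGate = UA_READ.test(code) && MOBILE_TOKEN.test(code);
  const redirectSink = REDIRECT_SINK.test(code);
  return {
    mobileGate,
    redirectSink,
    // Flag only the combination: UA sniffing and redirects are each common on their own.
    suspicious: mobileGate && redirectSink,
  };
}

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Walk every <script> on the page. External scripts are classified by origin;
// their bodies are not available here and must be fetched and scanned separately.
function scanPage(html, pageUrl) {
  const pageOrigin = originOf(pageUrl);
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = m[1];
    const body = m[2];
    const src = (attrs.match(SRC_ATTR) || [])[1] || null;
    const srcOrigin = src ? originOf(new URL(src, pageUrl).href) : null;
    const thirdParty = src ? srcOrigin !== pageOrigin : false;
    findings.push({ src, thirdParty, ...scanScript(body) });
  }
  return findings;
}

// Constructed sample page: one first-party script, one third-party loader,
// one inline mobile-gated redirect, and one benign inline script that reads the UA.
const PAGE_URL = "https://victim.example.test/index.html";
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.third-party.example.test/loader.js"></script>
<script>
  // constructed sample of the gating-loader pattern the article describes
  if (/Android|iPhone|iPad/i.test(navigator.userAgent)) {
    window.location.href = "https://landing.example.test/";
  }
</script>
<script>
  console.log(navigator.userAgent);
</script>
</head></html>`;

console.log(JSON.stringify(scanPage(SAMPLE_HTML, PAGE_URL), null, 2));
```

Run it with Node against a saved copy of the page. Anything reported as `thirdParty: true` deserves a look at who controls that origin and whether the site pins it with Subresource Integrity or a Content Security Policy; anything reported as `suspicious: true` is an inline body to read by hand.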

Once redirected, users may find themselves on adult content websites or intermediary pages advertising applications for adult content viewing. Ultimately, these pages lead to counterfeit app store listings for the fictitious Android and iOS applications.

Anand notes that the adoption of PWAs could suggest that attackers are experimenting with more persistent phishing tactics. The exclusive focus on mobile platforms enables them to evade numerous detection mechanisms that would otherwise protect users on desktop systems.