Hackers Use PWAs to Target Mobile Users in China Scam

A newly uncovered malware campaign is targeting mobile users through Progressive Web Applications (PWAs), exploiting browser protections and JavaScript to evade detection. Discovered by researchers at Cside.dev, the attack originates from China and leverages compromised Chinese-language novel websites to inject malicious code that activates only on mobile devices.

The attack chain begins with users visiting infected sites, triggering a script that verifies the device type. Once confirmed as mobile, the malware displays an invisible overlay redirecting victims to malicious domains mimicking adult content platforms. These fake sites prompt users to install harmful Android or iOS apps under the guise of legitimate PWAs.

Researchers noted the campaign’s use of obfuscated and encrypted JavaScript, allowing dynamic payload delivery and extended persistence. The PWA format enables the malware to bypass traditional detection and gain access to browser storage, increasing its longevity on victims’ devices. The campaign underscores evolving threats targeting mobile platforms and browser-based security gaps.