A new and advanced malware campaign is targeting mobile users through Progressive Web Applications (PWAs), marking a dangerous change in the way hackers operate.
Security experts have traced the source of the attacks to China. The attackers use third-party JavaScript injections to redirect mobile users to fake adult websites. These fake sites are designed to trick users and are only shown to people using mobile devices. Desktop users are ignored to avoid drawing attention.
How the Attack Works
The attack starts when users visit hacked websites. Most of these are Chinese-language platforms for reading novels. Hidden malicious code on these sites creates an invisible layer on the screen. When users click anywhere, they are sent to fake PWA sites that look like adult websites.
PWAs help the fake sites appear more real and can also request special permissions from the user’s browser. This makes the attack harder to detect and more dangerous.
The cyber security group Cside.dev discovered the campaign on May 20, 2025. They noted that the attackers use advanced methods to hide their actions, making it difficult for normal security tools to find the malware.
Targeting Only Mobile Devices
The malware checks whether a visitor is using a mobile device. If not, the attack stops immediately. This helps the hackers stay hidden and focus only on users who are less protected.
(function () {
    let flag = /Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent);
    if (!flag) {
        return false;
    }
    // Attack continues only for mobile devices
})();
If the script finds a mobile user, it adds a viewport tag to ensure the site displays correctly. It then adds a full-screen, semi-transparent overlay with fake buttons. Clicking these buttons sends users to harmful websites.
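One way a site owner could watch their own pages at runtime for the two injected elements described above (a viewport tag and a full-screen tap-capturing layer). This is an added example, not code from the campaign or from Cside.dev; the function names and the 90% coverage threshold are assumptions.

```javascript
// Added example: thresholds and names are assumptions, not campaign values.
const COVERAGE_THRESHOLD = 0.9; // share of the viewport a layer must cover

// Pure check on plain data so it can be unit-tested outside a browser.
function looksLikeClickOverlay(rect, style, viewport) {
  if (style.position !== 'fixed' && style.position !== 'absolute') return false;
  if (style.display === 'none' || style.visibility === 'hidden') return false;
  if (style.pointerEvents === 'none') return false; // cannot intercept taps
  // Area of the element that actually falls inside the viewport.
  const w = Math.max(0, Math.min(rect.right, viewport.width) - Math.max(rect.left, 0));
  const h = Math.max(0, Math.min(rect.bottom, viewport.height) - Math.max(rect.top, 0));
  return (w * h) / (viewport.width * viewport.height) >= COVERAGE_THRESHOLD;
}

// Classify one node added after load: viewport tag, overlay, or nothing.
function classifyAddedNode(node, viewport) {
  if (node.tagName === 'META' && node.name === 'viewport') return 'viewport-meta';
  if (looksLikeClickOverlay(node.rect, node.style, viewport)) return 'overlay';
  return null;
}

// Browser wiring: report suspicious elements that scripts add to the page.
function watchForInjections(report) {
  if (typeof MutationObserver === 'undefined') return null; // not in a browser
  const observer = new MutationObserver((mutations) => {
    const viewport = { width: window.innerWidth, height: window.innerHeight };
    for (const m of mutations) for (const el of m.addedNodes) {
      if (el.nodeType !== 1) continue; // elements only
      const node = { tagName: el.tagName, name: el.getAttribute('name'),
        rect: el.getBoundingClientRect(), style: getComputedStyle(el) };
      const kind = classifyAddedNode(node, viewport);
      if (kind) report({ kind, tag: el.tagName, id: el.id });
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```

Legitimate modals and consent banners also match, so a report is a prompt to check which script added the element, not a verdict. Elements styled only after insertion need attribute mutations observed as well.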
Fake Sites and Malicious Downloads
The script uses encryption to hide its real purpose. When decoded, the code shows connections to domains like xxsmad6[.]com and xjdm166[.]com. These sites host fake adult platforms that trick users into downloading harmful apps for Android and iOS.
What makes this attack especially dangerous is the use of PWA technology. Unlike regular phishing websites, PWAs can stay active in the browser’s storage. This gives the attacker longer access to the user’s device through cached files and background tasks.