A new injection campaign has been identified that exploits third-party JavaScript to redirect mobile users to a Chinese adult-content Progressive Web App (PWA) scam. The attack specifically targets mobile devices, injecting a viewport meta tag and an ad overlay with click-hijacking functionality. The scam uses PWAs to increase user retention and bypass basic browser protections. The compromised websites are disguised as novel-reading platforms, and the malicious code is now encrypted. The attack flow begins with an initial loader script, which triggers the redirect on mobile devices and ignores desktop visits. The payload script then ensures mobile rendering, creates an overlay with deceptive elements, and opens the scam site in a new tab upon interaction.

Author: AlienVault
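
An added triage example (not from the original report or its author): a static heuristic that flags script text combining the behaviours described above, namely mobile-only gating, viewport meta injection, a fixed overlay and a new-tab open on interaction. The trait names, regexes and sample scripts are constructed assumptions; because the report says the code is now encrypted, decode-and-execute wrappers are routed to manual deobfuscation instead of being cleared.

```javascript
// Added example: static triage of third-party script text.
// Trait names and regexes are assumptions modelled on the behaviours in the report.
const TRAITS = {
  mobileGate: /(Android|iPhone|iPad|Mobile)[\s\S]{0,200}?navigator\.userAgent|navigator\.userAgent[\s\S]{0,200}?(Android|iPhone|iPad|Mobile)/i,
  viewportInject: /createElement\(\s*['"]meta['"]\s*\)[\s\S]{0,300}?viewport/i,
  overlay: /position\s*:\s*fixed[\s\S]{0,300}?z-index\s*:\s*\d{4,}/i,
  newTabOnClick: /(onclick|addEventListener\(\s*['"](click|touchstart|touchend)['"])[\s\S]{0,300}?window\.open\(/i,
  // Encrypted or packed loaders hide the traits above, so flag the wrapper itself.
  decodeAndRun: /\b(eval|Function)\s*\([\s\S]{0,200}?\b(atob|fromCharCode|unescape)\s*\(/,
};

// Returns the matched trait names and a coarse verdict for an analyst queue.
function scanScript(src) {
  const hits = Object.keys(TRAITS).filter((name) => TRAITS[name].test(src));
  const has = (trait) => hits.includes(trait);
  let verdict = 'clean';
  if (has('mobileGate') && has('newTabOnClick') &&
      (has('viewportInject') || has('overlay'))) {
    verdict = 'suspicious';           // full behaviour chain visible in clear text
  } else if (has('decodeAndRun')) {
    verdict = 'needs-deobfuscation';  // cannot judge until the payload is unpacked
  }
  return { hits, verdict };
}

// Constructed samples, not taken from the campaign. LANDING_PLACEHOLDER is a placeholder.
const SAMPLE_PLAIN = `
if (/Android|iPhone/i.test(navigator.userAgent)) {
  var m = document.createElement('meta'); m.name = 'viewport';
  var d = document.createElement('div');
  d.style.cssText = 'position:fixed;top:0;left:0;z-index:99999';
  d.onclick = function () { window.open(LANDING_PLACEHOLDER, '_blank'); };
}`;
const SAMPLE_PACKED = 'eval(atob("Y29uc3RydWN0ZWQ="));';
const SAMPLE_BENIGN =
  "document.getElementById('menu').addEventListener('click', function () { toggle(); });";

for (const [name, src] of Object.entries({ SAMPLE_PLAIN, SAMPLE_PACKED, SAMPLE_BENIGN })) {
  console.log(name, JSON.stringify(scanScript(src)));
}
```

A match is a lead for review, not proof: legitimate ad and consent scripts can share individual traits, which is why the verdict requires the combination.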
Related Tags:
pwa
T1606.002
T1608.004
scam
T1204.001
China
mobile
T1185
T1189
Associated Indicators:


