Hackers Target Mobile Users Using PWA JavaScript to Bypass Browser Security
A sophisticated new injection campaign has been uncovered, targeting mobile users through malicious third-party JavaScript to deliver a Chinese adult-content Progressive Web App (PWA) scam.
This attack, which redirects users to sites like hxxps://xjdm166[.]com, leverages the unique capabilities of PWAs to retain users longer and evade traditional browser security mechanisms.
Unlike typical phishing attempts, this campaign employs a full-blown PWA as its landing page, indicating a shift toward more persistent and deceptive delivery methods.

Security researchers note that PWAs, often overlooked in client-side security, are increasingly becoming a vector for such exploits due to their ability to operate with app-like functionality directly in browsers.
Mobile-Only PWA Scams on the Rise
The attack begins with the injection of malicious scripts into compromised websites, often disguised as novel reading platforms with titles like “Haitang Literature Network” and “Shenma Novel Network.”

These scripts, such as the loader hosted at hxxps://xxsmad6[.]com, are designed to filter out desktop users and exclusively target mobile devices.
Once a mobile user accesses an infected site, the script checks for a viewport meta tag; if absent, it injects one to optimize mobile rendering.
Following this, it overlays a dark semi-transparent ad with deceptive visuals fetched from toutiaoimg[.]com, alongside a fake close button.
Clicking either the image or the button triggers a redirect to the PWA scam site in a new tab, demonstrating a classic bait-and-switch tactic.
The use of external resources from domains like xxsmad6[.]com for assets and xjdm166[.]com for the final payload underscores the multi-layered nature of this campaign.
Additionally, the obfuscated code found in newer iterations of the attack, which decrypts into links to adult content zones on akav50[.]top, reveals an intent to further mask malicious activity.
Technical Breakdown
The campaign’s mobile-only focus allows it to bypass many detection mechanisms that rely on desktop-based analysis or server crawlers.
Security experts have observed significant traffic to these malicious domains, suggesting a widespread operation.
Furthermore, during analysis, glitches in the compromised web applications exposed hidden frames, leading to fake adult websites mimicking well-known platforms.
These sites ultimately push malware downloads for Android and iOS devices, with samples showing alarmingly low detection rates on platforms like VirusTotal: only 3 out of 63 or 65 vendors flagged the threats.
This low detection rate highlights the stealth and sophistication of the attack, as attackers continuously adapt their tactics to exploit gaps in current security frameworks.
To mitigate this threat, website owners are urged to rigorously review and sanitize third-party scripts, implement strict Content Security Policies (CSP) to curb inline script execution, and monitor runtime behavior for unexpected meta tags or external requests.
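As an added example (not code from the article or from the campaign itself), the following Node.js audit models the "monitor runtime behavior" advice above: it reports meta tags that exist only at runtime and resource requests to origins outside a site's allowlist, marking the article's own IoC domains. The allowlist, the served HTML and the observed request list are constructed inputs.

```javascript
// Added example: runtime audit for injected <meta> tags and unexpected
// third-party requests. Not the article's or the attackers' code.

// The article lists indicators defanged ("hxxps", "[.]"); refang only for matching.
const refang = (s) => s.replace(/\[\.\]/g, ".").replace(/^hxxp/i, "http");
const KNOWN_BAD = ["xxsmad6[.]com", "xjdm166[.]com", "toutiaoimg[.]com", "akav50[.]top"].map(refang);

// Hypothetical allowlist: origins this site legitimately loads resources from.
const ALLOWED_HOSTS = ["example-novels.com", "cdn.example-novels.com"];

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}
const matchesList = (host, list) => list.some((d) => host === d || host.endsWith("." + d));

// Classify observed resource URLs (e.g. gathered from a PerformanceObserver or a
// proxy log): "alert" for known IoC hosts, "warn" for anything not allowlisted.
function auditResources(urls, allowed = ALLOWED_HOSTS, bad = KNOWN_BAD) {
  const findings = [];
  for (const raw of urls) {
    const host = hostOf(refang(raw));
    if (host === null) { findings.push({ url: raw, level: "warn", reason: "unparseable URL" }); continue; }
    if (matchesList(host, bad)) findings.push({ url: raw, level: "alert", reason: "known IoC host" });
    else if (!matchesList(host, allowed)) findings.push({ url: raw, level: "warn", reason: "origin not allowlisted" });
  }
  return findings;
}

// Names of <meta name="..."> tags present at runtime but absent from the HTML the
// server sent; a viewport tag that appears only at runtime matches the injection
// behavior described in the article.
function injectedMetaNames(servedHtml, runtimeMetaNames) {
  const served = new Set();
  for (const m of servedHtml.matchAll(/<meta\b[^>]*\bname\s*=\s*["']?([\w-]+)/gi)) served.add(m[1].toLowerCase());
  return runtimeMetaNames.map((n) => n.toLowerCase()).filter((n) => !served.has(n));
}

// Constructed sample: a page served without a viewport tag, the meta names seen in
// a mobile session afterwards, and the requests that session made.
const SERVED_HTML = '<html><head><meta charset="utf-8"><meta name="description" content="novels"></head></html>';
const RUNTIME_META = ["description", "viewport"];
const OBSERVED_URLS = [
  "https://cdn.example-novels.com/app.js",
  "hxxps://xxsmad6[.]com/loader.js",
  "hxxps://toutiaoimg[.]com/ad.jpg",
  "https://stats.example-tracker.net/px.gif",
];

console.log(injectedMetaNames(SERVED_HTML, RUNTIME_META), auditResources(OBSERVED_URLS));
```

Collecting the runtime meta names and request URLs from a real page is left to the site's own instrumentation; the functions only need those two lists and the served HTML.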
This campaign serves as a stark reminder of the evolving landscape of client-side attacks, where PWAs are becoming a potent tool for cybercriminals aiming to exploit mobile users with increasing impunity.
Indicators of Compromise (IOC)
| Type | Indicator | Description |
|---|---|---|
| Domain | xxsmad6[.]com | Main loader and asset host |
| Domain | xjdm166[.]com | Final PWA scam landing site |
| Domain | toutiaoimg[.]com | Image host for deceptive visuals |
| Domain | akav50[.]top | Hosts adult content redirect links |