A new wave of cyberattacks is targeting mobile users by exploiting Progressive Web App (PWA) technology, leveraging sophisticated JavaScript injections to bypass traditional browser security controls.
Security researchers have uncovered an ongoing injection campaign that uses third-party JavaScript to redirect unsuspecting visitors of compromised websites, primarily disguised as Chinese online novel reading platforms, to malicious adult-content PWA scams.
Attackers Employ Progressive Web Apps
The core innovation in this campaign is the use of full-fledged PWA landing pages, which are engineered to extend user engagement and circumvent standard browser security features such as popup blockers and content filters.
Unlike conventional phishing techniques that rely on static redirects or deceptive overlays, the attackers here deploy JavaScript payloads tailored specifically for mobile devices, ensuring that desktop users and automated crawlers are excluded from the attack flow.
Upon detecting a mobile device through user agent string analysis, the injected script first checks for the presence of a viewport meta tag, which is vital for correct rendering on mobile screens.
If absent, the script programmatically inserts the required tag to guarantee optimal display of the malicious overlay.
The attack then overlays a dark, semi-transparent element across the page, displaying an image fetched from a seemingly legitimate source (toutiaoimg[.]com) while disguising its true intent.
The user interface includes a close button, but this is a bait-and-switch mechanism: clicking either the overlay image or the close icon immediately triggers a redirect to a fraudulent adult gambling PWA hosted on domains such as xjdm166[.]com.
Traffic analysis indicates significant victim engagement with these domains, suggesting a widespread, ongoing campaign.
Third-Party JavaScript Injections
Asset loading and content delivery are distributed across multiple domains. The initial loader and associated assets are served from xxsmad6[.]com, while the final scam destination utilizes xjdm166[.]com.
The image resources masquerade as benign assets to further obfuscate the attack.
Notably, the injected code is now heavily obfuscated and encrypted, complicating detection and analysis by both traditional security tools and manual review.
Unlike prior variants, the current payloads use advanced string encryption and dynamic DOM manipulation.
Researchers have traced these attacks to compromised Chinese-language websites with titles promoting free, ad-free, or top-ranked novel content.
This includes sites like Haitang Literature Network and Shenma Novel Network, which have been surreptitiously injected with malicious JavaScript loaders.
The attack flow remains highly effective due to its mobile focus; by filtering out desktop traffic, it sidesteps many automated scanning mechanisms and reduces the likelihood of early detection.
Once the overlay is triggered, further technical inspection reveals that obfuscated JavaScript dynamically assembles HTML elements, injects malicious redirect handlers, and leverages randomization to evade static signature-based defenses.
According to the report, the PWA destination itself mimics well-known adult sites with the objective of luring users into downloading fake applications, which in observed cases have included Android and iOS malware samples.
These mobile malware samples have so far evaded detection by most antivirus solutions, with only a small fraction flagged on platforms like VirusTotal.
Mitigating such attacks requires a multifaceted approach. Website operators are urged to rigorously review all third-party scripts, particularly those from external or unfamiliar sources.
Implementing strict Content Security Policies (CSP) can help limit unauthorized script execution.
Runtime monitoring for anomalous changes such as unexpected overlays, new meta tags, or outbound requests to suspicious domains is critical for early detection.
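The runtime-monitoring idea above, as an added example that is not code from the report or the affected sites: a small in-page monitor that flags the three indicators the article names (an injected viewport meta tag, a full-page semi-transparent overlay, and resources loaded from hosts outside an assumed first-party allowlist). The allowlist, the `attacker.example` host and the sample records are constructed for illustration.

```javascript
// Added example: runtime monitor for the DOM indicators described above.
// Elements are reduced to plain {tag, attrs, style} records so the checks
// also run outside a browser; installMonitor() wires them to MutationObserver.

// Assumed first-party allowlist; adjust for the site being protected.
const ALLOWED_HOSTS = new Set(["example.com", "cdn.example.com"]);

function hostOf(url) {
  try { return new URL(url, "https://example.com/").hostname; } catch { return null; }
}

// Returns the indicator names that apply to one record.
function classifyNode(rec) {
  const findings = [];
  const tag = (rec.tag || "").toLowerCase();
  const attrs = rec.attrs || {}, style = rec.style || {};
  if (tag === "meta" && (attrs.name || "").toLowerCase() === "viewport") {
    findings.push("viewport-meta-injected");
  }
  const full = (v) => /^100(%|v[wh])$/.test(v || "");           // covers the viewport
  const alpha = /rgba\([^)]*,\s*([0-9.]+)\s*\)/.exec(style.backgroundColor || "");
  const translucent = alpha && +alpha[1] > 0 && +alpha[1] < 1;   // semi-transparent fill
  if (["fixed", "absolute"].includes(style.position) && full(style.width) && full(style.height) && translucent) {
    findings.push("fullpage-overlay");
  }
  for (const a of ["src", "href"]) {                             // off-allowlist resources
    const h = attrs[a] ? hostOf(attrs[a]) : null;
    if (h && !ALLOWED_HOSTS.has(h)) findings.push("external-resource:" + h);
  }
  return findings;
}

// Browser glue: inline styles are used because injected scripts set them directly.
function toRecord(el) {
  if (!el || el.nodeType !== 1) return null;
  const attrs = {};
  for (const a of el.attributes) attrs[a.name] = a.value;
  const { position, width, height, backgroundColor } = el.style;
  return { tag: el.tagName, attrs, style: { position, width, height, backgroundColor } };
}

function installMonitor(report = (...args) => console.warn(...args)) {
  if (typeof MutationObserver === "undefined") return null;    // not running in a browser
  const obs = new MutationObserver((muts) => {
    for (const m of muts) for (const n of m.addedNodes) {
      const f = classifyNode(toRecord(n) || {});
      if (f.length) report("suspicious DOM change:", f.join(", "), n);
    }
  });
  obs.observe(document.documentElement, { childList: true, subtree: true });
  return obs;
}

// Constructed sample records shaped like the campaign's injected elements.
const SAMPLE_NODES = [
  { tag: "META", attrs: { name: "viewport", content: "width=device-width" } },
  { tag: "DIV", style: { position: "fixed", width: "100%", height: "100vh", backgroundColor: "rgba(0, 0, 0, 0.6)" } },
  { tag: "IMG", attrs: { src: "https://img.attacker.example/banner.jpg" } },
  { tag: "IMG", attrs: { src: "/static/logo.png" } },
];
```

In a real deployment the report callback would forward findings to a logging endpoint rather than the console, and the allowlist would be generated from the site's known asset hosts.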
As the abuse of PWA technology for malicious purposes escalates, the security community must pay increased attention to this evolving threat vector, especially as attackers refine their techniques to evade both user and automated defenses.