Researchers Expose PWA JavaScript Attack That Redirects Users to Adult Scam Apps


Cybersecurity researchers have discovered a new campaign that employs malicious JavaScript injections to redirect site visitors on mobile devices to a Chinese adult-content Progressive Web App (PWA) scam.

“While the payload itself is nothing new (yet another adult gambling scam), the delivery method stands out,” c/side researcher Himanshu Anand said in a Tuesday analysis.

“The malicious landing page is a full-blown Progressive Web App (PWA), likely aiming to retain users longer and bypass basic browser protections.”

The campaign is designed to explicitly filter out desktop users, primarily focusing on mobile users. The activity has been described as a client-side attack that uses third-party JavaScript and only triggers on mobile devices.


The use of PWAs, a type of application built using web technologies that provide a user experience similar to that of a native app built for a specific platform like Windows, Linux, macOS, Android, or iOS, is seen as an attempt to sidestep security protections.


The attacks involve injecting websites with JavaScript code that acts as a loader to trigger the redirection when the site is visited from devices running on Android, iOS, and iPadOS, among others.

The redirections are designed to lead the users to adult content websites or other intermediary redirect pages advertising apps for viewing adult content. The pages subsequently take the victims to a fake app store listing for the supposed Android and iOS apps in question.

“The use of PWAs suggests attackers are experimenting with more persistent phishing methods,” Anand said. “The mobile-only focus allows them to evade many detection mechanisms.”

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.