A sophisticated malware campaign has emerged targeting mobile device users through Progressive Web Applications (PWAs), representing an alarming shift in attack methodology.
Security researchers have identified a coordinated effort originating from China that exploits third-party JavaScript injections to redirect unsuspecting mobile users to malicious sites disguised as adult content platforms.
The campaign specifically filters for mobile devices, ignoring desktop traffic to reduce detection rates while maximizing impact on vulnerable smartphone and tablet users who typically have fewer security protections in place.
The attack chain begins when users visit compromised websites, primarily Chinese-language novel reading platforms with injected malicious code.
This code creates an invisible overlay that hijacks user clicks, redirecting them to PWA-based scam sites that mimic popular adult content platforms.
What makes this attack particularly concerning is its use of the PWA format, which allows the malicious site to appear more legitimate while potentially requesting additional permissions from the user’s browser.
Cside.dev researchers identified this campaign on May 20th, 2025, noting its sophisticated use of obfuscation techniques to evade traditional detection methods.
“This represents an evolution in mobile-targeted attacks,” explained a senior security analyst at Cside.dev.
“By leveraging PWAs instead of traditional websites, attackers gain persistence advantages while making their malicious activities harder to detect through conventional security tools.”
The compromised websites contain encrypted JavaScript code that dynamically injects malicious elements only when certain conditions are met.
This selective targeting helps the campaign remain undetected for longer periods while focusing exclusively on vulnerable mobile users.
Injection flow
The campaign has already affected numerous websites, particularly those catering to Chinese-language novel readers.
The infection mechanism employs a multi-stage approach to compromise mobile devices. When a mobile user visits an infected site, the attack first verifies, through user-agent detection, that the visitor is using a mobile device, as shown in this code snippet:
    (function () {
        let flag = /Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent);
        if (!flag) { return false; }
        // Attack continues only for mobile devices
        // ...
    })()
After confirming the target is using a mobile device, the malicious code injects a viewport meta tag if one doesn’t exist, ensuring the attack renders properly on mobile screens.
It then creates a full-screen semi-transparent overlay with deceptive elements including a fake close button.
Both the main image and close button are rigged to redirect users to malicious domains when clicked.
The script employs encryption to hide its true purpose, with deobfuscated code revealing connections to domains like xxsmad6[.]com for loading resources and xjdm166[.]com as the final landing page.
These domains host fake versions of popular adult websites that prompt users to download malicious Android or iOS applications.
What distinguishes this campaign is its exploitation of PWA capabilities to create a more persistent and believable user experience.
Unlike traditional phishing sites, the PWA format allows the malicious application to remain in the user’s browser storage, potentially enabling longer-term access to the victim’s device through cached components and background execution capabilities that standard web pages lack.
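For site owners who embed third-party scripts, the overlay behaviour described above can be watched for at runtime, which still works when the injected code is obfuscated. The following is an added example, not code from the article or from Cside.dev: a heuristic that flags newly injected elements covering nearly the whole viewport, stacked above the page, and referencing off-origin links or images. The function names, the thresholds and the sample origins in the usage are assumptions.

```javascript
// Added example (not from the original article). Thresholds are assumptions.
const COVER_RATIO = 0.9;   // assumed: overlay covers >= 90% of the viewport
const MIN_Z_INDEX = 1000;  // assumed: stacked above normal page content

// Pure check: takes plain values so it can be tested without a DOM.
function isSuspiciousOverlay(el, viewport, pageOrigin) {
  const pinned = el.position === 'fixed' || el.position === 'absolute';
  const covers =
    el.width * el.height >= COVER_RATIO * viewport.width * viewport.height;
  const onTop = Number(el.zIndex) >= MIN_Z_INDEX; // 'auto' becomes NaN: false
  // Any link or image URL inside the overlay that leaves the page's origin.
  const offOrigin = el.urls.some((u) => {
    try { return new URL(u, pageOrigin).origin !== pageOrigin; }
    catch { return true; } // unparsable target: treat as suspicious
  });
  return pinned && covers && onTop && offOrigin;
}

// Browser wiring: describe a live element in the shape the check expects.
function describeElement(node) {
  const cs = getComputedStyle(node);
  const r = node.getBoundingClientRect();
  const urls = [...node.querySelectorAll('a[href], img[src]')]
    .map((n) => n.href || n.src);
  return { position: cs.position, zIndex: cs.zIndex,
           width: r.width, height: r.height, urls };
}

// Watch for elements injected after load (skipped outside a browser).
if (typeof MutationObserver !== 'undefined') {
  new MutationObserver((records) => {
    for (const rec of records) for (const node of rec.addedNodes) {
      if (node.nodeType !== 1) continue; // elements only
      const vp = { width: innerWidth, height: innerHeight };
      if (isSuspiciousOverlay(describeElement(node), vp, location.origin)) {
        console.warn('Injected full-screen overlay with off-origin content', node);
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

Legitimate modals and consent banners can match the same shape, so a hit is a prompt to review which script injected the element rather than proof of compromise.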