Mobile-Only PWA Scam Uses Malicious JavaScript to Lure Victims to Fake Adult Content Apps
Cybersecurity researchers have identified a new malicious campaign that uses JavaScript injections to reroute mobile device users to a fraudulent Chinese adult-content Progressive Web App (PWA).

Although the payload is a familiar adult gambling scam, the attack vector is notably distinct, according to c/side researcher Himanshu Anand, who analyzed the campaign.
The threat actors deploy a client-side attack that relies on third-party JavaScript which activates only when the page is loaded on a mobile device, leaving desktop users untouched. This selective targeting helps the attackers evade many traditional detection systems, which commonly crawl sites from desktop environments.
The core tactic involves injecting web pages with malicious JavaScript code that identifies the user's platform (Android, iOS, or iPadOS) and redirects them to adult content sites or intermediary pages that falsely promote mobile apps for viewing such material.
The redirection leads to a fraudulent app store page, which mimics legitimate listings for Android and iOS, tricking victims into downloading bogus apps.
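The mobile-only pattern described above (a platform sniff followed by a navigation to a foreign origin) can be flagged with a simple static heuristic. The scanner below is an added illustration, not code from c/side or the article; the sample scripts and the page origin are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Heuristic signals for the pattern in the article: read a platform fingerprint,
# mention a mobile OS, then steer the browser somewhere else.
UA_SOURCE = re.compile(r"navigator\.(userAgent|platform|maxTouchPoints|userAgentData)")
MOBILE_TOKEN = re.compile(r"\b(Android|iPhone|iPad|iPod|iPadOS|Mobile)\b")
NAV_SINK = re.compile(
    r"\b(?:window\.|document\.|top\.)?location"
    r"(?:\.href\s*=(?!=)|\.replace\s*\(|\.assign\s*\(|\s*=(?!=))"
)
URL = re.compile(r"https?://[^\s'\"`)]+")


@dataclass
class ScanResult:
    sniff: bool                     # script reads platform/UA and names a mobile OS
    redirect: bool                  # script writes to location
    external_targets: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Only the combination is interesting; responsive-design checks and
        # same-origin redirects each trigger a single signal and stay quiet.
        return self.sniff and self.redirect and bool(self.external_targets)


def scan_script(src: str, page_origin: str) -> ScanResult:
    """Return the signals found in one script body served to page_origin."""
    sniff = bool(UA_SOURCE.search(src)) and bool(MOBILE_TOKEN.search(src))
    redirect = bool(NAV_SINK.search(src))
    targets = []
    for url in URL.findall(src):
        origin = re.match(r"https?://[^/]+", url).group(0).lower()
        if origin != page_origin.lower() and origin not in targets:
            targets.append(origin)
    return ScanResult(sniff, redirect, targets)


# Constructed samples (hypothetical origins, not real indicators).
INJECTED = """(function(){var ua=navigator.userAgent;
if(/Android|iPhone|iPad/i.test(ua)){window.location.href="https://store.example.invalid/apps/";}})();"""
RESPONSIVE = """var isMobile=/Android|iPhone/i.test(navigator.userAgent);
document.body.classList.toggle("mobile",isMobile);"""
LOGIN_GATE = """if(!document.cookie.includes("session")){location.href="https://shop.example/login";}"""

if __name__ == "__main__":
    for name, src in [("injected", INJECTED), ("responsive", RESPONSIVE), ("login", LOGIN_GATE)]:
        r = scan_script(src, "https://shop.example")
        print(f"{name:10s} suspicious={r.suspicious} targets={r.external_targets}")
```

Running it against a site's third-party scripts with a mobile user agent set in the crawler is the point: the same script fetched from a desktop crawler may never execute the branch, but its source still carries the pattern.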
The scam leverages Progressive Web App (PWA) technology, which is commonly used to create web apps with the look and feel of native mobile applications. In this case, attackers use it to retain users for longer periods and bypass basic browser security measures.
Anand pointed out that the use of PWAs in phishing attacks is an emerging trend, as it increases persistence and evades conventional detection tools, especially when the campaign targets mobile traffic only.
This campaign underscores the growing sophistication of mobile-specific scams and the abuse of modern web technologies like PWAs for phishing and user deception.