- Cybercriminals are increasingly exploiting mobile browsers
- Compromised WordPress sites lead to the installation of malicious PWAs
- Both site owners and users can mitigate the threat
There is a growing trend in client-side attacks, as cybercriminals are increasingly exploiting mobile browsers to bypass traditional security controls.
This is according to the latest “Client-Side Attack Report Q2 2025”, published by security researchers c/side. A “client-side” attack is a type of security breach that occurs on the user’s device (typically on their browser or mobile app), rather than on the server.
Based on extensive research of the market (compromised domains, autonomous crawling, AI-driven script analysis, and behavioral review of third-party JavaScript dependencies), the report says cybercriminals are injecting malicious code into service workers and the Progressive Web App (PWA) logic of popular WordPress themes.
Weaker sandboxing
Once a mobile user visits an infected site, the browser viewport is hijacked using a full-screen iframe. The victim is then lured into installing a fake PWA, often disguised as an adult-themed APK or a crypto app, hosted on rotating subdomains.
Primarily, the apps are designed to persist on the device beyond the browser session and act as a long-term foothold. However, they can also steal login credentials (by spoofing login pages or browser prompts), intercept cryptocurrency wallet interactions, and drain assets by injecting malicious scripts. In some cases, the apps can hijack session tokens, as well.
The criminals use several techniques to evade detection, including fingerprinting and cloaking that prevent the payload from being triggered in sandboxed environments or by automated scanners.
The mobile platform is being increasingly targeted because web browsers have weaker sandboxing and limited runtime visibility, which makes them more susceptible to attacks. At the same time, c/side says users are more likely to trust full-screen prompts or install suggested apps without suspecting anything.
To mitigate the risk, there are things both developers and end-users can do, c/side says. Devs and site operators should monitor and secure third-party scripts, since these are a common delivery mechanism for malicious payloads. C/side also advocates for real-time visibility into what scripts are executing in the browser, rather than relying solely on server-side protections.
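As an added illustration (not code from c/side or the report), a site operator could audit rendered page HTML for the delivery indicators described above: third-party scripts, service worker registrations, and full-screen iframes. The function name, the policy fields, and every origin and path in the sample are constructed assumptions, and this static check complements rather than replaces visibility into what executes in the browser.

```javascript
// Added example: audit rendered page HTML against an operator-maintained
// policy. All origins, paths and the sample HTML below are constructed.
const attr = (tag, name) => {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1] : null;
};

function auditPage(html, policy) {
  const trusted = new Set([policy.origin, ...policy.scriptOrigins]);
  const parse = (u) => { try { return new URL(u, policy.origin); } catch { return null; } };
  const findings = [];

  // 1. External scripts: unknown origin, or known origin without an SRI hash.
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const src = attr(tag, "src");
    if (!src || parse(src)?.origin === policy.origin) continue;
    if (!trusted.has(parse(src)?.origin)) findings.push({ type: "unlisted-script-origin", url: src });
    else if (!attr(tag, "integrity")) findings.push({ type: "script-without-sri", url: src });
  }

  // 2. Service worker registrations the operator does not expect.
  for (const m of html.matchAll(/serviceWorker\s*\.\s*register\(\s*["']([^"']+)["']/g)) {
    const path = parse(m[1])?.pathname;
    if (!policy.serviceWorkers.includes(path)) findings.push({ type: "unexpected-service-worker", url: m[1] });
  }

  // 3. Iframes styled to cover the viewport and loaded from an untrusted origin.
  for (const tag of html.match(/<iframe\b[^>]*>/gi) || []) {
    const style = (attr(tag, "style") || "").replace(/\s+/g, "").toLowerCase();
    const covers = style.includes("position:fixed") &&
      /width:100(%|vw)/.test(style) && /height:100(%|vh)/.test(style);
    const src = attr(tag, "src");
    if (covers && src && !trusted.has(parse(src)?.origin)) findings.push({ type: "fullscreen-untrusted-iframe", url: src });
  }
  return findings;
}

// Constructed policy and page for demonstration only.
const SAMPLE_POLICY = { origin: "https://shop.example", scriptOrigins: ["https://cdn.example"], serviceWorkers: ["/sw.js"] };
const SAMPLE_HTML = `
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example/widget.js"></script>
<script src="https://a1.rotating.example/p.js"></script>
<script>navigator.serviceWorker.register('/wp-content/themes/demo/pwa-sw.js');</script>
<iframe src="https://a1.rotating.example/install" style="position: fixed; top:0; left:0; width: 100vw; height: 100vh"></iframe>`;
console.log(auditPage(SAMPLE_HTML, SAMPLE_POLICY));
```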
Users, on the other hand, should be careful when installing Progressive Web Apps from unfamiliar sources, and should be skeptical of unexpected login flows, particularly those that seem to come from Google.