Updated March 1, as hackers take aim at Google’s security check feature, this warning to check your Gmail account has never been more important — but now you need to ensure that you are doing so safely. Here’s how all Google users can stay secure in the face of these ongoing attacks.
Just when you thought things couldn’t get any more critical, in terms of Google account security at least, with warnings of new attack campaigns targeting Gmail users, they do. A lot worse, in fact. How so? Well, my original article recommended using Google’s account security checkup tool as soon as possible, in light of new reports on an ongoing threat campaign aimed squarely at Gmail users. Now, however, it has been reported that hackers are targeting users of that very security check feature with a malicious fake that is “one of the most fully featured browser-based surveillance toolkits” seen by Malwarebytes security researchers. It is imperative, therefore, that you know what to look out for, what not to do and, critically, how to find and use the genuine article to help protect your account.
The Malicious Google Security Checkup That All Gmail Users Need To Know About
The timing of a report analyzing a new attack against Google users could not be any more imperfect while being perfect simultaneously. By which I mean that my recommendation to use Google’s security checkup tool, as ongoing attacks against Gmail users are confirmed, might appear to be devalued by the news that threat actors are using a site pretending to be that very tool in order to distribute a malicious spying tool. Actually, it is the opposite, in my never-humble opinion, as it reinforces the need for users to take responsibility for their own account security by using only official tools through official channels. Always go direct to the source, Google itself, by typing the URL into your web browser or using the options within a Google app you are already signed into.
“Disguised as a routine security checkup,” Malwarebytes researcher Stefan Dasic confirmed in a technically detailed analysis that the attack “walks victims through a four-step flow that grants the attacker push notification access, the device’s contact list, real-time GPS location, and clipboard contents—all without installing a traditional app.”
Not surprisingly, then, Malwarebytes has described this “cleverly disguised attack” as being “very nasty.” I’d go even further and say that it is dangerous in the extreme and something that needs to be on every Google user’s radar. I would normally say it is no more dangerous than any other fake tool, site or attack using similar tactics, but in this case, I think it merits special attention. “For victims who follow every prompt,” Dasic warned, “the site also delivers an Android companion package introducing a native implant that includes a custom keyboard (enabling keystroke capture), accessibility-based screen reading capabilities, and permissions consistent with call log access and microphone recording.”
The attack itself is relatively simple in design, not relying upon any exploit or browser vulnerability, but rather bad old-fashioned deception. It starts off as an in-browser prompt to install Google’s security checkup tool, which is then pinned to the Home Screen as a progressive web app, running in its own window and without a browser bar. All of which is designed to look and feel like a native Google app.
Malwarebytes warned that the attack uses four steps, all of which are framed within the context of being required to enhance your security and protect your Google account, which is also your Gmail account.
- The prompt as described above.
- Confirm notification permissions in the guise of security alerts, allowing the attackers to maintain a functional communication channel when the app itself is not open.
- Another “security action” is prompted, to protect contacts, which actually sends these contact details directly to the attacker domain.
- A final prompt, purportedly to verify your identity in a trusted location, gets your GPS location data.
To cut a long story short, and I advise anyone of a technical bent to go read the full analysis, the malicious page script behind the fake security checkup looks for one-time passwords and crypto wallet addresses, intercepts SMS verification codes and creates a device fingerprint. When the page is closed, the service continues running and resumes data collection when the user reopens it or when an attacker silently wakes it with a new task. Malwarebytes has a full list of how to delete the threat if you have already fallen victim, included in the linked report.
I have reached out to Google for a statement.
Why Gmail Users Should Still Use The Official Google Account Security Checkup Tool
While hack attacks continue to evolve at a pace, driven partly by the latest developments in AI, one thing is constant: your email account remains firmly in the crosshairs. With an estimated active user base of 2 billion, it should come as no surprise that Gmail ranks high on the list of cyberattack targets. Online support groups are full of users asking for help in recovering their accounts after falling victim, and a newly published report of ongoing attacks confirms just one of the dangers they are facing.
But all is not lost; there’s one easy-to-use Google weapon that can be aimed at those threats and preempt most attacks. Here’s what you need to know and do, right now.
Gmail Is Under Attack—Don’t Become A Victim
A February 26 report published by the Daily Mail has warned of an ongoing attack that uses Google account recovery prompts to target Gmail users. You only have to check out the Gmail subreddit to realize that such threats are not only commonplace, albeit coming in a variety of attack scenarios, but also have a very real-world impact upon users. Of course, Gmail isn’t the only email service to be hit by threat actors of all flavors, but it is, as already explained, a primary target because of its global popularity.
So far in 2026, I have already reported on AI attackers targeting Gmail via Chrome browser extensions, and on millions of Gmail usernames and passwords exposed in an infostealer log dump. Nobody knows when the next story will break, but what I do know is that you can protect yourself before it does.
Google said that it takes online security seriously, as you might expect. It also has several security precautions that it urges all users to adopt to best protect their Google accounts from attacks. Number one on that list is the aptly named Security Checkup, and Google recommends that you run this on a regular basis. I recommend that you do so today, right now, as you never know when an attacker could strike.
Gmail Users Should Run The Google Security Checkup Today
I always recommend that you open your Google account and click on the Security & sign-in option initially, as this presents a helpful overview of your existing security configurations on one screen: information such as when you last changed your password, when the last security activity or alert occurred, what your recovery number is and so on. Right at the top of this screen, however, is the most important thing: your security recommendations. Congratulations if you have none; you are already doing what you can to best protect your account. For everyone else, including me, it has to be said, there will likely be one or more flagged. Clicking on the option will take you to the Security Checkup tool itself.
This easy-to-use tool, which has already populated itself by the time it appears on your screen, provides security recommendations ranging from Gmail configurations to two-factor authentication advice, devices accessing your account, third-party access and recent security activity, such as a new sign-in or changes to your security settings. Even better, for the user in a hurry who doesn’t want to fiddle around too much with stuff they don’t completely understand, Google will hand-hold you through the steps required to improve your account security.
Two More Ways To Ramp Up Your Gmail Account Security In The Face Of Ongoing Attacks
While Google is always working hard in the background to protect your accounts against attack, employing everything from AI to dedicated teams of security experts, the ultimate responsibility sits with you, the account holder. Yes, I know that’s not what you want to hear, and not what far too many online talking heads will tell you. But it is the truth. My late father used to say that a bad workman always blamed his tools. As far as account security goes, that doesn’t actually apply when so many people are not using the tools in the first place. Which is where these two additional security measures come in, and I would advise that all users at least consider employing them. There will always be checks and balances in terms of usability, especially when it comes to the second recommendation, which is why only you can make the deployment decision. If you think that the risk of attack and the likely consequences that would follow outweigh any inconveniences, then you know what to do.
Firstly, and there are few downsides to this, to be honest, replace your password with a passkey. “We want to move beyond passwords altogether,” Google’s vice-president of privacy, safety and security, Evan Kotsovinos, has gone on the record to say, “while keeping sign-ins as easy as possible.” And that is the case with passkeys. Not only is this technology highly phishing-resistant, allowing you to log in using your face or fingerprint, but it is also actually easier to use than a password. Passkeys are composed of two keys, a public one on the company server and a private one on your device. The keys are randomly generated and never shared during the sign-in process, making them as close to hack-proof as possible.
The main worry, or at least it would appear so based on the emails I get whenever I recommend them, is that putting all your security eggs in one smartphone basket is dangerous if the device is lost, stolen or hacked. The truth is, even in such scenarios, passkeys are safer than passwords. A passkey is created on your device, and gets synced across all your devices in the security ecosystem, be that something like 1Password’s implementation or Apple’s iCloud Keychain. Importantly, the passkey is not tied to the lost device, and can be recovered to another by signing into the passkey provider. If a device is stolen or hacked, then it can be de-authorized. If you don’t have access to another device, websites that support passkeys also have a responsibility to provide account recovery or backup options, such as SMS, email magic links or backup codes, so that users can re-authenticate.
My second Gmail account strengthening recommendation would be to activate Google’s Advanced Protection Program. This, in effect, bundles a whole bunch of attack threat protections into one automatic and straightforward plan. Yes, I am signed up for it myself, as I do eat my own cat food. What it does is block potentially harmful downloads, restrict most non-Google apps from accessing data from your Gmail account, and add steps to the account recovery process to stop the most advanced hackers from taking control this way. So, yes, it comes with usability compromises, but if you are at high risk of attack, or your data is of more importance than such inconveniences, it’s well worth considering.
If You Do Nothing Else, Run The Gmail Account Checkup Today
As you can see in the screenshot above, this test account of mine was lacking in a couple of areas. Even cybersecurity folk are not always perfect. A couple of clicks, and the account was properly secured. If you are a Gmail user, I recommend not delaying and running the security checkup tool today. You know it makes sense. Security sense.