Jump to content
  • Hackers steal banking creds from iOS, Android users via PWA apps

    Karlston

    • 1 comment
    • 726 views
    • 4 minutes
     Share


    • 1 comment
    • 726 views
    • 4 minutes

    Threat actors started to use progressive web applications to impersonate banking apps and steal credentials from Android and iOS users.

     

    Progressive web apps (PWA) are cross-platform applications that can be installed directly from the browser and offer a native-like experience through features like push notifications, access to device hardware, and background data syncing.

     

    Using this type of apps in phishing campaigns allows evading detection, bypass app installation restrictions, and gain access to risky permissions on the device without having to serve the user a standard prompt that could raise suspicion.

     

    The technique was first observed in the wild in July 2023 in Poland, while a subsequent campaign that launched in November of the same year targeted Czech users.

     

    Cybersecurity company ESET reports that it is currently tracking two distinct campaigns relying on this technique, one targeting the Hungarian financial institution OTP Bank and the other targeting TBC Bank in Georgia.

     

    However, the two campaigns appear to be operated by different threat actors. One uses a distinct command and control (C2) infrastructure to receive stolen credentials, while the other group logs stolen data via Telegram.

    Infection chain

    ESET says that the campaigns rely on a broad range of methods to reach their target audience, including automated calls, SMS messages (smishing), and well-crafted malvertising on Facebook ad campaigns.

     

    In the first two cases, the cybercriminals trick the user with a fake message about their banking app being outdated and the need to install the latest version for security reasons, providing a URL to download the phishing PWA.

     

    PWA campaigns infection flow
    PWA campaigns infection flow
    Source: ESET

    In the case of malicious advertisements on social media, the threat actors use the impersonated bank’s official mascot to induce a sense of legitimacy and promote limited-time offers like monetary rewards for installing a supposedly critical app update.

     

    One of the malicious ads used in the phishing campaign
    One of the malicious ads used in the phishing campaign
    Source: ESET

    Depending on the device (verified via the User-Agent HTTP header), clicking on the ad takes the victim to a bogus Google Play or App Store page.

     

    Fake Google Play portal
    Fake Google Play installation prompt (left) and progress (right)
    Source: ESET

    Clicking on the ‘Install’ button prompts the user to install a malicious PWA posing as a banking app. In some cases on Android, the malicious app is installed in the form of a WebAPK - a native APK generated by Chrome browser.

     

    The phishing app uses the official banking app’s identifiers (e.g. logo legitimate-looking login screen) and even declares Google Play Store as the software source of the app.

     

    The malicious WebAPK on the victim's homescreen and the phishing login page
    The malicious WebAPK (left) and the phishing login page (right)
    Source: ESET

    The appeal of using PWAs on mobile

    PWAs are designed to work across multiple platforms, so attackers can target a broader audience through a single phishing campaign and payload.

     

    The key benefit, though, lies in bypassing Google’s and Apple’s installation restrictions for apps outside the official app stores, as well as “install from unknown sources” warning prompts that could alert victims to potential risks.

     

    PWAs can closely mimic the look and feel of native apps, especially in the case of WebAPKs, where the browser logo on the icon and the browser interface within the app are hidden, so distinguishing it from legitimate applications is nearly impossible.

     

    PWA (left) and legitimate app (right). WebAPKs are indistinguishable
    PWA (left) and legitimate app (right). WebAPKs are indistinguishable as they lose the Chrome logo from the icon.
    Source: ESET

    These web apps can get access to various device systems through browser APIs, such as geolocation, camera, and microphone, without requesting them from the mobile OS’s permissions screen.

     

    Ultimately, PWAs can be updated or modified by the attacker without user interaction, allowing the phishing campaign to be dynamically adjusted for greater success.

     

    Abuse of PWAs for phishing is a dangerous emerging trend that could gain new proportions as more cybercriminals realize the potential and benefits.

     

    A few months back, we reported about new phishing kits targeting Windows accounts using PWAs. The kits were created by security researcher mr.d0x specifically to demonstrate how these apps could be used to steal credentials by creating convincing corporate login forms.

     

    BleepingComputer has contacted both Google and Apple to ask if they plan to implement any defenses against PWAs/WebAPKs, and we will update this post with their responses once we hear back.

     

    Source

     

    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every single day for many years.

    2023: Over 5,800 news posts | 2024 (till end of July): 3,313 news posts


    User Feedback

    Recommended Comments



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...