A new and sophisticated phishing campaign is targeting Android and iOS users, leveraging a technique that cleverly circumvents traditional security defenses. This attack primarily affects users in Eastern Europe and utilizes Progressive Web Applications (PWAs) to create a deceptive appearance of a legitimate banking app. While iOS typically restricts third-party app installations, and Android users need to approve such apps explicitly, cybercriminals have exploited PWAs to bypass these barriers.
PWAs are essentially web pages packaged to look like native apps in the device’s app launcher. These malicious PWAs masquerade as genuine banking applications, leading users to phishing sites that closely resemble real banking apps. In a statement, ESET has highlighted this trend, noting that the current campaign, which began affecting Czech citizens, involves fake updates for banking apps. As reported by CyberNews, victims are flooded with automated phone calls, SMS messages, and malicious ads on social media platforms. Similar phishing campaigns have been observed in Poland, Hungary, and Georgia.
The attack unfolds in several stages. Initially, scammers use malicious links distributed via SMS, social media ads, or automated calls urging users to update their banking apps. Clicking these links directs users to phishing sites that imitate the Google Play Store or popular banking websites. These sites are designed to look authentic, and only the URL exposes their malicious nature.
Victims are prompted to install a “new version” of their banking app, which is actually a malicious PWA or WebAPK. For Android users, the malicious app can be a WebAPK or PWA, while for iOS users, it can only be a PWA. Both types of fake apps add icons to the home screen and function as web page launchers. Crucially, the installation of a PWA/WebAPK does not trigger any warning about third-party apps.
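Because a PWA or WebAPK is only a web page with a home-screen icon, the one thing it cannot fake is the origin it was installed from, which is why the article notes that only the URL gives the fake away. The following added example (not from the article or from ESET) shows how a bank's security team might triage a reported PWA manifest: it flags a manifest that uses a protected brand name while being served from a domain the bank does not own, and checks that `start_url` and `scope` stay on the serving origin. The brand, the domains and the sample manifest are constructed placeholders.

```python
import json
from urllib.parse import urljoin, urlparse

# Constructed sample: the web app manifest a fake "banking app update" PWA
# might ship, and the lookalike origin it was served from (hypothetical).
SAMPLE_MANIFEST = json.dumps({
    "name": "Example Bank",
    "short_name": "ExampleBank",
    "start_url": "/login",
    "scope": "/",
    "display": "standalone",
})
SAMPLE_ORIGIN = "https://examplebank-update.example"

# Brand name -> registrable domains the bank actually owns (assumption:
# maintained by the bank's own security team; placeholder values here).
PROTECTED_BRANDS = {
    "example bank": {"examplebank.example"},
}


def manifest_red_flags(manifest_json, served_from, brands=PROTECTED_BRANDS):
    """Return reasons a PWA manifest looks like brand impersonation.

    The installed app's real identity is the origin the manifest came from,
    not the name or icon the manifest declares, so the origin is what is
    compared against the brand's legitimate domains.
    """
    manifest = json.loads(manifest_json)
    origin = urlparse(served_from)
    host = (origin.hostname or "").lower()
    flags = []
    if origin.scheme != "https":
        flags.append("manifest served without HTTPS")
    # Text the user will see on the home screen and in the app switcher.
    shown = " ".join(str(manifest.get(k, "")) for k in ("name", "short_name")).lower()
    for brand, domains in brands.items():
        owned = any(host == d or host.endswith("." + d) for d in domains)
        if brand in shown and not owned:
            flags.append(f"claims brand '{brand}' but origin is {host}")
    # start_url and scope are resolved relative to the manifest; a value that
    # resolves to another host means the icon launches somewhere else entirely.
    for key in ("start_url", "scope"):
        target = urlparse(urljoin(served_from, manifest.get(key, "/")))
        if target.netloc and target.netloc.lower() != origin.netloc.lower():
            flags.append(f"{key} resolves off-origin to {target.netloc}")
    return flags
```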
Once installed, the fake app presents a phishing login page. Even if Android users check the app’s information, it falsely indicates that the app was downloaded from the Google Play Store. ESET researchers discovered that two separate threat actors are behind this campaign, each using different command and control (C&C) infrastructures. One group employs a Telegram bot to collect entered information, while the other uses a traditional C&C server with an administrative panel.
The researchers have alerted relevant banks and coordinated the takedown of several phishing domains and C&C servers. As this phishing technique gains traction, more malicious PWAs are expected to emerge. Additionally, since PWAs can request access to various browser functions like the microphone and camera, there is concern about potential spyware applications. ESET warns that the capabilities of PWAs may pose significant risks if exploited for malicious purposes.