The new phishing method uses PWAs and WebAPKs to target mobile users, with a particular focus on customers of Czech, Hungarian and Georgian banks. These apps, which appear to come from the Google Play Store, do not show installation warnings from external sources
Researchers of ESET, a global European leader in the cybersecurity market, discovered an unusual type of phishing campaign targeting mobile users by analyzing a case observed in the field that had affected customers of a well-known Czech bank. This technique is notable because it installs a phishing application from a third-party website without the user having to allow it to be installed. On Android, this can result in the silent installation of a special type of APK, which even appears to have been installed from the Google Play Store. The threat also affected iPhone (iOS) users.
Phishing sites targeting iOS instruct victims to add a Progressive Web Application (PWA) to the home screen, while on Android the PWA is installed after confirming custom pop-ups in the browser. At this point, on both operating systems, these phishing apps are largely indistinguishable from the real banking apps they imitate. PWAs are essentially websites integrated into what appears to be a standalone application, with a more secure feel enhanced by the use of native system prompts. PWAs, just like websites, are cross-platform, which explains how these PWA phishing campaigns can target both iOS and Android users. The new technique was observed in the Czech Republic by ESET analysts who monitor threats within the vendor's intelligence services.
“For iPhone users, such an action could shatter any assumptions about the security of the walled garden,” says Jakub Osmani, an ESET researcher who analyzed the threat.
ESET analysts discovered a series of phishing campaigns, targeting mobile users, that used three different URL delivery mechanisms. These mechanisms include automated voice calls, SMS messages, and social media malvertising. Voice call delivery consists of an automated call that alerts the user of an outdated banking app by asking them to select an option on the numeric keypad. After pressing the correct button, a phishing URL is sent via SMS, as already reported in a tweet. Initial SMS delivery was done by sending messages indiscriminately to Czech phone numbers. The message sent included a phishing link and text to trick victims into visiting it. The campaign was spread via ads recorded on Meta platforms, such as Instagram and Facebook, which included a call to action, such as a limited offer for users who “download the update below”.
After opening the URL provided in the first step, Android victims are presented with two distinct campaigns, a high-quality phishing page that mimics the official Google Play Store page for the targeted banking application, or a copycat website for that application. From here, victims are asked to install a “new version” of the banking app.
The phishing campaign and this method are only possible thanks to the technology of progressive web apps. In short, PWAs are applications developed using traditional web application technologies that can run on multiple platforms and devices. WebAPKs can be considered an improved version of PWAs, as the Chrome browser generates a native Android app from a PWA: in other words, an APK. These WebAPKs look like normal native apps. Furthermore, installing a WebAPK does not produce any “installation from an untrusted source” warning. The app is installed even if installation from third-party sources is not allowed.
One group used a Telegram bot to log all information entered into a Telegram group chat via the messaging app's official API, while another used a traditional Command & Control (C&C) server with an administrative panel. “Based on the fact that the campaigns used two distinct C&C infrastructures, we determined that two separate groups were operating the PWA/WebAPK phishing campaigns against different banks,” concludes Osmani. Most of the known cases occurred in the Czech Republic, with only two phishing applications appearing outside the country (most notably in Hungary and Georgia).
All sensitive information revealed by ESET's research on this topic was promptly sent to the relevant banks for processing. ESET has also contributed to the removal of numerous phishing domains and C&C servers.
For more technical information on this new phishing threat, see the blog “Be careful what you pwish for – Phishing in PWA applications” on WeLiveSecurity.com. Follow ESET Research on Twitter (now known as X) For the latest news from ESET Research.
