This sophisticated technique targets both iOS and Android users, exploiting the unique capabilities of PWAs to bypass traditional security measures
The Rise of PWA-Based Phishing Attacks
In a growing trend that has alarmed cybersecurity experts, threat actors have begun leveraging Progressive Web Applications (PWAs) to impersonate legitimate banking apps and steal sensitive user information. This sophisticated technique targets both iOS and Android users, exploiting the unique capabilities of PWAs to bypass traditional security measures and evade detection.
Understanding Progressive Web Applications (PWAs)
Progressive Web Applications (PWAs) are cross-platform web applications designed to offer a native app-like experience. They are installed directly from a web browser (Chrome's "Install app" / WebAPK flow on Android, Safari's "Add to Home Screen" on iOS) rather than downloaded through Google Play or Apple's App Store. Through standard browser APIs they can use device hardware, receive push notifications, and synchronize data in the background, which makes them attractive to developers and, unfortunately, to cybercriminals.
How PWAs Are Exploited in Phishing Campaigns
The flexibility of PWAs makes them a potent tool in phishing campaigns. Because a PWA is installed by the browser itself rather than by sideloading an APK or IPA, the install never triggers the "install from unknown sources" warnings or store-review step that would otherwise alert the user, so a malicious PWA can be placed on the home screen without raising suspicion. Once installed, the app can ask for sensitive capabilities such as location, camera and microphone through ordinary browser APIs. The browser still shows its permission prompt, but the prompt appears inside what looks like the bank's own app, so a victim who trusts the "app" is likely to grant it without realizing who is really asking.
The first known instance of this technique was detected in July 2023 in Poland. This initial campaign was soon followed by another in November, targeting users in the Czech Republic. According to cybersecurity firm ESET, two ongoing campaigns are currently utilizing this method, targeting OTP Bank in Hungary and TBC Bank in Georgia. Although these campaigns share similarities, they appear to be operated by different groups, each employing distinct methods to manage and receive stolen credentials.
The Mechanics of PWA-Based Phishing
Infection Chain: How Users Are Targeted
To deliver these malicious PWAs to their victims, threat actors employ a variety of tactics. These include automated phone calls, SMS phishing (smishing), and deceptive advertisements on social media platforms such as Facebook.
In some cases, users receive a fake notification claiming that their banking app is outdated and urging them to install the latest version for security purposes. The message includes a link to download the so-called “update,” which is, in reality, a phishing PWA.
On social media, particularly Facebook, attackers utilize well-crafted malvertising campaigns. These ads often feature the official mascot of the impersonated bank, lending an air of legitimacy to the scam. The ads might also promise limited-time offers, such as monetary rewards for installing the app, further enticing users to fall into the trap.
When users click on the ad or link, they are redirected to a fake Google Play or App Store page that prompts them to install the malicious PWA. On Android devices the app is sometimes installed as a WebAPK, a native APK that Chrome generates for an installable PWA, so the phishing app shows up in the app drawer and in the device's app settings like any other installed application.
Deceptive Appearance of Phishing Apps
The phishing PWAs are designed to closely mimic the appearance and functionality of the official banking apps they impersonate. They reuse the same logos, colors and user interface, making the deception hard to spot. Worse, on Android the app info screen for a WebAPK lists the Google Play Store as the app's source, even though the app never went through Play review, which further convinces the user of its legitimacy.
Why PWAs Are an Attractive Target for Cybercriminals
Cross-Platform Reach
One of the key advantages of PWAs for cybercriminals is their cross-platform nature. A single phishing campaign can target users on multiple operating systems, significantly broadening the reach of the attack.
Bypassing Security Measures
Perhaps the most concerning aspect of PWAs is how they sidestep the protections that normally guard mobile devices. Traditional apps pass through app-store review before they can be installed, and sideloaded packages trigger an "install from unknown sources" warning. A PWA does neither: the browser installs it directly, so the user sees no warning at all. On iOS the same applies to Safari's "Add to Home Screen", which likewise never involves the App Store.
Additionally, PWAs can closely replicate the look and feel of native apps. A PWA whose web app manifest sets the display mode to standalone (which is what a WebAPK or an iOS home-screen web app runs in) shows no address bar, browser logo or other browser interface. Without an address bar the victim has no way to see which domain the content is actually served from, so distinguishing a legitimate app from a malicious PWA by appearance alone becomes nearly impossible.
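The indicators described above all live in the PWA's web app manifest, which is a public JSON file an analyst can fetch from any suspicious site. As an added example (not code from ESET or from this article), the Node.js script below triages a manifest for impersonation signs: a standalone/fullscreen display mode that hides the address bar, a monitored brand name served from an origin the brand does not own, start_url or scope pointing off-origin, and icons hot-linked from the real bank's servers. The brand list, the origins and the sample manifest are all constructed placeholders for illustration.

```javascript
// Added example: triage a suspicious site's web app manifest for
// PWA-impersonation indicators. Not ESET's or the article's code;
// the brand list, origins and sample manifest are constructed placeholders.

// Brand terms a bank's brand-protection team might monitor (assumed list).
const MONITORED_BRANDS = ['examplebank', 'example bank'];

function normalize(s) {
  return String(s || '').toLowerCase().replace(/[\s_-]+/g, ' ').trim();
}

// Returns a list of human-readable findings for a manifest fetched from
// manifestUrl. legitimateOrigins lists the origins the brand really owns.
function triageManifest(manifestJson, manifestUrl, legitimateOrigins) {
  const m = typeof manifestJson === 'string' ? JSON.parse(manifestJson) : manifestJson;
  const base = new URL(manifestUrl);
  const isLegit = legitimateOrigins.includes(base.origin);
  const findings = [];

  // 1. standalone/fullscreen/minimal-ui removes the address bar, which is
  //    what lets a phishing PWA pass for a native app. Legitimate PWAs use
  //    it too, so on its own this is context, not proof.
  if (['standalone', 'fullscreen', 'minimal-ui'].includes(m.display)) {
    findings.push(`display=${m.display} hides browser UI`);
  }

  // 2. A monitored brand in name/short_name on an origin the brand does not own.
  const names = [m.name, m.short_name].map(normalize);
  const brandHit = MONITORED_BRANDS.find(b => names.some(n => n.includes(b)));
  if (brandHit && !isLegit) {
    findings.push(`brand "${brandHit}" in name/short_name on foreign origin ${base.origin}`);
  }

  // 3. start_url or scope resolving to a different origin than the manifest.
  for (const key of ['start_url', 'scope']) {
    if (m[key]) {
      const target = new URL(m[key], manifestUrl);
      if (target.origin !== base.origin) {
        findings.push(`${key} points off-origin to ${target.origin}`);
      }
    }
  }

  // 4. Icons hot-linked from the impersonated brand's own servers.
  for (const icon of m.icons || []) {
    const src = new URL(icon.src, manifestUrl);
    if (!isLegit && legitimateOrigins.includes(src.origin)) {
      findings.push(`icon hot-linked from legitimate origin ${src.origin}`);
    }
  }

  return findings;
}

// Constructed sample: a lookalike manifest hosted on a placeholder domain.
const SAMPLE_MANIFEST = {
  name: 'Example Bank Mobile',
  short_name: 'ExampleBank',
  display: 'standalone',
  start_url: '/login',
  scope: '/',
  icons: [{ src: 'https://www.examplebank.example/static/icon-192.png', sizes: '192x192', type: 'image/png' }],
};
const LEGIT_ORIGINS = ['https://www.examplebank.example'];

// The same manifest served from the attacker's domain and from the bank's own domain.
function runSample() {
  return {
    lookalike: triageManifest(SAMPLE_MANIFEST, 'https://secure-update.example/manifest.json', LEGIT_ORIGINS),
    genuine: triageManifest(SAMPLE_MANIFEST, 'https://www.examplebank.example/manifest.json', LEGIT_ORIGINS),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { lookalike, genuine } = runSample();
  console.log('lookalike:\n  ' + lookalike.join('\n  '));
  console.log('genuine:\n  ' + genuine.join('\n  '));
}
```

Run with `node triage.js`. The genuine copy produces only the display-mode note, which is why the script reports indicators rather than a verdict: standalone mode is normal for real banking PWAs, and it is the combination with a foreign origin and hot-linked brand assets that warrants a takedown request.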
Exploiting Browser APIs for Malicious Purposes
Once installed, a PWA can reach device capabilities such as geolocation, camera and microphone through standard browser APIs (the Geolocation API and getUserMedia). These APIs are gated by the browser's permission prompts, so access is not silent, but the prompt is shown inside what the victim believes is the bank's own app, and a user who has just "updated" that app has little reason to refuse. The attacker therefore obtains the data with the victim's consent but without the victim understanding who is receiving it.
Moreover, a PWA is nothing more than web content loaded from the attacker's server, so the attacker can change its pages and logic at any time without an app-store review, an update prompt or any user interaction. This lets cybercriminals adjust a phishing campaign on the fly, for example to change which credentials or one-time codes the fake login flow asks for.
The Growing Threat of PWA Abuse
The abuse of PWAs in phishing campaigns is an emerging and dangerous trend, and as more cybercriminals recognize its advantages, its use is likely to increase. A few months before the ESET report, security researcher mr.d0x published a proof of concept showing that PWAs can be used against desktop corporate accounts as well: a standalone-mode PWA renders a fake address bar inside its own window so that a convincing corporate login form appears to sit on the real domain.
In conclusion, the use of PWAs to steal banking credentials represents a significant and growing threat to mobile users worldwide. Users should install banking apps only from the official app stores and treat any "update" delivered by phone call, SMS or social media ad as suspect. Banks can monitor for manifests and pages that impersonate their brand, and browser and platform vendors can make the true origin of a home-screen web app visible to the user, since the missing address bar is what makes this technique work.