In a new twist on phishing tactics, ESET analysts have uncovered a series of sophisticated campaigns targeting mobile users by leveraging Progressive Web Applications (PWAs).
This use of PWAs, which are essentially websites functioning as standalone apps, sets this phishing campaign apart. Unlike traditional phishing techniques, these attacks instruct iOS users to add the PWA to their home screens, while Android users are prompted to install a WebAPK. The key concern is that these phishing applications do not require users to approve third-party installations, bypassing typical security warnings.
On Android, the phishing WebAPK even apes a legitimate Google Play installation – a cunning way of increasing the deception. ESET analysts note that these apps are almost indistinguishable from genuine banking applications, making it highly difficult for users to identify the threat.
The technique was initially disclosed by CSIRT KNF in Poland in July 2023, and observed in November 2023 in the Czech Republic by ESET researchers. It targeted clients of a prominent Czech bank and raised alarms due to its cross-platform reach and stealthy installation methods.
ESET’s research highlights the dangers posed by these emerging threats, which are now affecting mobile banking security on both iOS and Android devices.
Geographic Reach and Victim Impact
The campaigns have extended their tentacles to target other regions, including Hungary and Georgia. Specifically, attacks were observed against OTP Bank in Hungary and a Georgian Bank. The cross-platform nature of PWAs enables the global reach of these campaigns, as the malicious app are able to operate on iOS and Android devices.
ESET’s research also reveals that two distinct threat actors are behind these campaigns. However, the analysts discovered different Command and Control (C&C) infrastructures, suggesting that multiple groups are exploiting this novel phishing method.
Delivery Mechanisms and Attack Flow
The campaigns use various methods to deliver phishing URLs, including automated voice calls, SMS messages, and malicious ads on social media platforms like Facebook and Instagram. These tactics lure users with tempting offers or warnings about outdated banking apps, leading them to download the phishing application.
Once installed, the apps prompt users to enter their banking credentials, which are then transmitted to the attacker’ C&C servers. In some cases, stolen information is logged via Telegram bots, while other campaigns rely on traditional C&C servers with administrative panels.
Mitigation Efforts
ESET has taken proactive steps to mitigate the impact of these phishing campaigns. By identifying and reporting compromised accounts, the company has worked with affected banks to protect customers. Additionally, ESET has been involved in the takedown of multiple phishing domains and C&C servers.
This phishing method is a significant threat to mobile banking security. Its stealthy installation of PWAs and WebAPKs slips through traditional security nets, making it hard for users to recognize the danger. ESET analysts warn that more copycat applications could emerge in the coming months, posing a continued risk to mobile users worldwide.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.