Threat actors have begun using progressive web applications to impersonate banking apps to steal credentials from Android and iOS users.
Progressive Web Apps (PWAs) are cross-platform applications that can be installed directly from a browser and provide a native-like experience through features such as push notifications, access to device hardware, and background data sync.
Using these apps in phishing campaigns helps attackers avoid detection, bypass app-installation restrictions, and obtain access to sensitive device capabilities without the standard prompts that might arouse a user's suspicion.
The technique was first identified in Poland in July 2023, with a subsequent campaign launched in November of the same year targeting users in the Czech Republic.
Cybersecurity firm ESET reports that it is currently tracking two different campaigns leveraging this technique, one targeting Hungarian financial institution OTP Bank and the other targeting Georgia's TBC Bank.
The two campaigns appear to be run by different threat actors: one uses its own command and control (C2) infrastructure to receive stolen credentials, while the other logs the stolen data via Telegram.
Infection Chain
According to ESET, the campaigns used a wide range of techniques to reach their targets, including automated calls, SMS messages (smishing), and carefully crafted malvertising in Facebook ad campaigns.
In the first two cases, the cybercriminals trick users with fake messages claiming that their banking app is outdated and must be updated for security reasons, and provide a URL that points to the phishing PWA.
In the case of malicious advertising on social media, threat actors will spoof official bank mascots to lend an air of legitimacy and promote limited-time offers, such as financial rewards for installing critical app updates.
Depending on the device, as determined from the User-Agent HTTP header of the request, clicking the ad takes the victim to a fake Google Play or App Store page.
Once the "Install" button is clicked, the user is prompted to install the malicious PWA disguised as the banking app. On Android, it may also be installed as a WebAPK, a native APK that the Chrome browser generates for an installable PWA.
The phishing app uses the identifiers of the official banking app (logo, legitimate-looking login screen) and declares the Google Play Store as the app's software source.
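The platform check described in the malvertising stage, as an added illustration that is not the threat actors' code: the visitor's User-Agent header decides which fake store page they are sent to, and anything that is not an Android or iOS browser gets a harmless decoy. The paths and the sample requests are placeholders constructed for this example.

```javascript
// Added example, not the threat actors' code: routing a visitor to a
// platform-specific landing page based on the User-Agent request header,
// as described for the malvertising stage. All paths are placeholders.

const LANDING_PAGES = {
  android: "/store/google-play.html", // placeholder: fake Google Play page
  ios: "/store/app-store.html",       // placeholder: fake App Store page
  other: "/promo.html",               // placeholder: harmless decoy for desktops and crawlers
};

// Classify a User-Agent string as android, ios or other.
function classifyUserAgent(ua) {
  const s = String(ua || "");
  if (/\bAndroid\b/.test(s)) return "android";
  // iPhone/iPad/iPod tokens; iPadOS Safari in "desktop" mode reports a Mac UA
  // and is deliberately treated as "other" here.
  if (/\b(iPhone|iPad|iPod)\b/.test(s)) return "ios";
  return "other";
}

// Decide the redirect for one request. `headers` is a plain object keyed by
// lower-cased header names, as Node's http module provides.
function routeRequest(headers) {
  const platform = classifyUserAgent(headers["user-agent"]);
  return { status: 302, location: LANDING_PAGES[platform], platform };
}

// Constructed sample requests for a stand-alone run.
const SAMPLE_REQUESTS = [
  { "user-agent": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Mobile Safari/537.36" },
  { "user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Mobile/15E148 Safari/604.1" },
  { "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" },
  {}, // no User-Agent at all, e.g. a bare scanner
];

for (const headers of SAMPLE_REQUESTS) {
  const r = routeRequest(headers);
  console.log(`${r.platform.padEnd(7)} -> ${r.status} ${r.location}`);
}
```

The practical consequence for anyone investigating one of these links: a fetch from a desktop browser, a sandbox, or a crawler lands on the decoy and never sees the fake store page, so the URL should be replayed with a current Android and iOS User-Agent before concluding that it is benign.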
The appeal of using PWAs on mobile
Because PWAs are designed to work across multiple platforms, attackers can target a wider range of users through a single phishing campaign and payload.
Their main advantage, however, lies in sidestepping Google's and Apple's restrictions on installing apps from outside their official stores, as well as the "install from unknown sources" warnings that might alert victims to the risk.
PWAs can mimic the look and feel of native apps very well, and WebAPKs in particular hide the browser badge on the home-screen icon and the browser interface inside the app, making them nearly impossible to distinguish from legitimate applications.
These web apps can access device capabilities such as geolocation, camera, and microphone through browser APIs. The browser still asks for each of these at runtime, but the request arrives as a web-page prompt from an app that looks native, rather than through the mobile OS's app permission screen, so the victim never sees an install-time list of what the "app" can do.
Finally, because a PWA is just content served from the attacker's web server, attackers can update or change it without any user interaction, allowing them to adjust the phishing pages on the fly to improve their success rate.
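The properties described above, the borrowed bank identity and the standalone display that hides the browser, all live in the PWA's Web App Manifest, which is one file an analyst can pull from a suspicious URL. The following triage heuristic is an added example, not ESET's tooling or anything from the campaigns: it flags a manifest that carries a bank's name from a host that is not the bank's domain, a start_url that leaves the serving origin, and a related_applications entry claiming a Play Store package. The manifest, the brand and every domain below are constructed for this example, and treating related_applications as the way a PWA "declares" a Play Store source is an assumption of the example, not something the page states.

```javascript
// Added example, not ESET's or the campaign's code: triage heuristics for a
// Web App Manifest pulled from a suspected phishing URL. The manifest, the
// bank brand and every domain below are constructed for this example.

const EXAMPLE_BRAND = { name: "Example Bank", domain: "examplebank.example" };

// A manifest shaped like the one a bank-impersonating PWA would need: bank
// name and icon, standalone display (hides the browser UI once installed), and
// a related_applications entry claiming a Play Store package. Whether the real
// campaign used related_applications is not stated on the page; it is an
// assumption of this example.
const SAMPLE_MANIFEST = {
  name: "Example Bank",
  short_name: "ExampleBank",
  start_url: "/login",
  display: "standalone",
  icons: [{ src: "/icons/bank-192.png", sizes: "192x192", type: "image/png" }],
  related_applications: [{ platform: "play", id: "com.examplebank.mobile" }],
};

function hostOf(origin) {
  return new URL(origin).hostname.toLowerCase();
}

// True when the serving host is the brand's domain or a subdomain of it.
function onBrandDomain(origin, brand) {
  const host = hostOf(origin);
  const brandHost = brand.domain.toLowerCase();
  return host === brandHost || host.endsWith("." + brandHost);
}

// Returns { suspicious, findings }. A standalone display alone is normal for any
// PWA and is only informational; the verdict turns on brand identity or a Play
// Store claim being used from a non-brand origin.
function analyzeManifest(manifest, servingOrigin, brand) {
  const findings = [];
  const trusted = onBrandDomain(servingOrigin, brand);
  const host = hostOf(servingOrigin);

  if (manifest.display === "standalone" || manifest.display === "fullscreen") {
    findings.push({ severity: "info", msg: `display=${manifest.display}: browser UI hidden after install` });
  }

  const names = [manifest.name, manifest.short_name].filter(Boolean).map((n) => n.toLowerCase());
  if (!trusted && names.some((n) => n.includes(brand.name.toLowerCase()))) {
    findings.push({ severity: "high", msg: `brand "${brand.name}" served from ${host}, not ${brand.domain}` });
  }

  if (manifest.start_url) {
    const start = new URL(manifest.start_url, servingOrigin);
    if (start.origin !== new URL(servingOrigin).origin) {
      findings.push({ severity: "high", msg: `start_url leaves the serving origin: ${start.origin}` });
    }
  }

  for (const rel of manifest.related_applications || []) {
    if (rel.platform === "play" && !trusted) {
      findings.push({ severity: "high", msg: `claims Play Store package ${rel.id} from a non-brand domain` });
    }
  }

  return { suspicious: findings.some((f) => f.severity === "high"), findings };
}

// Stand-alone run: the same manifest served from a look-alike host and from the bank itself.
for (const origin of ["https://examplebank-update.example", "https://www.examplebank.example"]) {
  const r = analyzeManifest(SAMPLE_MANIFEST, origin, EXAMPLE_BRAND);
  console.log(`${origin}: suspicious=${r.suspicious}`);
  for (const f of r.findings) console.log(`  [${f.severity}] ${f.msg}`);
}
```

The same manifest is clean when the bank serves it and suspicious when a look-alike host does, which is the point: nothing in the file itself is malicious, so the check has to combine the manifest with the origin it was fetched from and with an allow-list of the brand's real domains.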
Using PWAs for phishing is a dangerous new trend that is likely to grow as more cybercriminals realize its potential.
A few months ago, we reported on a new phishing kit targeting Windows accounts using PWAs. The kit was created by security researcher mr.d0x to specifically demonstrate how these apps can be used to create convincing corporate login forms and steal credentials.
BleepingComputer has reached out to both Google and Apple to ask if they have plans to implement defenses against PWAs/WebAPKs, and will update this post with their response when we hear back.