Phishers are using novel tactics to trick iOS and Android users into installing malicious apps that circumvent the safety guardrails built by Apple and Google to prevent fraudulent apps.
Both mobile operating systems employ mechanisms to keep users away from apps that steal personal information, passwords, and other sensitive data. iOS prohibits the installation of all apps other than those available in the App Store, an approach popularly known as the Walled Garden. Android, on the other hand, is configured by default to only allow apps available in Google Play. Sideloading, or the installation of apps from other markets, must be manually allowed and is something Google warns against.
Native apps
A phishing campaign widespread over the past nine months has found unprecedented ways to circumvent these protections by tricking victims into installing a malicious app that poses as the official app of their bank. Once installed, the malicious app steals account credentials and transmits them to the attacker in real time via Telegram.
“This technique is noteworthy because it installs a phishing app from a third-party website without the user having given permission for third-party app installations,” Jakub Osmani, an analyst at security firm ESET, wrote on Tuesday. “For iOS users, such behavior could violate 'walled garden' security assumptions. On Android, this could lead to the silent installation of a special type of APK that, on closer inspection, may appear to have been installed from the Google Play Store.”
This novel technique involves tricking targets into installing a special kind of app called a Progressive Web App. These apps rely solely on web standards to render functionality that feels and behaves like native apps, but without the limitations that come with native apps. Relying on web standards means that the apps, called PWAs for short, can theoretically work on any platform that runs a standards-compliant browser, and they work the same way on iOS and Android. Once installed, users can add PWAs to their home screen, making them strikingly similar to native apps.
PWAs work on both iOS and Android, but Osmani's post uses the term PWA for the iOS app and WebAPK for the Android app.
The attack begins with a lure delivered by SMS, automated voice call, or a malicious ad on Facebook or Instagram. When the target taps a link in the scam message, it opens a page that mimics the App Store or Google Play.
ESET's Osmani continued:
From here, the victim is asked to install a “new version” of the banking application, an example of which is shown in Figure 2. Depending on the campaign, clicking the install/update button will trigger the installation of the malicious application from a website and install it directly onto the victim's phone in WebAPK format (Android users only) or PWA format (if the campaign is not WebAPK-based). This crucial installation step avoids the traditional browser warning “you are installing an unknown app”, which is the default behavior of Chrome's WebAPK technology and is being exploited by attackers.
For iOS users, the process is a bit different, with an animated popup instructing victims how to add the phishing PWA to their home screen (see Figure 3). The popup copies the look of the native iOS prompt. After all, even iOS users are not warned about adding a potentially harmful app to their phone.
Once installed, victims are asked to submit their internet banking credentials to access their accounts via the new mobile banking app, which are then sent to the attacker's C&C server.
This technique is even more effective because the application information associated with the WebAPK shows that it was installed from Google Play and has no system permissions assigned to it.
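Because a WebAPK's app-info screen looks like a Play Store install with no permissions, an analyst triaging an Android device cannot rely on that screen alone. The script below is an added example for defenders, not code from ESET or from the article: it parses the output of `adb shell pm list packages -i` and flags every Chrome-minted WebAPK so the wrapped site can be reviewed. It assumes that Chrome packages WebAPKs under names beginning with `org.chromium.webapk.` and that `com.android.vending` is the Play Store's package name; the sample `pm` output embedded in the block is constructed, including the installer values shown for the two WebAPK entries.

```python
"""Triage helper: list Chrome WebAPKs found in `pm list packages -i` output.

Added example for device triage; not ESET's code and not from the article.
Assumptions: Chrome names minted WebAPKs org.chromium.webapk.<id>, and the
Play Store app's package name is com.android.vending. The sample output at the
bottom is constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Naming pattern Chrome uses for WebAPKs it mints for installed PWAs (assumption).
WEBAPK_PREFIX = "org.chromium.webapk."
# Package name of the Google Play Store client (assumption).
PLAY_INSTALLER = "com.android.vending"

# `pm list packages -i` prints one line per package:  package:<name> installer=<pkg|null>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


@dataclass
class Finding:
    package: str
    installer: str
    reason: str


def parse_pm_list(output: str) -> list[tuple[str, str]]:
    """Return (package, installer) pairs; lines that do not match are skipped."""
    pairs: list[tuple[str, str]] = []
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            pairs.append((m.group("pkg"), m.group("inst")))
    return pairs


def triage(output: str) -> list[Finding]:
    """Flag every WebAPK, whatever its installer field says.

    The installer value is reported, not trusted: the article's point is that a
    WebAPK can present as a Play Store install, so a Play installer is not a
    clean bill of health.
    """
    findings: list[Finding] = []
    for pkg, inst in parse_pm_list(output):
        if not pkg.startswith(WEBAPK_PREFIX):
            continue
        if inst == PLAY_INSTALLER:
            reason = "WebAPK reporting Google Play as installer; confirm which site it wraps"
        else:
            reason = f"WebAPK with installer '{inst}'; confirm which site it wraps"
        findings.append(Finding(pkg, inst, reason))
    return findings


# Constructed sample of `adb shell pm list packages -i` output (not real device data).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome installer=com.android.vending
package:com.example.realbank installer=com.android.vending
package:org.chromium.webapk.a1b2c3d4e5f6 installer=com.android.vending
package:org.chromium.webapk.0f0f0f0f0f0f installer=null
package:com.example.sideloaded installer=null
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_PM_OUTPUT):
        print(f"{f.package}\tinstaller={f.installer}\t{f.reason}")
```

Run it against real output with `adb shell pm list packages -i | python3 triage_webapk.py` after swapping the sample for `sys.stdin.read()`; for each flagged package, pull the APK and inspect its manifest to learn which URL the shell wraps, then compare that against the bank's genuine domain.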
So far, ESET has seen this technique used primarily against banking clients in the Czech Republic, and to a lesser extent in Hungary and Georgia. The attacks used two different command and control infrastructures, indicating the technique is being used by two different threat groups.
“We expect more copycat apps to be created and distributed as it is difficult to distinguish legitimate apps from phishing apps once installed,” Osmani said.