A security researcher has discovered a phishing attack aimed at tricking iPhone users into installing a purported update for their banking app.
This attack works despite iOS protections, because what's actually “installed” is a Progressive Web App, which doesn't come with any App Store vetting or warnings…
Progressive Web Apps (PWAs)
Progressive Web Apps are essentially websites that look and act like apps. In fact, when the iPhone was first launched in 2007, PWAs were the only way third-party developers could launch their apps.
Apple co-founder Steve Jobs said about them at the time:
The iPhone has the complete Safari engine, so you can write amazing Web 2.0 and Ajax apps that look and behave exactly like they do on the iPhone, and they can be fully integrated with iPhone services – make phone calls, send email, find places on Google Maps, and more.
And lo and behold, there is no SDK required – as long as you know how to build apps using modern web standards and create great apps for today's iPhones, you have everything you need. Developers, we've got some great news for you – you can start building iPhone apps today!
Apple quickly realized that native iPhone apps offered a better experience, and the App Store was born a year later, but PWAs are still available today.
Phishing Attacks Using Fake Banking App Updates
Cybersecurity firm ESET has found that PWAs are being used to target both Android and iPhone users, with attacks coming via a variety of methods including text, ads on social media and voice calls.
The voice call is delivered by an automated voice call, warning the user about their outdated banking app and asking them to select an option on a numeric keyboard – pressing the correct button will send them a phishing URL via SMS. […]
On iOS, phishing websites instruct victims to add a Progressive Web Application (PWA) to their home screen, while on Android, the PWA is installed after confirming a custom popup in the browser. At this point, on both operating systems, these phishing apps are nearly indistinguishable from the real banking apps they imitate.
When the user logs into the fake app, the login details are captured and sent to the attacker.
iPhone owners may be particularly at risk, as many believe their devices are safe from malware.
For iOS users, an animated popup explains how to add the phishing PWA to their home screen. The popup copies the look of the native iOS prompt. After all, even iOS users are not warned about adding a potentially harmful app to their phone.
While the instances seen so far target users in the Czech Republic and Hungary, the same techniques could easily be used worldwide.
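One defensive check suggested by the above, as an added example that is not from the article or from ESET: a script that flags a web app manifest whose displayed name references a protected bank brand while its start_url resolves to an origin the bank does not own. The brand names, domains and manifest contents are constructed placeholders.

```python
import json
from urllib.parse import urljoin, urlparse

# Constructed allowlist (hypothetical): brand keyword -> origins the brand really owns.
PROTECTED_BRANDS = {
    "examplebank": {"https://www.examplebank.example"},
}


def manifest_origin(manifest: dict, manifest_url: str) -> str:
    """Resolve the manifest's start_url (which may be relative) to an origin."""
    start = urljoin(manifest_url, manifest.get("start_url", "/"))
    parts = urlparse(start)
    return f"{parts.scheme}://{parts.netloc}".lower()


def impersonated_brand(manifest: dict, manifest_url: str):
    """Return the protected brand this manifest appears to impersonate, or None.

    A PWA is flagged when its home-screen name or short_name mentions a
    protected brand but its start_url resolves to an origin outside the
    brand's allowlist, which is the look-alike pattern described above.
    """
    origin = manifest_origin(manifest, manifest_url)
    shown = " ".join(str(manifest.get(k, "")) for k in ("name", "short_name")).lower()
    for brand, origins in PROTECTED_BRANDS.items():
        if brand in shown and origin not in origins:
            return brand
    return None


# Constructed sample: a look-alike manifest served from a lure domain.
LURE_MANIFEST = json.loads("""{
  "name": "ExampleBank Mobile",
  "short_name": "ExampleBank",
  "start_url": "/app/",
  "display": "standalone"
}""")

# Constructed sample: the genuine manifest on the brand's own origin.
GENUINE_MANIFEST = {"name": "ExampleBank Mobile", "start_url": "https://www.examplebank.example/app"}

if __name__ == "__main__":
    print(impersonated_brand(LURE_MANIFEST, "https://update-examplebank.example/manifest.json"))
    print(impersonated_brand(GENUINE_MANIFEST, "https://www.examplebank.example/manifest.json"))
```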
How to protect yourself
Always be suspicious of any communication claiming to be from your bank, whether it's a text, email or voice call. Your safest bet is to hang up and call a known, authentic number from your bank (such as the number printed on your bank statement or payment card) to verify any information provided before taking any action.
Genuine updates for your banking app can be obtained by visiting the App Store.
Via Macworld. Image: Composite image from 9to5Mac using photo by Anton on Unsplash.