Description
Threat actors have started leveraging progressive web applications (PWAs) to impersonate banking apps and steal credentials from both Android and iOS users. These attacks allow hackers to bypass traditional app store security measures and install malicious software directly from the browser.
Details
Cybersecurity experts have observed that PWAs, which offer a native-like experience with features such as push notifications and background data syncing, are being used in phishing campaigns to impersonate banking apps. Because a PWA is installed from the browser rather than through an app store, these apps evade store review and gain access to sensitive device permissions without alerting the user.
The first recorded instance of this attack method was in July 2023 in Poland, with a subsequent campaign targeting Czech users later that year. ESET, a cybersecurity firm, is currently tracking two separate campaigns using this technique: one targeting OTP Bank in Hungary and another targeting TBC Bank in Georgia. The campaigns employ a variety of methods to reach their victims, including automated calls, smishing (SMS phishing), and malvertising on social media platforms like Facebook.
Once the victim clicks on the malicious link or ad, they are redirected to a fake Google Play or App Store page, depending on their device. Here, they are prompted to install a malicious PWA posing as a legitimate banking app. In some cases, on Android devices, the app is installed as a WebAPK, a native APK generated by the Chrome browser, which makes it nearly indistinguishable from a legitimate application.
These malicious PWAs not only mimic the appearance of official banking apps but also declare the Google Play Store as their software source. This level of sophistication allows attackers to gain trust and successfully harvest credentials from unsuspecting users.
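The "declares Google Play as its source" trick described above lives in the PWA's web app manifest: the standard `related_applications` field can list a Play Store package, and `display: standalone` hides the browser address bar once installed. The following defender-side checker, written as an added example and not part of this advisory or ESET's tooling, parses a manifest and flags brand impersonation. The sample manifest, the domain names, the brand allowlist and the package ids are constructed placeholders for illustration, not real indicators.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a web app manifest of the kind a malicious PWA might serve.
# The app name, paths and package id are made-up placeholders, not real IoCs.
SAMPLE_MANIFEST = json.dumps({
    "name": "Example Bank Mobile",
    "short_name": "ExampleBank",
    "start_url": "/login",
    "display": "standalone",
    "related_applications": [
        {"platform": "play", "id": "com.example.bank.official"}
    ],
    "prefer_related_applications": False,
})

# Hypothetical allowlist a bank's security team would maintain for its own brand:
# the web origins it actually serves from and the real Play package id of its app.
KNOWN_BRANDS = {
    "example bank": {
        "domains": {"examplebank.example", "www.examplebank.example"},
        "play_ids": {"com.examplebank.android"},
    },
}


def analyze_manifest(manifest_text, manifest_url):
    """Return a list of findings for a manifest fetched from manifest_url.

    An empty list means nothing suspicious was found for the brands tracked
    in KNOWN_BRANDS; the caller decides how to act on the findings.
    """
    findings = []
    try:
        m = json.loads(manifest_text)
    except json.JSONDecodeError as e:
        return [f"manifest is not valid JSON: {e}"]

    host = urlparse(manifest_url).hostname or ""
    name = (m.get("name") or m.get("short_name") or "").strip()
    brand = next((b for b in KNOWN_BRANDS if b in name.lower()), None)
    if brand is None:
        return findings  # not imitating a brand we track

    legit = KNOWN_BRANDS[brand]

    # 1. A tracked bank's name served from a host the bank does not own.
    if host not in legit["domains"]:
        findings.append(f"name '{name}' served from non-brand host '{host}'")

    # 2. An absolute start_url that points at a host outside the brand's domains.
    start_host = urlparse(m.get("start_url", "")).hostname
    if start_host and start_host not in legit["domains"]:
        findings.append(f"start_url host '{start_host}' is not a brand domain")

    # 3. Claims a Play Store origin via related_applications, but with a package
    #    id that is not the bank's real one (the "declare Google Play as source" trick).
    for app in m.get("related_applications", []):
        if app.get("platform") == "play" and app.get("id") not in legit["play_ids"]:
            findings.append(f"claims Play package '{app.get('id')}' not owned by brand")

    # 4. Aggravating factor: standalone/fullscreen display hides the URL bar, so a
    #    victim of the findings above never sees the real origin.
    if m.get("display") in ("standalone", "fullscreen") and findings:
        findings.append("standalone display mode hides the URL bar from the victim")

    return findings


if __name__ == "__main__":
    for f in analyze_manifest(SAMPLE_MANIFEST, "https://login-examplebank.example/manifest.json"):
        print("FINDING:", f)
```

In practice a brand-protection or URL-scanning pipeline would feed this function the `manifest.json` it retrieves from newly registered or reported domains; the checks themselves are deliberately simple string and set comparisons so they are easy to audit and extend with the institution's own domains and package ids.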
Indicators of Compromise (IoCs)
Organizations should monitor for the following indicators of compromise:
Remediation
To mitigate the risks associated with these malicious PWAs, organizations and users can:
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Hackers Steal Banking Credentials from iOS, Android Users via PWA Apps