New research shows that bank customers are being targeted by a new method of phishing attacks.
A report from ESET found that the attacks primarily targeted iPhone and Android users, tricking them into unknowingly downloading Progressive Web Applications (PWA) disguised as legitimate apps.
PWAs are websites designed to behave as a standalone application, seemingly verifying the image through the use of native system prompts. PWAs bypass the need for a user to authorize third-party installation, with iOS phishing sites posing as popular app landing pages and instructing victims to add the PWA to their home screen. Ultimately, the PWAs behaved like a regular mobile app, but by bypassing third-party installation authorization on Android, it led to the silent installation of the Android Package Kit (APK), which appeared to the user to have been installed via the Google Play Store.
Delivery Methods
The campaign used three different URL delivery mechanisms: voice calls, SMS delivery and malvertising. The campaign targeted customers in the Czech Republic, Hungary and Georgia.
Depending on the campaign, the Install/Update button initiated the download of a malicious application directly to the user’s phone, either in the form of a WebAPK (for Android devices) or a PWA. This bypassed the usual browser warnings about “installing unknown apps”.
The voice call would alert the victim to a supposedly outdated banking app and instruct the user to select a numbered option. Once they did, a phishing URL would be texted to them.
The SMS delivery sent messages containing the phishing link indiscriminately to Czech numbers, while the advertising campaign consisted of registered ads on Meta-platforms (such as Facebook and Instagram). The ads contained a call to action to coerce victims, such as a limited-time offer for those who ‘download an update below’.
Recent reports show similar threat actors using counterfeit versions of popular Android apps, using increasingly sophisticated methods. ESET expects to see copies of these applications appear in the future, so we recommend remaining vigilant. The best way to keep your data safe is to only download apps from legitimate sources and be wary of links sent by someone you don’t know.
