Growing Threat: Progressive Web Applications Used for Banking Phishing Scams
Security
8/20/2024, 2 min read


The Emergence of PWA Phishing
Cybercriminals are increasingly using Progressive Web Applications (PWAs) to run phishing campaigns that steal banking credentials from both Android and iOS users. The technique, which first came to light in July 2023, shows how a phishing page can sidestep the app-store review and sideloading warnings that normally stand between a user and a malicious app.
What Are Progressive Web Apps?
PWAs are web applications that the browser can install so they open and behave much like native apps. They get a home-screen icon, can run in a standalone window without browser chrome, support push notifications and background syncing, and have limited access to device hardware through browser APIs. Because the browser does the installing, a PWA works on any platform with a supporting browser and never passes through the official app stores.
The New Phishing Technique
Recent reports from the security firm ESET describe two phishing campaigns built on PWAs. They target customers of major financial institutions, including OTP Bank in Hungary and TBC Bank in Georgia. The operators avoided detection and the usual app-installation controls by relying on the install mechanisms of PWAs and, on Android, WebAPKs.
Infection Chain
Distribution Methods: Attackers deliver the malicious links through automated voice calls, SMS (smishing), and deceptive advertisements on social media platforms. The links lead to pages posing as urgent updates or security patches for the victim's banking app.
Installation Process: The victim lands on a page imitating Google Play or the App Store and is prompted to install the "app". On Android the result may be a WebAPK, an APK that Chrome generates from the site's web app manifest and installs through the browser, so the phishing app shows up in the app drawer like any other application. On iOS, where there is no WebAPK, the PWA is added to the home screen through the browser and gets an icon beside the real apps.
User Interaction: Once installed, the app copies the legitimate banking app's logo and login screen. Since a PWA is just the attacker's web page running in a standalone window, that "login screen" is a web form, and the credentials entered into it are sent straight to the attackers' command-and-control (C&C) servers.
Data Collection: The stolen data is collected through various C&C infrastructures, with some campaigns using Telegram bots for data logging. The attackers behind these campaigns appear to operate with distinct infrastructures, indicating multiple groups are exploiting this technique.
The Appeal of PWAs for Phishing
PWAs present several advantages for attackers:
Bypassing App Store Restrictions: PWAs and WebAPKs are installed by the browser, so there is no app-store review and no Android "install unknown apps" prompt; on Android a WebAPK even lands as a regular APK without the user ever enabling sideloading.
Native App Mimicry: With a copied name, icon and colour scheme, a PWA or WebAPK is hard to tell apart from the genuine app. Worse, in standalone display mode the address bar is hidden, so the one cue that would expose the phishing domain is never shown.
Dynamic Updates: The app's content is served from the attacker's web server, so the phishing pages can be changed at any time without user interaction or a new install.
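The fields that make mimicry possible all live in the web app manifest the browser installs from: name and short_name set the label under the icon, icons supplies the artwork, and display hides the address bar. The following added example, which is not part of the original article or of ESET's research, shows a small inspector that a brand-protection or SOC team could run over a fetched manifest to flag the indicators described above. The brand allowlist, the hostnames and both manifests are constructed for the example; a real deployment would load the allowlist from its own brand and threat-intelligence data.

```python
"""Inspect a web app manifest for banking-brand impersonation indicators."""
import json
from urllib.parse import urlparse

# Constructed allowlist (assumption for this example): brand token -> hosts that may
# legitimately serve a PWA for that brand. Not a real bank or real domains.
PROTECTED_BRANDS = {
    "examplebank": {"examplebank.example", "m.examplebank.example"},
}

# Display modes in which the installed app shows no address bar at all.
HIDDEN_URL_BAR = {"standalone", "fullscreen"}


def _normalise(text):
    """Lower-case and strip non-alphanumerics so 'Example Bank' matches 'examplebank'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def _host_allowed(host, allowed_hosts):
    """True if host is one of the allowed hosts or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def inspect_manifest(manifest_url, manifest):
    """Return a list of (severity, message) findings for one parsed manifest.

    manifest_url is the URL the manifest was fetched from; its host is the origin
    that would be installed. manifest is the decoded JSON object.
    """
    host = (urlparse(manifest_url).hostname or "").lower()
    findings = []
    declared = [manifest.get(k, "") for k in ("name", "short_name")]
    declared_norm = [_normalise(n) for n in declared if isinstance(n, str) and n]

    for brand, allowed in PROTECTED_BRANDS.items():
        if _host_allowed(host, allowed):
            continue  # served by the brand itself, nothing to flag
        # The label under the icon claims to be the bank, but the origin is not the bank's.
        if any(brand in n for n in declared_norm):
            findings.append(("high", f"manifest name {declared!r} impersonates '{brand}' "
                                     f"but is served from {host}"))
        # Brand string embedded in a lookalike hostname (typosquat or brand-in-subdomain).
        if brand in _normalise(host):
            findings.append(("high", f"host {host} embeds '{brand}' but is not an allowed host"))

    display = manifest.get("display", "browser")
    if display in HIDDEN_URL_BAR:
        findings.append(("info", f"display={display}: the user never sees the address bar"))

    # Icons pulled from another host are common for legitimate CDNs, so only low severity.
    for icon in manifest.get("icons", []):
        icon_host = urlparse(icon.get("src", "")).hostname
        if icon_host and icon_host.lower() != host:
            findings.append(("low", f"icon loaded from third-party host {icon_host}"))
    return findings


def is_suspicious(manifest_url, manifest):
    """Only impersonation findings count; a standalone display alone is normal."""
    return any(sev == "high" for sev, _ in inspect_manifest(manifest_url, manifest))


def inspect_manifest_text(manifest_url, text):
    """Parse raw manifest JSON; malformed input becomes a finding, not a crash."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("error", f"manifest is not valid JSON: {exc}")]
    if not isinstance(manifest, dict):
        return [("error", "manifest root is not a JSON object")]
    return inspect_manifest(manifest_url, manifest)


# Constructed sample: a phishing manifest on a lookalike host, mimicking the bank's label.
PHISHING_URL = "https://examplebank-update.evil-example.test/manifest.json"
PHISHING_MANIFEST = {
    "name": "ExampleBank Mobile",
    "short_name": "ExampleBank",
    "start_url": "/login",
    "display": "standalone",
    "icons": [{"src": "https://cdn.evil-example.test/icon.png", "sizes": "192x192",
               "type": "image/png"}],
}

# Constructed sample: the same manifest served by an allowed host.
LEGIT_URL = "https://m.examplebank.example/manifest.json"
LEGIT_MANIFEST = {"name": "ExampleBank", "start_url": "/", "display": "standalone"}

if __name__ == "__main__":
    for url, manifest in ((PHISHING_URL, PHISHING_MANIFEST), (LEGIT_URL, LEGIT_MANIFEST)):
        print(url, "suspicious" if is_suspicious(url, manifest) else "ok")
        for severity, message in inspect_manifest(url, manifest):
            print(f"  [{severity}] {message}")
```

The check deliberately treats a hidden address bar as informational: every legitimate installable banking app uses it too, so it only matters in combination with an origin that does not belong to the brand. Running the inspector on the constructed phishing sample yields two high-severity findings (brand name on a foreign origin, brand string in the hostname); the legitimate sample yields only the informational display note.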
Security Implications and Future Outlook
The abuse of PWAs and WebAPKs for phishing is a concerning development: the controls most users rely on, app-store review and sideloading warnings, are simply not in the path. As the technique spreads, users need to treat unsolicited messages with suspicion and verify any request to update or patch a banking app directly with the bank.
Security researchers are calling for broader awareness and for new defensive measures from Google and Apple, who control the install paths these campaigns abuse.
For users, the best defence remains a cautious approach to unfamiliar links and install prompts, installing banking apps only from the official stores, and keeping devices and browsers updated.
Stay tuned for further updates on this developing issue and proactive steps you can take to protect yourself from such sophisticated phishing attacks.