Banking customers are being targeted by a newly documented phishing technique, new research has found.
A report from ESET found that the attacks focus primarily on iPhone and Android users, tricking them into unknowingly installing Progressive Web Applications (PWAs) disguised as legitimate banking apps.
PWAs are websites packaged to behave like stand-alone applications, and because installation goes through the platform’s own native prompts rather than a visible file download, the fake app looks legitimate to the user. On iOS, phishing sites posing as an app’s official landing page directed victims to add the PWA to their home screen, which requires no permission to install third-party software. On Android, the same lure led to the silent installation of a WebAPK, an Android package (APK) generated from the PWA, which sidesteps the authorisation normally required for third-party installs and appeared to the user to have been installed from the Google Play Store. In both cases the result behaved like an ordinary mobile app.
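To make the “website packaged as an app” point concrete: a PWA is defined by its web app manifest, the JSON file that gives the installed app its name, icon and display mode, which is exactly what a lure site copies from the real bank. The script below is an added example (not ESET’s code or anything from the report) that triages a manifest for the indicators relevant to this campaign: an app-like display mode, a watched brand name served from the wrong host, and a start_url or icons pulled from another origin. The watchlist, host names and both sample manifests are constructed for illustration.

```python
"""Triage a web app manifest for PWA-phishing indicators.

Added example, not ESET's tooling. The watchlist and the two sample
manifests are constructed for illustration and use reserved/example hosts.
"""
import json
from urllib.parse import urljoin, urlparse

# Hypothetical watchlist: brand string (lower-case) -> host that may
# legitimately serve a PWA under that name.
WATCHLIST = {"example bank": "bank.example"}

# Constructed sample: a lure site serving a manifest that imitates the bank.
PHISH_MANIFEST_URL = "https://example-bank-update.invalid/manifest.json"
PHISH_MANIFEST = json.dumps({
    "name": "Example Bank",
    "short_name": "Example Bank",
    "start_url": "/login",
    "display": "standalone",
    "icons": [{"src": "https://cdn.bank.example/icon-512.png",
               "sizes": "512x512", "type": "image/png"}],
})

# Constructed sample: the bank's own manifest, served from its own host.
LEGIT_MANIFEST_URL = "https://bank.example/manifest.json"
LEGIT_MANIFEST = json.dumps({
    "name": "Example Bank",
    "short_name": "Example Bank",
    "start_url": "/app",
    "display": "standalone",
    "icons": [{"src": "/icon-512.png", "sizes": "512x512", "type": "image/png"}],
})


def _host(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def triage_manifest(manifest_url: str, manifest_json: str,
                    watchlist: dict[str, str] = WATCHLIST) -> list[str]:
    """Return human-readable findings for a manifest fetched from manifest_url."""
    m = json.loads(manifest_json)
    host = _host(manifest_url)
    findings: list[str] = []

    # 1. Display mode: standalone/fullscreen hide the address bar, so the user
    #    never sees which site the "app" is really loading.
    display = m.get("display", "browser")
    if display in ("standalone", "fullscreen", "minimal-ui"):
        findings.append(f"display={display}: installs app-like, hiding the address bar")

    # 2. Brand impersonation: a watched brand name served from a host that is
    #    neither the brand's own host nor a subdomain of it.
    names = " ".join(str(m.get(k, "")) for k in ("name", "short_name")).lower()
    for brand, legit_host in watchlist.items():
        same_site = host == legit_host or host.endswith("." + legit_host)
        if brand in names and not same_site:
            findings.append(f"name impersonates {brand!r} but manifest is served from {host}")

    # 3. start_url resolving to a different host than the manifest itself.
    start = urljoin(manifest_url, str(m.get("start_url", "/")))
    if _host(start) != host:
        findings.append(f"start_url resolves off-origin: {start}")

    # 4. Icons pulled from another host (brand assets hotlinked to look authentic).
    for icon in m.get("icons", []):
        src = urljoin(manifest_url, str(icon.get("src", "")))
        if _host(src) and _host(src) != host:
            findings.append(f"icon loaded from third-party host {_host(src)}")

    return findings


if __name__ == "__main__":
    for url, body in ((PHISH_MANIFEST_URL, PHISH_MANIFEST),
                      (LEGIT_MANIFEST_URL, LEGIT_MANIFEST)):
        print(url)
        for finding in triage_manifest(url, body) or ["no findings"]:
            print("  -", finding)
```

Run against the constructed lure manifest this reports three findings (app-like display, brand name on the wrong host, icon hotlinked from the bank’s CDN); the bank’s own manifest only triggers the display note, which is expected for any genuine PWA and is informational rather than a verdict. In practice you would feed it manifests pulled from URLs seen in SMS or ad telemetry and keep the watchlist to the brands you defend.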
Delivery methods
The campaign used three URL delivery mechanisms, voice calls, SMS, and malvertising, and targeted customers in the Czech Republic, Hungary, and Georgia.
Depending on the campaign, the install/update button on the phishing page downloaded a malicious application directly onto the user’s phone, either as a WebAPK (on Android) or as a PWA. Because the install went through the browser’s own PWA flow rather than a sideloaded package, it bypassed the usual “installing unknown apps” warnings.
The voice call warned the victim about a supposedly out-of-date banking app and instructed them to select a numbered option; once they did, a phishing URL was sent to them by SMS.
The SMS campaign sent messages containing the phishing link indiscriminately to Czech numbers, while the advertising campaign consisted of adverts registered on Meta platforms (such as Facebook and Instagram). The ads carried a call to action designed to pressure victims, such as a limited-time offer for those who ‘download an update below’.
Recent reports show similar threat actors using falsified versions of popular Android apps, with increasingly sophisticated methods. ESET expects to see copycats of these applications, so we recommend staying vigilant. The best way to keep your data safe is to install apps only from legitimate sources and to be wary of links sent by anyone you don’t know. Bear in mind that a WebAPK can appear to have been installed from Google Play, so the safer habit is to open the Play Store or App Store app yourself and install or update your banking app from there, rather than following an ‘update’ link received by call, text, or advert.