Mobile devices with internet connectivity are in the hands of millions of people around the world. So, they are a tempting target for attacks from malicious third parties. Both OS developers and device manufacturers are working together to make the mobile ecosystem ever more secure, but potential attackers are working at the same pace. Now, a newly discovered phishing method could cause huge financial losses to Android and iOS users alike.
Attackers try alternative methods in the face of increased security measures
Successful phishing based on downloading malicious apps has become increasingly difficult. On iOS, Apple enforces strict control over the App Store, although some particular cases can slip through the cracks. On Android, which allows easy installation of apps from outside the Play Store, browsers integrate multiple warnings and protections before the file is even downloaded. Plus, the Play Store features constant monitoring against malicious apps.
However, it seems that attackers have realized this and are trying a new approach. As discovered by ESET Research, a new phishing method is exploiting Progressive Web Apps (PWA). If you’re not aware, a PWA is a web app with access to native app features. For example, it can use native system prompts or notifications. This, coupled with the fact that its installation is much more permissive, makes it an attractive attack method.
New phishing method exploits Progressive Web Apps on Android and iOS
If you’ve ever added a web app from a website to your phone’s home screen, you’ll know that there are no prior security checks. Something similar (albeit a bit more complex) happens when installing a PWA. Because they’re basically web apps, they don’t go through the security checks designed for traditional apps. On Android, you don’t even have to grant your browser permission to install apps. Plus, since a PWA runs on a browser framework (like WebView on Android or WebKit on iOS), the technique is effective on any mobile OS.
A PWA can be indistinguishable from a native app or from an App Store/Play Store page. Now, according to ESET Research’s findings, a PWA-based phishing campaign has been targeting banks and customers in Czechia. Some cases have also been detected in Hungary and Georgia.
ESET researcher Jakub Osmani provided more specific details about the phishing campaign. The report indicates that attackers are looking to get users to install a PWA that imitates their bank’s app. If they succeed and users enter their credentials, attackers could gain access to their accounts. While banks usually have additional security barriers in place, the hardest part for attackers is typically obtaining their victims’ login credentials. This method would make that task much easier.
Phishing campaign powered by three main mechanisms
The research revealed that the phishing campaign relies on three main mechanisms: automated voice calls, SMS messages, and social media malvertising. The voice calls try to trick users by warning them about an “outdated banking app.” After pressing the requested button on the dialer, the user receives a phishing URL via SMS. The URL directs them to a site that tries to convince them to install the PWA on their device’s home screen. The PWA is disguised as the native app of the victim’s bank.
On the other hand, social media malvertising bypasses the two previous mechanisms by including direct links to malicious sites that seek to trick the user. The fraudulent ads were detected on Meta social platforms, such as Facebook and Instagram. So, they probably had a notable reach.
The ESET Research team sent the results of their investigation to the targeted banks. Now it is up to them to warn their clients and act accordingly. The team also helped take down “multiple phishing domains and C&C servers.” If you want to avoid the risk of financial losses from new phishing methods, always check that you are using your bank’s native app, and avoid opening links that invite you to download apps or updates, both on Android and iOS.
2024-08-20 15:07:29