New Phishing Technique Bypasses Security on iOS and Android to Steal Bank Credentials


Anti-malware vendor ESET is warning of a new phishing tactic targeting iOS and Android users with web applications mimicking legitimate banking software to bypass security protections and steal login credentials.

On both iOS and Android platforms, ESET warns that cybercriminals used Progressive Web Applications (PWA), which are websites bundled to look like stand-alone applications, while on Android they also used WebAPKs, which appear to be installed from Google Play.

Built using web application technologies, PWAs can run on various platforms and device types, and do not require the user to allow third-party app installation.

As part of the observed attacks, iOS users were instructed to add the PWA to home screens, while Android users had to confirm certain custom pop-ups in the browser before the application was installed.

WebAPKs, which can be considered upgraded PWAs, appear like regular native apps and their installation does not trigger any warnings on Android devices, even if the user has not allowed installation from third-party sources. Further, the apps’ information tabs would claim the apps were downloaded from Google Play.
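Because a WebAPK shows up as an ordinary app and, as described above, can claim to have come from Google Play, the practical defensive check is an inventory of which installed packages are in fact WebAPKs, so each one can be verified against the bank's real web origin. The following script is an added example, not ESET's tooling or code from the article; it assumes the device is reachable over `adb` and relies on the package-name prefix `org.chromium.webapk.` that Chrome uses for the WebAPKs it mints from a site's web app manifest. The sample `pm list packages -i` output is constructed, including the hash-like package suffixes, and the `org.chromium.webapk` ones do not correspond to any real app.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Package-name prefix Chrome uses for the WebAPKs it mints from a site's
# web app manifest; the suffix is a hash derived from the manifest.
WEBAPK_PREFIX = "org.chromium.webapk."

# One line of `adb shell pm list packages -i` output, e.g.
#   package:com.android.chrome  installer=com.android.vending
PM_LINE = re.compile(r"^package:(?P<name>\S+)\s+installer=(?P<installer>\S+)\s*$")


@dataclass
class InstalledPackage:
    name: str
    installer: Optional[str]  # None when pm reports "installer=null"


def parse_pm_list(output: str) -> List[InstalledPackage]:
    """Parse `pm list packages -i` output into InstalledPackage records."""
    packages = []
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if not m:
            continue  # blank line or a line in a format we do not recognise
        installer = m.group("installer")
        packages.append(
            InstalledPackage(m.group("name"), None if installer == "null" else installer)
        )
    return packages


def find_webapks(output: str) -> List[InstalledPackage]:
    """Return every Chrome-minted WebAPK in the package list.

    Selection is by package-name prefix only. The installer field is
    deliberately not used as a signal: as the article notes, a WebAPK's
    info tab can claim it came from Google Play, so "installed by Play"
    says nothing about the web origin the app actually wraps.
    """
    return [p for p in parse_pm_list(output) if p.name.startswith(WEBAPK_PREFIX)]


def triage_report(output: str) -> List[str]:
    """One line per WebAPK for a responder to verify against the bank's real origin."""
    return [
        f"{p.name} (installer: {p.installer or 'none'}): verify the site this WebAPK wraps"
        for p in find_webapks(output)
    ]


# Constructed sample of `pm list packages -i` output, not captured from a real device.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:org.chromium.webapk.a1b2c3d4e5f60718  installer=com.android.vending
package:com.example.realbank  installer=com.android.vending
package:org.chromium.webapk.9f8e7d6c5b4a3210  installer=com.android.chrome
package:com.android.settings  installer=null
"""

if __name__ == "__main__":
    # On a real device replace SAMPLE_PM_OUTPUT with the output of:
    #   adb shell pm list packages -i
    for line in triage_report(SAMPLE_PM_OUTPUT):
        print(line)
```

The script only inventories Chrome WebAPKs; a PWA added to the home screen on iOS, or a plain PWA on Android, leaves no package behind and has to be checked from the browser's own list of installed web apps instead. Either way the decisive question is the same one the article raises: whether the origin behind the app is the bank's real domain or a look-alike site.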

The threat actors behind the phishing campaigns combined automated voice calls, social media malvertising, and SMS messages to distribute links to the third-party websites hosting the fraudulent applications.

Opening the phishing link led to a page imitating the official Google Play/Apple App Store listing or the official website of the targeted banking application. The user was then prompted to install a new version of the banking application, leading to the installation of the malicious program without any security warning being displayed on the device.

Once the phishing PWA or WebAPK has been installed, its icon would be added to the user’s home screen and opening it would lead directly to a phishing login page.


“After installation, victims are prompted to submit their internet banking credentials to access their account via the new mobile banking app. All submitted information is sent to the attackers’ C&C servers,” ESET said in a note documenting the discovery.

According to ESET, the phishing attacks likely started around November 2023, with the command-and-control (C&C) servers collecting the information becoming operational in March 2024. In some cases, a Telegram bot was used to collect the users’ information.

The attacks were mainly focused on mobile banking users in the Czech Republic, but attacks targeting users in Hungary and Georgia were also observed.

Based on the discovered C&C infrastructure, ESET believes that two different threat actors have been using the new tactic in their phishing attacks. Furthermore, the cybersecurity firm warns that the attackers might expand their arsenal with more copycat applications, as they are difficult to distinguish from the legitimate ones.
