New Phishing Method Targets Banking Customers on Android and iPhone
A sophisticated phishing technique has recently emerged, predominantly targeting banking customers who use iPhone and Android devices. Cybersecurity firm ESET's research reveals that this new method involves convincing users to unknowingly download Progressive Web Applications (PWA) disguised as legitimate apps.
How the Attack Works
PWAs are essentially websites that function like stand-alone applications. They can trick users by mimicking an authentic app’s appearance through native system prompts. The technique exploits the fact that installing a PWA does not trigger the permission prompt that third-party app installations normally require. On iOS, the phishing websites pose as app landing pages and direct victims to add the PWA to their home screen. On Android, the PWAs operate like regular apps but bypass the need for third-party app authorization, silently installing a Web Android Package Kit (WebAPK) that appears to originate from the Google Play Store.
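A defender who pulls a suspicious page's web-app manifest can check it for the impersonation signals described above. The following is an added example written for this article, not code from ESET or from the report it summarizes; the brand allow list, the domain names and the sample manifest are constructed placeholders, and the three heuristics (brand name on a foreign origin, off-origin assets, and a display mode that hides the URL bar) are this example's own assumptions about what is worth a look.

```python
"""Triage a PWA web-app manifest for bank-impersonation signals.

Added example for illustration; the brand list, hosts and manifest
below are constructed, not taken from any real campaign.
"""
import json
from urllib.parse import urljoin, urlparse

# Constructed allow list: the brand name a bank's genuine PWA manifest
# would carry, and the domains allowed to serve it. "examplebank" and
# "examplebank.example" are placeholders, not real entities.
KNOWN_BRANDS = {
    "examplebank": {"examplebank.example"},
}


def _host_of(url, served_from):
    """Host of a manifest URL, resolving relative URLs against the serving page."""
    return urlparse(urljoin(served_from, url)).netloc.lower()


def _on_allowed_domain(host, domains):
    """True when host is one of the allowed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_manifest(manifest_json, served_from):
    """Return a list of human-readable findings; an empty list means no signal."""
    m = json.loads(manifest_json)
    page_host = urlparse(served_from).netloc.lower()
    findings = []

    # 1. A known brand in the app name while the serving origin is not
    #    one of that brand's own domains.
    shown_name = (str(m.get("name", "")) + " " + str(m.get("short_name", "")))
    shown_name = shown_name.lower().replace(" ", "")
    for brand, domains in KNOWN_BRANDS.items():
        if brand in shown_name and not _on_allowed_domain(page_host, domains):
            findings.append(f"name claims '{brand}' but manifest served from {page_host}")

    # 2. start_url or icons resolving to another host (assumed signal: a
    #    genuine PWA normally serves its own assets from its own origin).
    if "start_url" in m:
        h = _host_of(m["start_url"], served_from)
        if h != page_host:
            findings.append(f"start_url resolves off-origin to {h}")
    for icon in m.get("icons", []):
        h = _host_of(icon.get("src", ""), served_from)
        if h != page_host:
            findings.append(f"icon loaded from other host {h}")

    # 3. A display mode that hides the browser UI. Harmless on its own, so it
    #    is only reported when another signal is already present.
    if m.get("display") in ("standalone", "fullscreen") and findings:
        findings.append(f"display={m['display']}: renders without a URL bar")
    return findings


# Constructed sample manifest: carries the placeholder bank's name and
# pulls its icon from the placeholder bank's real domain.
SUSPECT_MANIFEST = json.dumps({
    "name": "Example Bank",
    "short_name": "ExampleBank",
    "start_url": "/login",
    "display": "standalone",
    "icons": [{"src": "https://examplebank.example/icon.png", "sizes": "192x192"}],
})

if __name__ == "__main__":
    for origin in ("https://update-examplebank.example-cdn.test/",
                   "https://examplebank.example/app/manifest.json"):
        print(origin)
        for line in triage_manifest(SUSPECT_MANIFEST, origin) or ["  (no findings)"]:
            print("  -", line)
```

Run against the constructed manifest, the copy served from the look-alike host yields three findings (brand on a foreign origin, off-origin icon, standalone display), while the same manifest served from the brand's own domain yields none; the allow list is what turns a generic "looks like a bank app" observation into an actionable mismatch.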
Methods of Delivery
The phishing campaigns employed three main delivery mechanisms: voice calls, SMS, and malvertising. Victims across the Czech Republic, Hungary, and Georgia were targeted. During the voice call campaigns, recipients were falsely alerted about an outdated banking app, prompting them to select a numbered option, which would then send a phishing URL via text message.
SMS delivery indiscriminately sent phishing links to numerous Czech numbers. Meanwhile, malvertising utilized Meta platforms like Facebook and Instagram, where registered ads included calls to action for users to download fake updates. Once the victims clicked these links, they were directed to download either a WebAPK or a PWA, bypassing typical browser warnings about unknown app installations.
The Risk and Recommendation
This phishing approach, first identified by CSIRT KNF—a computer security incident response team for Poland’s financial sector—in July 2023, highlights an escalating threat. ESET warns that the use of fake versions of popular Android apps is on the rise and expects further copycat attempts. Hence, safeguarding personal data relies on downloading apps solely from reputable sources and being cautious with unfamiliar links.
The discovery points to the growing sophistication of phishing methods, with the ability of PWAs to imitate genuine app experiences creating significant risks for unsuspecting users.