Cybercriminals Exploit PWA Apps to Steal Banking Credentials from iOS and Android Users


Cybercriminals have adopted a sophisticated new tactic that uses Progressive Web Applications (PWAs) to impersonate legitimate banking apps, enabling them to steal credentials from iOS and Android users. These PWAs, which are cross-platform web applications that mimic native apps, allow attackers to bypass security restrictions, evade detection, and gain access to sensitive device permissions without triggering standard warnings. This emerging threat is particularly concerning as it leverages the flexibility and reach of PWAs to conduct phishing attacks across multiple platforms.

Recent reports from cybersecurity experts, including ESET, indicate that phishing campaigns utilizing PWAs and WebAPKs (for Android) began targeting mobile banking users in July 2023. The campaigns have since expanded to focus on users in countries like the Czech Republic, Hungary, and Georgia. Threat actors deploy a wide range of tactics, including smishing (SMS phishing), automated calls, and malicious advertisements, to distribute links that lead to fake banking app updates. Once the user installs the PWA, it appears as a legitimate app icon on their home screen, ultimately leading them to a phishing login page that captures their banking credentials.

Here’s a breakdown of the phishing attack process:

  • Phishing Setup: Attackers set up fake websites mimicking official app stores or banking sites.
  • User Redirection: Victims are directed to these fake sites, usually through phishing emails or ads.
  • PWA Installation: On Android, the site silently installs a WebAPK. On iOS, users are prompted to add a PWA to their home screen.
  • Credential Theft: The fake app imitates a legitimate banking app to collect sensitive login credentials.

The flexibility of PWAs is a major draw for cybercriminals. These apps can be installed directly from the browser, bypassing app store restrictions and allowing attackers to update or modify the apps dynamically. Additionally, PWAs can mimic native apps so convincingly that users may have little reason to suspect foul play. The phishing apps often disguise themselves as official apps by replicating branding elements, such as logos and interfaces, and even claim to be downloaded from official sources like Google Play or the Apple Store.
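A defender-side check for the impersonation described above, as an added example that is not from the ESET reporting or the original article: it flags a web app manifest whose name claims a bank brand while the manifest or its start_url sits on a host outside that bank's allowlist. The brand list, hostnames and sample manifest are constructed placeholders.

```javascript
// Added example: triage a web app manifest for bank-brand impersonation.
// BRANDS (keywords and hosts) is a constructed allowlist, not data from the reports.
const BRANDS = [
  { label: "Example Bank", keywords: ["examplebank", "example bank"], hosts: ["examplebank.example"] },
];

// Lowercase and strip accents so "Exámple Bank" still matches "example bank".
function normalize(text) {
  return String(text || "").normalize("NFKD").replace(/[\u0300-\u036f]/g, "").toLowerCase();
}

// True when host is an allowlisted host or a subdomain of one.
function hostAllowed(host, allowed) {
  return allowed.some((h) => host === h || host.endsWith("." + h));
}

// manifest: parsed manifest JSON; manifestUrl: URL the manifest was fetched from.
function assessManifest(manifest, manifestUrl) {
  const findings = [];
  const servedFrom = new URL(manifestUrl);
  // start_url is resolved relative to the manifest URL, as browsers do.
  const start = new URL(manifest.start_url || ".", servedFrom);
  const names = [manifest.name, manifest.short_name].map(normalize);
  for (const brand of BRANDS) {
    const claimsBrand = names.some((n) => brand.keywords.some((k) => n.includes(k)));
    if (!claimsBrand) continue;
    for (const [field, url] of [["manifest", servedFrom], ["start_url", start]]) {
      if (!hostAllowed(url.hostname, brand.hosts)) {
        findings.push(`${field} host ${url.hostname} is not an official ${brand.label} host`);
      }
    }
    if (servedFrom.protocol !== "https:") findings.push("manifest not served over HTTPS");
  }
  // standalone/fullscreen hide the address bar, removing the user's main cue.
  const hidesUrlBar = ["standalone", "fullscreen"].includes(manifest.display);
  return { suspicious: findings.length > 0, hidesUrlBar, findings };
}

// Constructed sample: brand name in the manifest, served from an unrelated host.
const sample = { name: "Example Bank", short_name: "ExampleBank", start_url: "/login", display: "standalone" };
console.log(assessManifest(sample, "https://update-app.invalid/manifest.json"));
```

A brand-protection or mobile-threat team could run a check like this over manifests collected from reported smishing links, keeping the allowlist limited to hosts the bank actually controls.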

The use of PWAs in phishing attacks represents a significant shift in the threat landscape that cybersecurity companies and organizations must address. These attacks demonstrate the potential for large-scale credential theft through seemingly legitimate apps that evade traditional detection methods. As more cybercriminals recognize the benefits of exploiting PWAs, the cybersecurity community anticipates that this trend will continue to grow.

For users and organizations alike, it is critical to adopt robust cybersecurity practices, including regular assessments by cybersecurity consultants and implementing advanced threat detection solutions. As these threats evolve, staying informed is key to mitigating the risks associated with this emerging tactic in the world of mobile banking and beyond.