Mobile users in the Czech Republic are the target of a novel phishing campaign that leverages a Progressive Web Application (PWA) in an attempt to steal their banking account credentials.
The attacks have targeted the Czech-based Československá obchodní banka (CSOB), as well as the Hungarian OTP Bank and the Georgian TBC Bank, according to Slovak cybersecurity company ESET.
“The phishing websites targeting iOS instruct victims to add a Progressive Web Application (PWA) to their home-screens, while on Android the PWA is installed after confirming custom pop-ups in the browser,” security researcher Jakub Osmani said.
“At this point, on both operating systems, these phishing apps are largely indistinguishable from the real banking apps that they mimic.”
What’s notable about this tactic is that users are deceived into installing a PWA, or even WebAPKs in some cases on Android, from a third-party site without having to specifically allow side loading.
An analysis of the command-and-control (C2) servers used and the backend infrastructure reveals that two different threat actors are behind the campaigns.
These websites are distributed via automated voice calls, SMS messages, and social media malvertising via Facebook and Instagram. The voice calls warn users about an out-of-date banking app and ask them to select a numerical option, following which the phishing URL is sent.
Users who end up clicking on the link are displayed a lookalike page that mimics the Google Play Store listing for the targeted banking app, or a copycat site for the application, ultimately leading to the “installation” of the PWA or WebAPK app under the guise of an app update.
“This crucial installation step bypasses traditional browser warnings of ‘installing unknown apps’: this is the default behavior of Chrome’s WebAPK technology, which is abused by the attackers,” Osmani explained. “Furthermore, installing a WebAPK does not produce any of the ‘installation from an untrusted source’ warnings.”
For those who are on Apple iOS devices, instructions are provided to add the bogus PWA app to the Home Screen. The end goal of the campaign is to capture the banking credentials entered on the app and exfiltrate them to an attacker-controlled C2 server or a Telegram group chat.
ESET said it recorded the first phishing-via-PWA instance in early November 2023, with subsequent waves detected in March and May 2024.
The disclosure comes as cybersecurity researchers have uncovered a new variant of the Gigabud Android trojan that’s spread via phishing websites mimicking the Google Play Store or sites impersonating various banks or governmental entities.
“The malware has various capabilities such as the collection of data about the infected device, exfiltration of banking credentials, collection of screen recordings, etc.,” Broadcom-owned Symantec said.
It also follows Silent Push’s discovery of 24 different control panels for a variety of Android banking trojans such as ERMAC, BlackRock, Hook, Loot, and Pegasus (not to be confused with NSO Group’s spyware of the same name) that are operated by a threat actor named DukeEugene.
