Czech mobile users targeted in new bank data fraud

August 20, 2024 | Ravie Lakshmanan | Mobile security / Bank fraud

Mobile users in the Czech Republic have been targeted by a new phishing campaign that uses a Progressive Web Application (PWA) to steal their bank account credentials.

According to Slovak cybersecurity company ESET, the attacks targeted the Czech Republic-based Československá obchodní banka (CSOB), as well as the Hungarian OTP Bank and the Georgian TBC Bank.

“The phishing websites targeting iOS ask victims to add a Progressive Web Application (PWA) to their home screen, while on Android the PWA is installed after confirming custom popups in the browser,” said security researcher Jakub Osmani.

“At this point, these phishing apps on both operating systems are virtually indistinguishable from the real banking apps they mimic.”

What is notable about this tactic is that it tricks users into installing a PWA, or in some cases even a WebAPK (Chrome's mechanism for packaging a PWA into a native-looking Android app), from a third-party site, without the user ever having to explicitly enable sideloading.

Analysis of the command-and-control (C2) servers and backend infrastructure used reveals two different threat actors behind the campaigns.

These websites are distributed via automated voice calls, text messages, and social media malvertising via Facebook and Instagram. The voice calls alert users to an outdated banking app and ask them to select a numeric option, after which the phishing URL is sent.

Users who click on the link are presented with a page that looks like the Google Play Store listing for the intended banking app, or a fake site for the application. This ultimately leads to the ‘installation’ of the PWA or WebAPK app under the guise of an app update.

“This crucial installation step bypasses traditional browser warnings about ‘installing unknown apps’, which is the default behavior of Chrome’s WebAPK technology, which is abused by attackers,” Osmani explained. “Furthermore, installing a WebAPK does not produce any of the ‘installation from untrusted source’ warnings.”

For those using Apple iOS devices, instructions are provided to add the fake PWA app to their home screen. The ultimate goal of the campaign is to capture banking credentials entered into the app and exfiltrate them to an attacker-controlled C2 server or a Telegram group chat.

ESET reported that the first instance of PWA phishing was recorded in early November 2023, with further attacks occurring in March and May 2024.

The revelation comes after cybersecurity researchers discovered a new variant of the Gigabud Android trojan that is being distributed via phishing websites that mimic the Google Play Store or sites posing as various banks or government agencies.

“The malware has various capabilities such as collecting data about the infected device, stealing banking credentials, collecting screen captures, and so on,” said Symantec, owned by Broadcom.

It also follows Silent Push’s discovery of 24 different control panels for various Android banking trojans including ERMAC, BlackRock, Hook, Loot and Pegasus (not to be confused with NSO Group’s spyware of the same name). These are operated by a malicious actor called DukeEugene.