
Phishing attacks target mobile users via progressive web applications (PWA)

Pierluigi Paganini
August 23, 2024

Cybercriminals are using progressive web applications (PWA) to masquerade as banking apps and steal mobile users’ credentials.

ESET researchers have described a phishing campaign targeting mobile users that exploited Progressive Web Applications (PWAs). The threat actors used fake apps that were nearly indistinguishable from genuine banking apps on both iOS and Android. The technique was first disclosed in Poland in July 2023, and later observed in the Czech Republic and other countries such as Hungary and Georgia.

The campaign leveraged progressive web applications to impersonate banking apps and steal credentials from Android and iOS users.

A progressive web app (PWA) is an application built with web platform technologies (HTML, JavaScript and a web app manifest) that delivers a user experience similar to that of a platform-specific app: it is added to the home screen with its own icon and name and runs without the browser's address bar, so the user never sees the origin it is served from.

The technique allows for the installation of a phishing application from a third-party website without the user having to enable the installation of third-party apps. For iOS users, this undermines the usual security assumptions of the “walled garden” approach. On Android, it can lead to the silent installation of an APK that appears to be from the Google Play Store, further misleading the user.

Phishing websites targeting iOS instruct victims to add a Progressive Web Application (PWA) to their home screens, while on Android the PWA is installed after confirming custom popups in the browser. The technique was first disclosed in Poland in July 2023 and later observed in the Czech Republic by ESET researchers, with additional cases targeting banks in Hungary and Georgia.
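The installed PWA's look and feel come almost entirely from its web app manifest (name, icons, display mode, start URL); Chrome's WebAPK mechanism mints an APK from the same file. The following is an added example, not code from ESET or from this article, showing what a defender can check in a manifest: whether a protected bank brand is claimed by an origin that is not approved to serve it, whether the display mode hides the address bar, and whether icons are pulled from a foreign origin. The brand allow-list, the `.test` hostnames and both manifests are constructed for the example.

```python
"""Triage helper for PWA web app manifests (added example, not from the article).

A page installs a PWA through <link rel="manifest">; the manifest decides the name,
icon and display mode the victim sees on the home screen. Assumption (hypothetical):
the defender keeps a list of protected bank brands and the origins allowed to serve
their apps. All sample data below is constructed.
"""
import json
from urllib.parse import urljoin, urlparse

# Hypothetical allow-list: brand keyword -> origins allowed to serve that brand's PWA
PROTECTED_BRANDS = {
    "examplebank": {"https://app.examplebank.test"},
}


def _origin(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def manifest_origin(manifest: dict, manifest_url: str) -> str:
    """Origin of start_url, resolved relative to the manifest URL as browsers do."""
    return _origin(urljoin(manifest_url, manifest.get("start_url", ".")))


def triage_manifest(manifest_json: str, manifest_url: str) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings: list[str] = []
    m = json.loads(manifest_json)
    origin = manifest_origin(m, manifest_url)

    # Brand claimed in name/short_name but served from an origin not on the allow-list
    names = " ".join(str(m.get(k, "")) for k in ("name", "short_name")).lower()
    for brand, allowed in PROTECTED_BRANDS.items():
        if brand in names.replace(" ", "") and origin not in allowed:
            findings.append(f"brand '{brand}' claimed by unapproved origin {origin}")

    # standalone/fullscreen hides the URL bar; combined with a brand mismatch the
    # victim has no visible cue that this is not the bank's own app
    if findings and m.get("display") in ("standalone", "fullscreen"):
        findings.append(f"display mode '{m['display']}' hides the address bar")

    # Icons hosted somewhere other than the app's own origin (weak signal on its own)
    for icon in m.get("icons", []):
        icon_origin = _origin(urljoin(manifest_url, icon.get("src", "")))
        if icon_origin != origin:
            findings.append(f"icon served from foreign origin {icon_origin}")
    return findings


# Constructed sample 1: the bank's own manifest served from an approved origin
LEGIT_MANIFEST_URL = "https://app.examplebank.test/manifest.json"
LEGIT_MANIFEST_JSON = json.dumps({
    "name": "Example Bank", "short_name": "ExampleBank",
    "start_url": "/", "display": "standalone",
    "icons": [{"src": "/icon.png", "sizes": "192x192"}],
})

# Constructed sample 2: a look-alike manifest served from an unrelated origin
PHISH_MANIFEST_URL = "https://play-update.attacker.test/manifest.json"
PHISH_MANIFEST_JSON = json.dumps({
    "name": "Example Bank - new version", "short_name": "ExampleBank",
    "start_url": "/login", "display": "standalone",
    "icons": [{"src": "https://cdn.attacker.test/icon.png", "sizes": "192x192"}],
})


if __name__ == "__main__":
    for url, body in ((LEGIT_MANIFEST_URL, LEGIT_MANIFEST_JSON),
                      (PHISH_MANIFEST_URL, PHISH_MANIFEST_JSON)):
        print(url)
        for f in triage_manifest(body, url) or ["no findings"]:
            print("  -", f)
```

The origin check is the one that matters: a manifest's `name` and `icons` can say anything, but `start_url` must resolve to the origin actually serving the page, which is what a phishing PWA cannot hide from a crawler or proxy log even though the installed app hides it from the user.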

“Insidiously, installing a PWA/WebAPK application does not warn the victim about installing a third-party application. On Android, these phishing WebAPKs even appear to be installed from the Google Play Store,” reads the report published by ESET. “Most of the observed applications were aimed at customers of Czech banks, but we also saw a phishing app targeting a Hungarian bank and another one targeting a Georgian bank.”

Analysis of the C2 servers and backend infrastructure used in these attacks revealed that the campaigns were executed by two different threat actors.

The phishing campaigns observed by ESET targeted mobile users via three different URL delivery methods: automated voice calls, SMS messages, and social media malvertising. The automated calls warned users about outdated banking apps and sent a phishing URL via SMS after users followed the prompts. SMS campaigns randomly sent phishing links to Czech phone numbers. Social media malvertising included ads on platforms such as Instagram and Facebook, targeting specific demographics with calls to action. When clicking on these URLs, victims were redirected to phishing pages that mimicked official app stores, such as Google Play or Apple Store.

Figure: progressive web applications (PWA)

Attackers attempt to trick victims into installing a fake “new version” of their banking app. Depending on the campaign, clicking the install/update button triggers the installation of a malicious app directly on the victim’s phone.

For Android users, this can be a WebAPK, while for both iOS and Android users, it can be a Progressive Web Application (PWA). The installation process does not trigger any browser warnings about unknown apps, abusing Chrome’s WebAPK technology. iOS users are presented with a popup that mimics native prompts to add the phishing PWA to their home screen, without any warning. After installing the apps, victims are asked to enter their banking details, which are then sent to the C2 servers.

The experts noted that the campaigns used two different C2 infrastructures, suggesting that two distinct groups carried out the PWA/WebAPK phishing campaigns against Czech and other banks.

One group used a Telegram bot to log all information entered by victims into a Telegram group chat via Telegram's official API, while the other group used a traditional C2 server with an administrative panel, linked to an NGate Android malware campaign.

“We identified a new phishing method that combines well-established social engineering methods with the cross-platform technology of PWA applications. Cases were also found targeting Android users, specifically via a copycat page of the targeted app’s Google Play Store page and using WebAPK technology. Most of the known cases occurred in the Czech Republic, with only two phishing applications appearing outside this region (in Hungary and Georgia),” concludes the report published by ESET. “We expect to see more copycat applications being created and distributed, as it is difficult to distinguish legitimate apps from phishing ones once installed.”
