Mobile users in the Czech Republic are being targeted by a new phishing campaign that uses a progressive web application (PWA) in an attempt to steal their bank account credentials.
According to the Slovak cyber security company ESET, the target of the attacks was the Czech Československá obchodní banka (CSOB), as well as the Hungarian OTP Bank and the Georgian TBC Bank.
“Phishing websites targeting iOS instruct victims to add a Progressive Web Application (PWA) to their home screens, while on Android PWAs are installed after validating custom browser pop-ups,” security researcher Yakub Osmani. said.
“At this point in both operating systems, these phishing programs are largely indistinguishable from the real banking programs they mimic.”
What’s notable about this tactic is that it tricks users into installing a PWA or even a WebAPK in some cases on Android from a third-party site without requiring specific sideloading permission.
Analysis of the Command and Control (C2) servers and backend infrastructure in use reveals that there are two different threat actors behind the companies.
These websites are distributed through automated voice calls, SMS messages and malicious social media ads through Facebook and Instagram. Voice prompts warn users of an outdated banking app and ask them to select a digital option, followed by a phishing URL.
Users who end up clicking on the link are presented with a similar page that mimics the target banking app’s listing on the Google Play Store or a mock site for that app, ultimately leading to the “installation” of the PWA or WebAPK app under the guise of an app update.
“This crucial installation step bypasses traditional browser warnings about ‘installation of unknown programs’: this is standard behavior of Chrome’s WebAPK technology, which is abused by attackers,” Osmani explained. “Furthermore, installing WebAPK does not generate any ‘installation from an untrusted source’ warnings.”
For those using Apple iOS devices, instructions are provided to add a fake PWA to your home screen. The ultimate goal of the campaign is to capture banking credentials entered in the app and transmit them to an attacker-controlled C2 server or a Telegram group chat.
ESET said it detected the first instance of PWA phishing in early November 2023, with subsequent waves detected in March and May 2024.
The disclosure comes as cyber security researchers discovered a new variant Gigabud An Android trojan distributed through phishing websites impersonating the Google Play Store or websites impersonating various banks or government organizations.
“The malware has various capabilities, such as collecting data on the infected device, stealing banking credentials, collecting screen recordings, etc.,” Broadcom-owned Symantec said. said.
This also goes for Silent Push’s discovery with 24 different control panels for various Android banking trojans such as ERMAC, BlackRock, Hook, Loot and Pegasus (not to be confused with NSO Group’s spyware of the same name) operated by a threat called Duke Eugene.
