Czech mobile phone users targeted by new bank data fraud attempt

20 August 2024 | Ravie Lakshmanan | Mobile Security / Bank Fraud


Mobile users in the Czech Republic are the target of a new type of phishing campaign that uses a progressive web application (PWA) to steal their bank account information.

According to the Slovak cybersecurity company ESET, the attacks targeted the Czech Československá obchodní banka (CSOB), as well as the Hungarian OTP Bank and the Georgian TBC Bank.

“The phishing websites targeting iOS instruct victims to add a Progressive Web Application (PWA) to their home screens, while on Android the PWA is installed in the browser after confirming custom pop-ups,” said security researcher Jakub Osmani.

“Currently, these phishing apps on both operating systems are almost indistinguishable from the real banking apps they imitate.”

What is notable about this tactic is that it tricks users into installing a PWA, or in some cases even a WebAPK on Android, from a third-party site without the user ever having to enable installation from unknown sources (sideloading).

An analysis of the command-and-control (C2) servers used and the backend infrastructure shows that there are two different threat actors behind the campaigns.

These websites are distributed via automated voice calls, SMS messages, and social media malvertising through Facebook and Instagram. The voice calls warn users about an outdated banking app and ask them to select a numeric option, after which the phishing URL is sent.

Users who click on the link are presented with a page that resembles the Google Play Store listing for the affected banking app or a copycat site for the application, ultimately leading to the “installation” of the PWA or WebAPK app under the guise of an app update.

“This crucial installation step bypasses traditional browser warnings that indicate ‘installation of unknown apps’: this is the default behavior of Chrome’s WebAPK technology that is abused by the attackers,” Osmani explained. “In addition, installing a WebAPK does not generate any of the ‘installation from an untrusted source’ warnings.”

For users of Apple iOS devices, the phishing page provides step-by-step instructions on how to add the fake PWA to the home screen. The end goal of the campaign is to intercept the banking credentials entered into the app and exfiltrate them to a C2 server controlled by the attacker or to a Telegram group chat.
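The install mechanics described above rest on an ordinary web app manifest: a site that serves a manifest with a name, a large enough icon, a start URL and a standalone display mode is offered for "installation" by Chrome on Android (as a WebAPK) and can be added to the home screen on iOS, with no sideloading prompt. The following is an added example, not code from ESET or from the campaign, showing a constructed manifest of that shape beside a triage check that flags the signals a phishing PWA tends to leave: a bank brand in the name while the manifest is served from a different origin, and icons pulled from the real bank's site. The bank-to-origin mapping (`KNOWN_BANK_ORIGINS`, assuming `https://www.csob.cz` as CSOB's legitimate origin), the `csob-update.example` host and both manifests are constructed for the example; the installability check covers only a subset of Chrome's real criteria.

```javascript
// Added example (not from the article, ESET, or the attackers): a constructed
// PWA manifest plus a triage function that flags impersonation signals.
// Hypothetical mapping from brand keyword to the bank's assumed legitimate origin.
const KNOWN_BANK_ORIGINS = {
  csob: "https://www.csob.cz", // assumption for the example, not verified here
};

// Strip diacritics and lower-case so "ČSOB" matches the keyword "csob".
function normalizeLabel(s) {
  return String(s).normalize("NFD").replace(/[\u0300-\u036f]/g, "").toLowerCase();
}

// Subset of Chrome's installability criteria: a name, an icon >= 192px,
// a start_url and a display mode that hides the browser chrome.
function isInstallable(manifest) {
  const hasBigIcon = Array.isArray(manifest.icons) && manifest.icons.some((icon) =>
    String(icon.sizes || "").split(/\s+/).some((size) => {
      const [w] = size.toLowerCase().split("x").map(Number);
      return w >= 192;
    }));
  const display = manifest.display || "browser";
  return Boolean(manifest.name || manifest.short_name) && hasBigIcon &&
    typeof manifest.start_url === "string" &&
    ["standalone", "fullscreen", "minimal-ui"].includes(display);
}

// Compare where the manifest is served from with what it claims to be.
function triageManifest(manifestUrl, manifest) {
  const findings = [];
  const manifestOrigin = new URL(manifestUrl).origin;
  const startOrigin = new URL(manifest.start_url, manifestUrl).origin;
  const label = normalizeLabel(`${manifest.name || ""} ${manifest.short_name || ""}`);

  // Brand name present but the manifest lives on another origin.
  for (const [brand, legitOrigin] of Object.entries(KNOWN_BANK_ORIGINS)) {
    if (label.includes(brand) && manifestOrigin !== legitOrigin) {
      findings.push(`brand "${brand}" claimed by manifest served from ${manifestOrigin} (expected ${legitOrigin})`);
    }
  }
  // start_url pointing off-origin (the installed "app" would open elsewhere).
  if (startOrigin !== manifestOrigin) {
    findings.push(`start_url origin ${startOrigin} differs from manifest origin ${manifestOrigin}`);
  }
  // Icons hot-linked from a third party, typically the impersonated bank.
  for (const icon of manifest.icons || []) {
    const iconOrigin = new URL(icon.src, manifestUrl).origin;
    if (iconOrigin !== manifestOrigin) {
      findings.push(`icon ${icon.src} loaded from third-party origin ${iconOrigin}`);
    }
  }
  return { installable: isInstallable(manifest), findings };
}

// Constructed sample: a look-alike manifest on a phishing host, reusing the
// bank's real-looking icon so the installed PWA is visually convincing.
const PHISHING_MANIFEST_URL = "https://csob-update.example/manifest.json";
const PHISHING_MANIFEST = {
  name: "ČSOB Smart",
  short_name: "ČSOB",
  start_url: "/app/",
  display: "standalone",
  icons: [{ src: "https://www.csob.cz/static/icon-192.png", sizes: "192x192", type: "image/png" }],
};

// Constructed sample: the same shape served from the assumed legitimate origin.
const LEGIT_MANIFEST_URL = "https://www.csob.cz/manifest.json";
const LEGIT_MANIFEST = {
  name: "ČSOB Smart",
  short_name: "ČSOB",
  start_url: "/smart/",
  display: "standalone",
  icons: [{ src: "/static/icon-192.png", sizes: "192x192", type: "image/png" }],
};

console.log(JSON.stringify(triageManifest(PHISHING_MANIFEST_URL, PHISHING_MANIFEST), null, 2));
console.log(JSON.stringify(triageManifest(LEGIT_MANIFEST_URL, LEGIT_MANIFEST), null, 2));
```

Run with `node` to see both reports; the phishing manifest is fully installable and yields two findings (brand/origin mismatch and a hot-linked icon), the legitimate one yields none. The origin comparison is the useful part for triage: a WebAPK built from the phishing manifest carries the phishing host as its scope, whatever name and icon it displays.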

ESET said it first observed PWA-based phishing in early November 2023, with subsequent waves detected in March and May 2024.

The disclosure follows the discovery by cybersecurity researchers of a new variant of the Gigabud Android Trojan, which is being distributed through phishing websites that imitate the Google Play Store or impersonate various banks and government agencies.

“The malware has various capabilities such as collecting data about the infected device, exfiltrating banking information, collecting screen recordings, etc.,” said Symantec, a Broadcom company.

It also follows Silent Push’s discovery of 24 different control panels for a variety of Android banking Trojans such as ERMAC, BlackRock, Hook, Loot and Pegasus (not to be confused with NSO Group’s spyware of the same name), operated by a threat actor known as DukeEugene.


By Bronte
