A new study has found that banking customers have been targeted by a new method of phishing attacks.
A report by ESET found that the attacks primarily targeted iPhone and Android users, tricking them into unwittingly installing progressive web apps (PWAs) disguised as genuine banking apps.
PWAs are websites designed to behave like standalone apps, and they can appear trustworthy because installation goes through native system prompts. A PWA does not require the user to allow third-party (sideloaded) app installation. On iOS, the phishing sites posed as landing pages for popular apps and directed victims to add the PWA to their home screen. On Android, the PWA behaved like a regular mobile app, and because third-party installation authorization was bypassed, an Android Package Kit (APK) was installed silently in a way that appeared to the user to have come through the Google Play Store.
Delivery Methods
The campaign used three different URL delivery mechanisms (voice calls, SMS messages and malvertising) and targeted customers in the Czech Republic, Hungary and Georgia.
Depending on the campaign, tapping the install/update button triggered a malicious app download directly to the user's phone, either as a WebAPK (on Android devices) or as a PWA. This bypassed the usual browser warnings about "installing unknown apps."
The voice call warned the victim about a supposedly outdated banking app and instructed the user to select a numbered option. Once they did, they were sent a phishing URL via text message.
The SMS campaign sent messages containing phishing links indiscriminately to Czech numbers, while the advertising campaign consisted of ads posted on Meta platforms (such as Facebook and Instagram). The ads contained a call to action designed to pressure victims, such as a limited-time offer for those who "download an update below."
Recent reports show that similar threat actors are using counterfeit versions of popular Android apps, with increasingly sophisticated methods. ESET expects to see further imitations of these apps, so we recommend staying alert. The best way to keep your data safe is to download apps only from legitimate sources and to be wary of links sent by people you don't know.