Beware! New Phishing Technique Targets Mobile Banking Users with Sophisticated Web Applications

A new and concerning phishing technique has emerged, posing a serious threat to mobile banking users on both iOS and Android platforms. According to a recent warning from anti-malware vendor ESET, cybercriminals are leveraging Progressive Web Applications (PWAs) and WebAPKs to bypass security measures and steal sensitive banking credentials.
How the Attack Works
This new phishing campaign takes advantage of the flexibility of PWAs, which are web applications designed to look and function like native apps. PWAs don’t require users to enable third-party app installations, making them appear less suspicious. Cybercriminals are instructing iOS users to add these PWAs to their home screens, while Android users are asked to confirm custom pop-ups in their browsers, leading to the installation of these deceptive applications.
For Android users, the threat escalates with the use of WebAPKs. These are essentially upgraded PWAs that mimic the appearance and behavior of legitimate apps, often fooling users into believing they’ve downloaded them from Google Play. ESET’s research highlights that these WebAPKs don’t trigger the usual security warnings, even if the user hasn’t permitted the installation of apps from unknown sources. Once installed, these malicious applications blend seamlessly into the user’s device, displaying icons and information that suggest they are official banking apps.
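A PWA declares the name, icons and start URL it installs with in a web app manifest, so a bank's security team can triage manifests found on reported phishing links for brand impersonation. The following is an added example, not code from ESET or from this article; it assumes a hypothetical brand allowlist, and the bank name, origins and sample manifest are constructed for illustration.

```javascript
// Constructed allowlist: each protected brand and the origins it really uses.
const BRANDS = [
  { name: "Example Bank", origins: ["https://www.examplebank.test"] },
];

// Fold case, diacritics and punctuation so "Exámple-Bank" still matches.
function normalize(s) {
  return String(s || "").normalize("NFKD").replace(/[\u0300-\u036f]/g, "")
    .toLowerCase().replace(/[^a-z0-9]/g, "");
}

// manifestUrl: where the manifest was fetched from; manifest: its parsed JSON.
function assessManifest(manifestUrl, manifest) {
  const findings = [];
  let startOrigin;
  try {
    // start_url may be relative; resolve it against the manifest's own URL.
    startOrigin = new URL(manifest.start_url || ".", manifestUrl).origin;
  } catch {
    return { verdict: "invalid", findings: ["unparseable manifest URL or start_url"] };
  }
  const labels = [manifest.name, manifest.short_name].map(normalize).filter(Boolean);
  const brand = BRANDS.find((b) => labels.some((l) => l.includes(normalize(b.name))));
  if (!brand) return { verdict: "no-brand-match", findings };
  if (brand.origins.includes(startOrigin)) return { verdict: "legitimate", findings };

  findings.push(`uses the name "${brand.name}" but starts at ${startOrigin}`);
  if (["standalone", "fullscreen"].includes(manifest.display)) {
    findings.push(`display "${manifest.display}" hides the browser address bar`);
  }
  if (Array.isArray(manifest.icons) && manifest.icons.length > 0) {
    findings.push("ships home-screen icons");
  }
  return { verdict: "suspected-impersonation", findings };
}

// Constructed sample: a manifest served from a non-bank origin.
const SAMPLE_URL = "https://update-portal.example/app/manifest.webmanifest";
const SAMPLE = {
  name: "Exámple-Bank Update", short_name: "ExBank", start_url: "/login",
  display: "standalone", icons: [{ src: "icon-192.png", sizes: "192x192" }],
};
console.log(assessManifest(SAMPLE_URL, SAMPLE));
```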
Distribution Methods
The distribution of these phishing applications is orchestrated through a combination of automated voice calls, social media malvertising, and SMS messages. Users are lured into clicking links that direct them to fake websites resembling official app stores or the targeted bank’s website. They are then prompted to install what appears to be an update for their mobile banking app.
Upon installation, these apps request the user’s login credentials under the guise of accessing their banking account. Unbeknownst to the user, this sensitive information is immediately sent to the attackers’ command-and-control (C&C) servers.
The Threat Landscape
ESET’s investigation indicates that this phishing campaign likely started in November 2023, with the C&C servers becoming active by March 2024. While the primary focus has been on mobile banking users in the Czech Republic, the attacks have also targeted individuals in Hungary and Georgia. ESET has identified two separate threat actors behind these attacks, each using similar techniques to compromise users.
Moreover, there’s a growing concern that these attackers will expand their arsenal by developing more copycat applications. The sophistication of these PWAs and WebAPKs makes them particularly dangerous, as they can be nearly indistinguishable from legitimate banking apps.
Protecting Yourself from the Threat
With the rise of such advanced phishing techniques, it’s more critical than ever for users to remain vigilant. Here are some steps you can take to protect yourself:
- Be cautious with app installations: Avoid installing apps that don’t come directly from official app stores. If prompted to install an app or an update via a link, verify its legitimacy first.
- Watch out for unusual requests: Be wary of any app requesting sensitive information, such as login credentials or banking details, especially if it claims to be an update.
- Stay informed: Keep up to date with the latest security news and ensure your device's security software is updated to detect and block these kinds of threats.
This new phishing technique underscores the evolving tactics of cybercriminals and the need for heightened awareness among users. As the line between legitimate and fraudulent applications continues to blur, staying informed and cautious is your best defense.