Cybersecurity researchers have uncovered a novel phishing campaign targeting mobile users in the Czech Republic. The attacks, which have also been observed targeting the Hungarian OTP Bank and the Georgian TBC Bank, leverage Progressive Web Applications (PWAs) in an attempt to steal users’ banking account credentials.
According to Slovak cybersecurity firm ESET, the phishing websites instruct victims on iOS devices to add the PWA to their home screens, while on Android, the PWA is installed after users confirm custom pop-ups in their browsers. Jakub Osmani, a security researcher at ESET, explained that “at this point, on both operating systems, these phishing apps are largely indistinguishable from the real banking apps that they mimic.”
Bypassing Traditional Security Measures
This tactic is noteworthy because users are deceived into installing a PWA, or in some cases a WebAPK on Android, from a third-party site without having to enable side-loading. The installation therefore never triggers the browser’s usual warning about “installing unknown apps”: the attackers abuse the default behavior of Chrome’s WebAPK technology, under which Chrome itself packages an installable web app and installs it through Google Play services rather than through the package-installer flow reserved for untrusted APKs.
Nor does a WebAPK install raise an “installation from an untrusted source” warning, so the victim sees nothing that distinguishes the bogus app from a legitimate update, which makes the malicious intent much harder to detect.
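For an analyst handed a suspected “update your banking app” URL, the static triage below is an added example, written for this page rather than taken from ESET’s research or from the campaign itself. It scans a landing page for the web app manifest and for the install-prompt interception that produces the custom pop-up, checks whether the manifest meets Chrome’s documented add-to-home-screen requirements (a name, a start_url, 192px and 512px icons, a standalone-style display mode), and flags a bank brand in the manifest name when the page is not served from that brand’s own host. The HTML, manifest, brand “ExampleBank” and every domain are constructed samples; nothing is fetched.

```javascript
// Added example: static triage of a suspected phishing site's install surface.
// Not code from ESET or the reported campaign; all inputs below are constructed.

const MIN_ICON_PX = 192;   // Chrome's installability criteria require a 192px icon
const LARGE_ICON_PX = 512; // and a 512px icon (used for the WebAPK launcher/splash)

// Constructed sample page: hides the PWA install flow behind a fake "Update" button.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<link rel="manifest" href="/manifest.webmanifest">
<title>ExampleBank - Update your app</title>
</head><body>
<button id="update">Update app</button>
<script>
  let deferred;
  window.addEventListener('beforeinstallprompt', e => { e.preventDefault(); deferred = e; });
  document.getElementById('update').onclick = () => deferred && deferred.prompt();
</script>
</body></html>`;

// Constructed sample manifest mimicking a bank app (hypothetical brand and paths).
const SAMPLE_MANIFEST = {
  name: "ExampleBank Mobile",
  short_name: "ExampleBank",
  start_url: "/login?src=pwa",
  scope: "/",
  display: "standalone",
  icons: [
    { src: "/icon-192.png", sizes: "192x192", type: "image/png" },
    { src: "/icon-512.png", sizes: "512x512", type: "image/png" },
  ],
};

// Analyst-supplied watchlist: brand strings and the hosts allowed to use them (hypothetical).
const BRANDS = [
  { brand: "examplebank", officialHosts: ["examplebank.example", "www.examplebank.example"] },
];

// Extract the manifest URL from the HTML (string scan; a real pipeline would parse the DOM).
function manifestHref(html) {
  const m = html.match(/<link[^>]*rel=["']manifest["'][^>]*href=["']([^"']+)["']/i)
        || html.match(/<link[^>]*href=["']([^"']+)["'][^>]*rel=["']manifest["']/i);
  return m ? m[1] : null;
}

// Largest declared width, in px, across an icon's "sizes" entries (e.g. "48x48 192x192").
function largestIconPx(icon) {
  let best = 0;
  for (const size of String(icon.sizes || "").split(/\s+/)) {
    const px = parseInt(size.split("x")[0], 10);
    if (px > best) best = px;
  }
  return best;
}

// Does the manifest satisfy Chrome's add-to-home-screen / WebAPK requirements?
function installable(manifest) {
  const hasName = Boolean(manifest.name || manifest.short_name);
  const hasStart = typeof manifest.start_url === "string";
  const displayOk = ["standalone", "fullscreen", "minimal-ui"].includes(manifest.display);
  const sizes = (manifest.icons || []).map(largestIconPx);
  const iconsOk = sizes.some(s => s >= MIN_ICON_PX) && sizes.some(s => s >= LARGE_ICON_PX);
  return hasName && hasStart && displayOk && iconsOk && manifest.prefer_related_applications !== true;
}

// Indicators that an installable PWA is impersonating a bank. Returns human-readable findings.
function triage(html, manifest, pageOrigin, brands = BRANDS) {
  const findings = [];
  const host = new URL(pageOrigin).hostname.toLowerCase();
  const label = `${manifest.name || ""} ${manifest.short_name || ""}`.toLowerCase();
  for (const { brand, officialHosts } of brands) {
    if (label.includes(brand) && !officialHosts.includes(host)) {
      findings.push(`brand "${brand}" in manifest name but served from ${host}`);
    }
  }
  if (installable(manifest) && manifest.display !== "browser") {
    findings.push(`installable with display=${manifest.display}: no URL bar once launched`);
  }
  if (/beforeinstallprompt/.test(html)) {
    findings.push("page intercepts beforeinstallprompt (custom install pop-up)");
  }
  if (/\.prompt\(\)/.test(html) && /update/i.test(html)) {
    findings.push('install prompt wired to an "update" control');
  }
  return findings;
}

// Stand-alone run over the constructed samples.
const demoFindings = triage(SAMPLE_HTML, SAMPLE_MANIFEST, "https://secure-update.example.net");
console.log("manifest:", manifestHref(SAMPLE_HTML));
for (const f of demoFindings) console.log("-", f);
```

The brand-versus-host check is the one that matters: a bank-branded manifest served from anything other than the bank’s own origin is the PWA equivalent of a lookalike domain, and the `beforeinstallprompt` handler wired to an “update” button is how the custom pop-up described above is produced on Android. Run the same checks against the bank’s genuine site first to confirm the watchlist entry, since a legitimate PWA will trigger the display-mode finding as well.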
Automated Phishing Campaigns
The phishing websites are distributed through various channels, including automated voice calls, SMS messages, and social media malvertising via Facebook and Instagram. The voice calls warn users about an out-of-date banking app and prompt them to select a numerical option, after which the phishing URL is sent.
Once users click on the link, they are presented with a lookalike page that mimics the Google Play Store listing for the targeted banking app or a copycat site for the application. This ultimately leads to the “installation” of the PWA or WebAPK app under the guise of an app update.
Capturing Banking Credentials
For iOS users, the instructions guide them to add the bogus PWA app to their home screens. The end goal of these campaigns is to capture the banking credentials entered on the app and exfiltrate them to an attacker-controlled command-and-control (C2) server or a Telegram group chat.
ESET recorded the first phishing-via-PWA instance in early November 2023, with subsequent waves detected in March and May 2024.
Emerging Android Malware Threat
The disclosure comes as cybersecurity researchers have uncovered a new variant of the Gigabud Android trojan that’s spread via phishing websites mimicking the Google Play Store or sites impersonating various banks or governmental entities. Broadcom-owned Symantec reported that the malware has various capabilities, including the collection of data about the infected device, exfiltration of banking credentials, and the collection of screen recordings.
Separately, Silent Push discovered 24 control panels for Android banking trojans including ERMAC, BlackRock, Hook, Loot, and Pegasus (not to be confused with NSO Group’s spyware of the same name), all operated by a threat actor known as DukeEugene. The size of that infrastructure further highlights how crowded the mobile banking threat landscape has become.
The campaigns against mobile users in the Czech Republic, as well as customers of Hungary’s OTP Bank and Georgia’s TBC Bank, show how credential-theft tactics keep adapting to whatever install path avoids a warning.
By delivering the lure as a PWA or WebAPK, the attackers sidestep the unknown-source prompts that users and banks have come to rely on, so neither side can treat the absence of a warning as a sign of safety. Practically, that means treating any call or SMS announcing an out-of-date banking app as suspect, installing banking apps only from the official store reached directly rather than through a link, and, for banks, monitoring for lookalike sites that serve a manifest carrying their brand.