Hackers are using progressive web applications (PWAs) to impersonate banking apps and steal credentials from Android and iOS users. PWAs are cross-platform applications that can be installed directly from the browser, offering a native-like experience through features like push notifications, access to device hardware, and background data syncing.
Threat actors use this technique in phishing campaigns to evade detection, bypass app installation restrictions, and gain access to risky permissions on the device without raising suspicion. The technique was first observed in Poland in July 2023 and later targeted Czech users.
Cybersecurity company ESET reports two distinct campaigns, one targeting customers of OTP Bank in Hungary and one targeting customers of TBC Bank in Georgia. The campaigns use a range of methods to reach their target audience, including automated calls, SMS messages (smishing), and well-crafted malvertising delivered through Facebook ad campaigns.
The phishing PWA tricked users with fake messages about outdated banking apps, prompting them to install the latest version for security reasons. In other cases, malicious advertisements on social media used official bank mascots to induce a sense of legitimacy and promote limited-time offers like monetary rewards for installing supposedly critical app updates.
PWAs can closely mimic the look and feel of native apps, making them difficult to distinguish from legitimate applications. They can also reach various device systems through browser APIs without requesting permissions, and because a PWA's content is served from the attacker's web server rather than bundled in an installed package, the phishing campaign can be updated or modified dynamically after the victim has installed it.
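Because a PWA announces itself through a web app manifest (name, start_url, display mode, icons), a defender can triage manifests collected from reported phishing URLs for the impersonation pattern described above. The script below is an added example written for this article; it is not code from BleepingComputer or ESET, and the brand allow-list, the hostnames and both manifests are constructed samples. It flags a manifest that carries a known bank's name while its start_url sits on a domain the bank does not own, detects digit-for-letter lookalike hosts, and notes secondary signs such as icons pulled from a third origin. A standalone display mode (which hides the browser address bar) is normal for legitimate PWAs too, so it is scored low and only adds weight alongside stronger indicators.

```python
"""Heuristic triage of a web app manifest for bank-impersonation indicators.

Added example: the allow-list, hostnames and manifests are constructed
samples, not artifacts from the ESET-reported campaigns.
"""
import json
from typing import Optional
from urllib.parse import urlparse

# Constructed allow-list: brand name -> hostnames it legitimately serves PWAs from.
# A real deployment would source this from the bank's own published domains.
KNOWN_BRANDS = {
    "example bank": {"app.examplebank.example", "examplebank.example"},
}

# Digits commonly substituted for letters in lookalike hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Indicator weights; a manifest is flagged when the total reaches THRESHOLD.
WEIGHTS = {
    "brand_domain_mismatch": 3,              # bank name, non-bank domain
    "lookalike_domain": 2,                   # homoglyph-normalised host is the bank's
    "start_url_differs_from_serving_origin": 2,
    "external_icon_host": 1,                 # icons fetched from yet another origin
    "hides_browser_chrome": 1,               # standalone/fullscreen hides the URL bar
}
THRESHOLD = 3


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' for relative URLs."""
    return (urlparse(url).hostname or "").lower()


def brand_for(manifest: dict) -> Optional[str]:
    """Return the allow-listed brand the manifest claims to be, if any."""
    for field in ("name", "short_name"):
        value = str(manifest.get(field, "")).lower().strip()
        for brand in KNOWN_BRANDS:
            if brand in value:
                return brand
    return None


def triage(manifest_json: str, served_from: str) -> dict:
    """Score a manifest fetched from `served_from` (the page origin).

    Returns {"indicators": sorted names, "score": int, "suspicious": bool}.
    """
    manifest = json.loads(manifest_json)
    findings = set()
    serving_host = host_of(served_from)
    # start_url may be relative; a relative one resolves to the serving origin.
    start_host = host_of(manifest.get("start_url", "")) or serving_host

    brand = brand_for(manifest)
    if brand:
        allowed = KNOWN_BRANDS[brand]
        if start_host not in allowed:
            findings.add("brand_domain_mismatch")
            if start_host.translate(HOMOGLYPHS) in allowed:
                findings.add("lookalike_domain")

    if start_host != serving_host:
        findings.add("start_url_differs_from_serving_origin")

    if manifest.get("display") in {"standalone", "fullscreen"}:
        findings.add("hides_browser_chrome")

    for icon in manifest.get("icons", []):
        icon_host = host_of(icon.get("src", ""))
        if icon_host and icon_host != start_host:
            findings.add("external_icon_host")
            break

    score = sum(WEIGHTS[f] for f in findings)
    return {"indicators": sorted(findings), "score": score, "suspicious": score >= THRESHOLD}


# Constructed sample manifests (not real campaign artifacts).
LEGIT_MANIFEST = json.dumps({
    "name": "Example Bank",
    "short_name": "ExampleBank",
    "start_url": "https://app.examplebank.example/",
    "display": "standalone",
    "icons": [{"src": "/icon-192.png", "sizes": "192x192", "type": "image/png"}],
})

SUSPECT_MANIFEST = json.dumps({
    "name": "Example Bank",                                   # brand name reused
    "short_name": "ExampleBank",
    "start_url": "https://examp1ebank.example/login",         # '1' standing in for 'l'
    "display": "standalone",
    "icons": [{"src": "https://cdn.other.example/bank.png", "sizes": "192x192"}],
})

if __name__ == "__main__":
    print("legit  :", triage(LEGIT_MANIFEST, "https://app.examplebank.example/"))
    print("suspect:", triage(SUSPECT_MANIFEST, "https://examp1ebank.example/"))
```

The allow-list is the part that does the real work: without a trustworthy mapping from brand names to the bank's own domains the homoglyph check has nothing to compare against, so in practice it should be fed from the bank's published domain inventory rather than maintained by hand.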
The abuse of PWAs for phishing is a dangerous emerging trend that could gain new proportions as more cybercriminals realize its potential and benefits.
Source: https://www.bleepingcomputer.com/news/security/hackers-steal-banking-creds-from-ios-android-users-via-pwa-apps/