Hackers have found a new method to steal banking credentials from iOS and Android users by exploiting Progressive Web Applications (PWAs). These threat actors are now targeting iOS and Android users with phishing that uses PWAs to impersonate legitimate banking apps, making it easier to steal sensitive information such as banking credentials. This phishing trend has recently been observed targeting users in Poland, the Czech Republic, Hungary, and Georgia, raising concerns about the security of mobile banking on both iOS and Android platforms.
Rise of Phishing Campaigns Using PWAs
Progressive Web Apps (PWAs) are cross-platform applications that can be installed directly from a web browser, offering a native-like experience. PWAs can send push notifications, access device hardware, and sync data in the background, making them highly convenient for users. However, these same features make PWAs an attractive tool for hackers. By phishing with PWAs, cybercriminals can bypass app installation restrictions on iOS and Android devices, evade detection, and gain risky permissions without alerting users.
The technique was first spotted in the wild in July 2023 in Poland, and by November of the same year, similar attacks were reported in the Czech Republic. According to a report by cybersecurity firm ESET, hackers have been targeting users of the Hungarian financial institution OTP Bank and Georgia’s TBC Bank through two distinct campaigns. While these campaigns share a common method, they are believed to be operated by different groups, with one using a custom command-and-control (C2) infrastructure and the other logging stolen data via Telegram.
How Do Hackers Target Victims?
Hackers use various methods to trick victims into installing malicious PWAs disguised as legitimate banking apps. These methods include automated calls, SMS phishing (smishing), and malvertising campaigns on platforms like Facebook. For instance, users may receive a fake message claiming their banking app is outdated and needs an urgent update, prompting them to download the malicious PWA.
In one case, cybercriminals used social media ads featuring the official mascot of the targeted bank to create a sense of legitimacy. The ads promoted limited-time offers, such as monetary rewards, for installing a supposed app update. Once the victim clicks on the ad, they are redirected to a fake Google Play or App Store page that mimics the real thing. The malicious PWA is then installed on the victim’s device, often without triggering the usual security prompts that might raise suspicion.
Use of PWAs in Phishing Campaigns
The use of Progressive Web Apps (PWAs) in phishing campaigns presents several unique dangers. PWAs are designed to work across multiple platforms, allowing hackers to target a broader audience with a single phishing campaign. Additionally, PWAs can closely mimic the appearance of native apps, making it nearly impossible for users to distinguish between a legitimate app and a malicious PWA.
One of the key benefits for hackers using PWAs is their ability to bypass the security measures of app stores like Google Play and Apple’s App Store. Since PWAs can be installed directly from a web browser, users are not alerted by the “install from unknown sources” warnings that typically accompany the installation of third-party apps. Moreover, PWAs can access various device systems, such as geolocation, camera, and microphone, through browser APIs, without needing to request permissions from the mobile OS.
Hackers can also update or modify these PWAs without user interaction, allowing them to adjust their phishing tactics on the fly for greater success. This makes PWAs a particularly dangerous tool in the hands of cybercriminals, as they can continue to evolve and evade detection long after the initial installation.
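For a bank's security team, one way to act on this is to check the web app manifest of a reported site: flag any manifest that claims the bank's name from an origin the bank does not own, and note when it also hides the browser address bar. The following is an added example, not code from the ESET report or from any bank; the brand name, origins and sample manifests are constructed placeholders, and only the standard manifest members `name`, `short_name` and `display` are relied on.

```javascript
// Added example. Brand name and origins are constructed placeholders, not real banks.
const PROTECTED_BRANDS = [
  { brand: "Example Bank", origins: ["https://www.examplebank.test"] },
];

// Fold case, strip diacritics and separators so "Example-Bank" matches "ExampleBank".
function normalize(s) {
  return String(s || "")
    .normalize("NFKD")
    .replace(/[\u0300-\u036f]/g, "")
    .toLowerCase()
    .replace(/[^a-z0-9]/g, "");
}

// Inspect one web app manifest fetched from servingUrl; returns a list of findings.
function assessManifest(manifest, servingUrl, brands = PROTECTED_BRANDS) {
  const findings = [];
  const origin = new URL(servingUrl).origin;
  const names = [manifest.name, manifest.short_name].map(normalize).filter(Boolean);
  for (const { brand, origins } of brands) {
    const claimsBrand = names.some((n) => n.includes(normalize(brand)));
    if (claimsBrand && !origins.includes(origin)) {
      findings.push(`brand-mismatch: "${brand}" claimed by ${origin}`);
    }
  }
  // standalone/fullscreen hide the address bar, so the user loses the URL as a cue.
  if (findings.length > 0 && ["standalone", "fullscreen"].includes(manifest.display)) {
    findings.push(`hidden-url-bar: display=${manifest.display}`);
  }
  return findings;
}

// Constructed sample manifests.
const LOOKALIKE = { name: "Example Bank Mobile", short_name: "ExampleBank", display: "standalone" };
const OFFICIAL = { name: "Example Bank", short_name: "ExampleBank", display: "standalone" };

console.log(assessManifest(LOOKALIKE, "https://examplebank-update.test/manifest.json"));
console.log(assessManifest(OFFICIAL, "https://www.examplebank.test/manifest.webmanifest"));
```

The same function can be run over manifests collected from URLs that customers report or that brand-monitoring feeds surface; the allowlist of official origins is the part each organisation has to maintain.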
Conclusion
The increasing use of Progressive Web Apps in phishing campaigns targeting iOS and Android users is a concerning trend that poses significant risks to mobile banking security. It is an ongoing attack that can affect Hong Kong and other regions. As hackers continue to exploit these cross-platform applications, it’s crucial for users and businesses to remain vigilant.
If you’re using mobile banking apps, be cautious of unsolicited messages or ads prompting you to install updates or new apps, especially those that don’t come from official app stores.