Android & iOS Users Targeted with New Phishing Attack Using PWAs & WebAPKs


A novel type of phishing attack has been discovered, targeting both Android and iOS users. This attack combines traditional social engineering techniques with the use of Progressive Web Applications (PWAs) and WebAPKs, making it a significant threat to mobile users.

The attack was first identified in November 2023, and since then, multiple cases have been reported, primarily targeting clients of Czech banks. However, cases have also been observed in Hungary and Georgia, indicating a broader reach.


The attackers use various delivery mechanisms, including automated voice calls, SMS messages, and social media malvertising. The malicious ads, often featuring the bank’s official mascot and logos, entice victims to visit a phishing link, which leads to a convincing fake Google Play page.


The page checks the User-Agent HTTP header to determine whether the visitor is on a mobile client; if the victim is on a mobile device, the “Install” button prompts the victim to install the app via a pop-up.

The phishing application is installed as a PWA or WebAPK, which allows it to run on multiple platforms and devices. PWAs are essentially websites bundled into a standalone application, with the ability to be launched from the menu bar or home screen.

WebAPKs, on the other hand, are an upgraded version of PWAs, generated by the Chrome browser as a native Android application.
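Because a PWA or WebAPK is driven entirely by the site's web app manifest, an analyst who captures the manifest served by a suspicious install page can triage it without installing anything. The following is an added example written for this article, not code from the article or from ESET: it parses a manifest, resolves `start_url` and icon URLs against the manifest's own URL the way a browser does, and flags a known bank brand served from an origin outside an allow-list, cross-origin icons (a sign of hot-linked logos), and standalone display mode. All names, URLs and the allow-list are constructed placeholders, not indicators from the campaign.

```python
import json
from urllib.parse import urljoin, urlsplit

# Constructed sample manifest in the shape a phishing PWA might serve.
# The brand, hosts and paths are placeholders, not real indicators.
SAMPLE_MANIFEST_URL = "https://example-lookalike.invalid/app/manifest.json"
SAMPLE_MANIFEST = json.dumps({
    "name": "Example Bank",
    "short_name": "ExampleBank",
    "start_url": "/login",
    "scope": "/",
    "display": "standalone",
    "icons": [{"src": "https://cdn.example-bank.test/logo.png", "sizes": "192x192"}],
})

# Assumed allow-list: brand name -> origins that may legitimately serve a PWA under it.
KNOWN_BRANDS = {
    "example bank": {"https://www.example-bank.test"},
}


def origin(url):
    """Return scheme://host[:port] of a URL in lower case."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def triage_manifest(manifest_json, manifest_url, known_brands=KNOWN_BRANDS):
    """Return a list of human-readable findings for a manifest fetched from manifest_url."""
    m = json.loads(manifest_json)
    findings = []
    served_from = origin(manifest_url)

    # Relative start_url / icon paths are resolved against the manifest URL, as browsers do.
    start_url = urljoin(manifest_url, m.get("start_url", "/"))

    # Standalone/fullscreen mode hides the address bar, so the user never sees the real host.
    if m.get("display") in ("standalone", "fullscreen"):
        findings.append("standalone display hides the browser address bar")

    # Brand impersonation: a known bank name served from an origin not on the allow-list.
    names = {str(m.get(k, "")).strip().lower() for k in ("name", "short_name")}
    for brand, origins in known_brands.items():
        if any(brand in n for n in names) and served_from not in origins:
            findings.append(f"brand '{brand}' served from unexpected origin {served_from}")

    # start_url on another origin means the installed app opens somewhere else entirely.
    if origin(start_url) != served_from:
        findings.append("start_url points to a different origin than the manifest")

    # Icons pulled from another origin often mean a logo hot-linked from the real brand.
    for icon in m.get("icons", []):
        src = urljoin(manifest_url, icon.get("src", ""))
        if origin(src) != served_from:
            findings.append(f"icon hot-linked from {origin(src)}")

    return findings


if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST, SAMPLE_MANIFEST_URL):
        print("-", finding)
```

Standalone display is a weak signal on its own, since every legitimate PWA uses it; the combination of a bank brand on an unlisted origin and hot-linked brand icons is what should drive an escalation.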

The installed phishing app is nearly indistinguishable from the real banking app, with the same logo and design. Once opened, the app leads to a phishing login page, where victims are prompted to submit their internet banking credentials. The entered information is sent to the attackers’ Command and Control (C&C) servers.

The C&C infrastructure used by the attackers is quite sophisticated, with two distinct groups operating the phishing campaigns. One group uses a Telegram bot to log all entered information into a Telegram group chat via the official Telegram API, while the other uses a traditional C&C server with an administrative panel.
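The Telegram-bot variant has a useful property for defenders: every submitted credential results in a call to the official Telegram Bot API, whose URL shape (`https://api.telegram.org/bot<token>/<method>`) is fixed. The following is an added example written for this article, not code from the article or from ESET: it scans constructed proxy log lines for POSTs to message-sending bot methods coming from mobile user agents, and reports the numeric bot id while redacting the secret part of the token so the alert itself does not leak it. The log format, hosts, client addresses and tokens are all constructed placeholders.

```python
import re

# Constructed proxy log lines: timestamp, client IP, method, URL, user agent.
# Tokens and addresses are fabricated for illustration only.
SAMPLE_LOG = """\
2024-01-10T09:15:02Z 10.0.0.21 POST https://api.telegram.org/bot123456789:AAFakeTokenValueForIllustrationOnly00/sendMessage Mozilla/5.0 (Linux; Android 13) Chrome/120 Mobile
2024-01-10T09:15:05Z 10.0.0.21 GET https://www.example-bank.test/ Mozilla/5.0 (Linux; Android 13) Chrome/120 Mobile
2024-01-10T09:16:40Z 10.0.0.34 POST https://api.telegram.org/bot987654321:AAAnotherFakeTokenForIllustration0000/sendMessage curl/8.4.0
2024-01-10T09:17:01Z 10.0.0.58 GET https://api.telegram.org/bot111/getMe Mozilla/5.0
"""

# Bot API calls are always https://api.telegram.org/bot<token>/<method>.
TELEGRAM_BOT_CALL = re.compile(r"^https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<method>\w+)")
MOBILE_UA = re.compile(r"\b(Android|iPhone|iPad|Mobile)\b")
# Methods a credential-logging bot would use to push captured data into a chat.
EXFIL_METHODS = {"sendMessage", "sendDocument"}


def parse_line(line):
    """Split one constructed log line into its fields; the user agent may contain spaces."""
    ts, client, method, url, ua = line.split(" ", 4)
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def redact_token(token):
    """Keep the numeric bot id for correlation across alerts, hide the secret half."""
    bot_id, _, _ = token.partition(":")
    return f"{bot_id}:<redacted>"


def detect_telegram_exfil(log_text):
    """Return alerts for mobile clients POSTing to message-sending Telegram bot methods."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] != "POST":
            continue
        m = TELEGRAM_BOT_CALL.match(rec["url"])
        if not m or m["method"] not in EXFIL_METHODS:
            continue
        # Restrict to mobile user agents: the phishing app runs inside a mobile browser shell.
        if not MOBILE_UA.search(rec["ua"]):
            continue
        alerts.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "bot": redact_token(m["token"]),
            "api_method": m["method"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_telegram_exfil(SAMPLE_LOG):
        print(alert)
```

Plenty of legitimate apps talk to the Telegram API, so this rule is a triage signal rather than a verdict: the value comes from correlating the bot id across devices and from checking what the same client visited in the seconds before the POST, which in this campaign would be the fake Google Play page and the phishing login.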

The attackers have been able to evade detection by using multiple domains and preparing new malicious campaigns. According to ESET researchers, some of the C&C servers have been deactivated, and the affected banks have been notified.

To protect yourself from this type of phishing attack, it is essential to be cautious when installing new apps, especially those that ask for sensitive information. Always verify the authenticity of the app and the website from which it is downloaded. Additionally, keep your device and browser up to date with the latest security patches.

This new type of phishing attack poses a significant threat to Android and iOS users. By combining traditional social engineering techniques with the use of PWAs and WebAPKs, attackers have created.
