Be careful what you pwish for – Phishing in PWA applications

This blog post outlines a sophisticated phishing campaign targeting mobile users, notably clients of a prominent Czech bank. This method stands out due to its ability to install phishing applications without the need for users to permit third-party app installations, signaling a potential breach of established security assumptions, particularly for iOS users. The observed tactics include the use of Progressive Web Applications (PWAs) and, for Android users, WebAPKs, which effectively disguise themselves as legitimate banking applications.

The campaigns were reported to have started in July 2023 and involved the installation process being disguised as routine updates to mobile banking applications. For iOS devices, the phishing approach required users to add a PWA to their home screens, while Android users were prompted via custom browser pop-ups. On both systems, these counterfeit apps closely mimic the genuine banking applications, undermining users’ ability to differentiate them.

The tactics employed in these campaigns combined standard phishing methods—such as social engineering through SMS messages and social media ads—with novel delivery techniques. The phishing campaigns took advantage of scams disguised as automated voice alerts, warning victims about outdated banking apps and directing them to phishing links. Simultaneously, advertisers on social platforms like Facebook and Instagram created malicious ads that socially engineered users into clicking phishing links.

Victims that clicked the links were directed to high-quality imitation websites resembling the official Google Play store for banking applications. In some cases, upon clicking the install button, a phishing WebAPK or PWA would seamlessly install on the user’s device, bypassing conventional warnings about unknown apps. This exploitation of browser technology allowed attackers to avoid the typical safeguards associated with app installations from untrusted sources.

Once installed, the counterfeit app would prompt users to enter their internet banking credentials directly, which were then forwarded to the attackers’ command and control (C&C) servers. Critical observations indicated that various phishing ads and websites were deployed in bulk to increase distribution efficiency, with each ad seemingly targeting a specific demographic.

The campaigns analyzed by ESET analysts revealed two separate threat actor groups orchestrating the attacks, as evidenced by the diversity in C&C infrastructure used. One group was detected utilizing a Telegram bot to log entered credentials, while another relied on a traditional server setup for data collection. This distinction indicates a decentralized approach to the phishing operations, allowing each group to employ different tactics for data exfiltration.

Technical analysis of the PWA and WebAPK technologies underscored how these tools enable threat actors to create near-identical versions of legitimate apps. PWAs are particularly versatile, functioning across multiple platforms without requiring installation from traditional app stores, making them a tool of choice for phishing attempts. Additionally, WebAPKs, generated by Chrome, appear as native apps without showing standard installation warnings.

ESET’s findings reveal a timeline of campaign development, from the initial phishing attempts in November to the emergence of WebAPKs shortly thereafter. Their analysis confirmed that all sensitive information obtained through research was swiftly reported to impacted banks to mitigate the risks to victimized clients. Furthermore, they engaged in negotiations for the removal of malicious domains and infrastructures employed in these campaigns.

In conclusion, this post emphasizes the ongoing evolution of phishing techniques and highlights the challenges posed to mobile security—a reality further complicated by the indistinguishability of phishing apps from credible applications. The methods described illustrate a concerning direction for mobile phishing, and vigilance among mobile users remains critical.