Security researchers have discovered a novel phishing campaign that uses a PWA (Progressive Web App) to attempt to steal users’ banking account credentials. The campaign targets the Czech-based Československá obchodní banka (CSOB), the Hungarian OTP Bank, and the Georgian TBC Bank.
The technique was first disclosed by CSIRT KNF in Poland in July 2023 and later observed in Czechia by ESET analysts working on the Brand Intelligence service. According to their technical report, these phishing websites are present on iOS and Android and are “largely indistinguishable from the real banking apps that they mimic.”
The installation mechanism differs slightly between iOS and Android users. On iOS, victims are instructed to add a PWA to their home screen, while on Android, the PWA is installed after confirming custom pop-ups in the browser. Android users are at a higher risk here, as WebAPKs can also be installed on their devices.
To make matters worse, installing a PWA or WebAPK application doesn’t warn the users about installing a third-party app. Additionally, with a few extra commands, these phishing WebAPKs can even appear to have been installed from the Google Play store, lending them extra legitimacy.
The malicious website apps are distributed via automated phone calls, SMS messages, and even social media malvertising on Facebook and Instagram. All ads contain a call to action urging viewers to download an updated version of their banking apps. Clicking the link provided takes them to a lookalike page of the bank app’s official Google Play listing, tricking users into downloading the apps.
At the moment, most targeted victims are clients of Czech banks. However, as mentioned above, similar apps targeting Hungarian and Georgian banks have also been discovered. Based on the observed Command and Control (C2) servers and backend infrastructures, researchers think there might be two different threat actors behind the attacks. Regardless, operator panels on different domains have been discovered, and victim banks have been notified to protect their clients.
In the News: OpenAI gains access to Condé Nast’s publications in a new deal