Phishing Campaign Targets Mobile Users with Progressive Web Application (PWA) Scam


Introduction

A sophisticated phishing campaign has emerged, targeting mobile users in the Czech Republic by using a new technique that leverages Progressive Web Applications (PWAs). The primary goal of these attacks is to steal banking credentials by mimicking legitimate banking apps. The victims include customers of the Czech-based Československá obchodní banka (CSOB), Hungary's OTP Bank, and Georgia's TBC Bank. The cybersecurity firm ESET has uncovered the details behind this campaign, revealing how attackers are deceiving users into installing fake banking apps.

Phishing Tactics Targeting Mobile Users

The phishing campaign employs different methods to target iOS and Android users. On iOS, victims are tricked into adding a PWA to their home screens, while Android users are prompted to install the PWA after interacting with pop-ups in their browsers. These apps are designed to resemble legitimate banking applications, making it difficult for users to detect the fraud. Unlike traditional phishing, this method circumvents the usual security warnings that users encounter when downloading apps from unofficial sources.

How the Attack Works

What sets this phishing technique apart is the use of PWAs and WebAPKs, which allow attackers to install these malicious apps without requiring users to enable side-loading or grant explicit permissions. The phishing websites are distributed through various channels such as automated voice calls, SMS, and social media ads, including platforms like Facebook and Instagram. Once users follow the provided links, they are redirected to a fraudulent page that imitates the Google Play Store or the banking app's website. From there, they unknowingly install the fake app, believing they are updating their banking software.

Abuse of WebAPK Technology

One of the critical aspects of this attack is the abuse of Chrome's WebAPK technology, which enables the installation of web apps without triggering traditional warnings, such as "installing unknown apps" alerts. This is part of Chrome’s default behavior, which the attackers exploit to avoid detection. On iOS, victims are given instructions to add the bogus app to their home screens, further adding to the illusion of legitimacy. The ultimate aim of the campaign is to steal the banking credentials users input into these apps, which are then sent to the attackers’ command-and-control (C2) servers or a Telegram group.
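Because a WebAPK never passes through the "install unknown apps" prompt, a defender triaging an Android handset needs a different signal. Chrome-minted WebAPKs are installed under package names prefixed `org.chromium.webapk.`, so enumerating those packages is a quick way to surface every web app that has been installed this way and check each one against the bank's known origins. The script below is an added example, not code from the article or from ESET; it parses `adb shell pm list packages -i` style output, here replaced by a constructed sample so it runs offline, and the installer values in that sample are illustrative placeholders rather than captured from a real device.

```shell
#!/bin/sh
# Constructed sample in the approximate format of `adb shell pm list packages -i`
# (package name followed by the installing package). Not captured from a real device.
SAMPLE_PM_OUTPUT='package:com.android.chrome  installer=com.android.vending
package:org.chromium.webapk.a1b2c3d4e5f6a7b8  installer=com.google.android.gms
package:com.example.bank  installer=com.android.vending
package:org.chromium.webapk.ffeeddccbbaa9988  installer=null'

# list_webapks: read `pm list packages` output on stdin and print one line per
# WebAPK package, stripping the leading "package:" label.
list_webapks() {
    grep '^package:org\.chromium\.webapk\.' | sed 's/^package://'
}

# count_webapks: number of WebAPK packages present in the input.
count_webapks() {
    list_webapks | wc -l | tr -d ' '
}

# webapk_names: just the package names, for feeding into `adb shell dumpsys package`
# (which reports the start URL and manifest origin of each WebAPK for manual review).
webapk_names() {
    list_webapks | awk '{print $1}'
}

# On a live device, replace the sample with:
#   adb shell pm list packages -i | list_webapks
printf '%s\n' "$SAMPLE_PM_OUTPUT" | list_webapks
```

Any WebAPK whose origin (visible via `dumpsys package <name>` on the device) is not the bank's real domain deserves the same scrutiny as a side-loaded APK; the absence of an install warning is a property of the delivery channel, not evidence that the app is legitimate.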

Investigation and Findings

ESET's research has shown that two distinct threat actors are behind these phishing attacks. The campaigns were first observed in July 2023, with additional waves occurring in November 2023, March 2024, and May 2024. The attackers use automated voice calls to notify users about supposed issues with their banking apps, urging them to take action, which leads to the phishing site where the fake apps are installed.

Moreover, this attack is part of a broader wave of banking trojans targeting mobile users. Researchers have identified a new variant of the Gigabud Android trojan, which is distributed via phishing websites that imitate Google Play Store listings or governmental websites. The malware collects a wide range of information from infected devices, including banking credentials and screen recordings.

Broader Implications for Mobile Security

These campaigns are not isolated. A separate analysis by Silent Push identified multiple control panels connected to different Android banking trojans such as ERMAC, BlackRock, Hook, and Pegasus (not to be confused with NSO Group's spyware). These trojans are operated by a threat actor known as DukeEugene and have been designed to steal sensitive user information through similar methods.

Conclusion

The rise of phishing campaigns using Progressive Web Applications and WebAPKs highlights the evolving tactics cybercriminals are using to bypass traditional security measures. Mobile users, especially those in the Czech Republic and neighboring countries, must be cautious when interacting with apps and websites, especially when prompted to install updates or new applications. As these attacks grow in sophistication, awareness and vigilance will be key in preventing the theft of sensitive banking credentials.
