New Mobile Phishing Threat Targets Bank Users with Progressive Web Apps
Cybercriminals have found a new way to target mobile users through sophisticated phishing campaigns that exploit Progressive Web Applications (PWAs). These attacks are particularly dangerous because they bypass traditional security warnings and can closely mimic legitimate banking apps on both Android and iOS devices.
How the Attacks Unfold
The phishing campaigns begin with the delivery of malicious links through automated calls, SMS messages, or deceptive social media ads. Victims are often tricked into thinking their banking app is outdated or are enticed by fake promotions. Once the user clicks on the link, they are directed to a fake Google Play Store or Apple App Store page, where they are prompted to install what appears to be an update to their banking app.
Figure 1. Example copycat installation page. Source: ESET
On Android devices, this installation occurs through a WebAPK, a native-like application generated by the Chrome browser that closely resembles a legitimate app. This method bypasses the usual warnings about installing apps from unknown sources, making it especially deceptive. iOS users, on the other hand, are instructed to add a PWA to their home screen, which similarly mimics a legitimate banking app.
Figure 2. PWA phishing flow. Source: ESET
Why PWAs Are Effective for Phishing
PWAs are designed to work across multiple platforms, making them a versatile tool for attackers. They can be installed directly from the browser and offer a native app-like experience, which includes access to device features such as geolocation, the camera, and the microphone. These apps can be updated or modified by attackers without the user’s knowledge, allowing the phishing campaign to adapt over time.
The cross-platform nature of PWAs enables cybercriminals to target a broader audience with a single phishing campaign. This, combined with the ability to bypass app store restrictions and avoid security prompts, makes PWAs a powerful tool in the hands of threat actors.
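From the defending side, the installable app described above is driven by a web app manifest, which a bank's brand-protection or detection team can triage automatically. The following is an added example, not code from ESET or from this article: the brand inventory, host names and sample manifests are constructed, and the function names are hypothetical.

```python
import json
import unicodedata
from urllib.parse import urljoin, urlsplit

# Hypothetical brand inventory: normalized app name -> hosts the brand really serves from.
PROTECTED_BRANDS = {"example bank": {"examplebank.test"}}

def normalize(text):
    """Fold case, Unicode compatibility forms and punctuation ('Example-Bank' -> 'example bank')."""
    if not isinstance(text, str):
        return ""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return " ".join("".join(c if c.isalnum() else " " for c in folded).split())

def host_allowed(host, allowed):
    """True only for an allowed domain or a subdomain of it, never for a prefix match."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def triage_manifest(manifest_url, manifest_text):
    """Return findings for one web app manifest that was served from manifest_url."""
    manifest = json.loads(manifest_text)
    host = urlsplit(manifest_url).hostname
    names = [normalize(manifest.get(key)) for key in ("name", "short_name")]
    findings = []
    for brand, domains in PROTECTED_BRANDS.items():
        if not any(brand in name for name in names) or host_allowed(host, domains):
            continue
        findings.append(f"brand '{brand}' claimed by unrelated host {host}")
        # standalone/fullscreen drop the address bar once installed, so the
        # user can no longer see which origin the "app" is loading.
        if manifest.get("display") in ("standalone", "fullscreen"):
            findings.append("installed app hides the browser address bar")
        # start_url is relative to the manifest URL; resolve it for the takedown report.
        findings.append("opens " + urljoin(manifest_url, manifest.get("start_url", ".")))
    return findings

# Constructed sample manifests (not taken from any real campaign).
LOOKALIKE = ("https://examplebank.test.update-portal.invalid/manifest.json",
             '{"name": "Example-Bank", "short_name": "ExBank", '
             '"display": "standalone", "start_url": "/login"}')
GENUINE = ("https://app.examplebank.test/manifest.json",
           '{"name": "Example Bank", "display": "standalone", "start_url": "/"}')

if __name__ == "__main__":
    for url, text in (LOOKALIKE, GENUINE):
        print(url, triage_manifest(url, text))
```

The lookalike host deliberately begins with the genuine domain to show why the allow-list check matches on the registered suffix rather than on a substring.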
The Growing Threat
These phishing campaigns have primarily targeted users in Central and Eastern Europe, with significant activity observed in the Czech Republic, Hungary, and Georgia. Two distinct threat groups are believed to be behind these attacks, each employing different methods for collecting stolen credentials—either through traditional command-and-control servers or via Telegram, a popular messaging app.
The rise of PWA-based phishing attacks is an alarming trend, as it demonstrates how cybercriminals are continually evolving their tactics to bypass security measures. For users, this means being extra cautious when installing apps or updates, especially when prompted by links received via SMS, email, or social media.
As more attackers realize the potential of PWAs, these types of phishing campaigns are expected to increase. It is crucial for users to stay informed and vigilant, only downloading apps from trusted sources and verifying the authenticity of any updates before installation.