FacebookTwitterLinkedIn

Banking Credentials Stolen Via PWA Apps

Karolis Liucveikis Written by on

Threat actors have begun using progressive web applications (PWA) to impersonate banking apps with the goal of tricking victims into unwillingly handing over online banking credentials.

Banking Credentials Stolen Via PWA Apps

PWAs have been defined as,

...an app that's built using web platform technologies, but that provides a user experience like that of a platform-specific app…Like a website, a PWA can run on multiple platforms and devices from a single codebase. Like a platform-specific app, it can be installed on the device, can operate while offline and in the background, and can integrate with the device and with other installed apps.

In practice, this app design methodology is used to create cross-platform applications that can be installed directly from the browser and offer a native-like experience through features like push notifications, access to device hardware, and background data syncing.

Threat actors have adapted this methodology as malicious apps can be created for phishing. Further, malicious PWAs can bypass app installation restrictions, gain access to high-risk permissions on the device without having to serve the user a standard prompt that could raise suspicion, and evade detection by installed security measures.

The technique was first seen targeting Polish users in 2023, followed by a campaign targeting Czech users. This technique can be used to target either Android or iOS users. Security firm ESET is currently tracking three distinct campaigns using this technique.

In ESET's article, the details of all three campaigns, one targeting Czech users, one targeting the Hungarian financial institution OTP Bank, and the other targeting TBC Bank in Georgia, have been provided to the public.

The attack campaigns seen by ESET security researchers have three mechanisms to deliver malicious URLs, which kick off the infection chain. The three mechanisms relied on by threat actors include automated voice calls, SMS messages, and social media malvertising.

Spreading malicious links via social media involved threat actors registering advertisements on Meta platforms like Instagram and Facebook. These ads included a call to action, like a limited offer for users who clicked a download link.

ESET researchers noted that this technique allows threat actors to specify the target audience by age, gender, or other filters using the Meta advertising tools. The advertisements would then appear in a victim's social media feed.

If the recipient of a voice call, SMS, or malicious advertisement clicked the link, they would be presented with either a phishing page impersonating the Google Play Store or the Apple Store, depending on their device. Researchers saw only Google Play versions in the wild, but redirecting them to the Apple Store would be well within the malware's capabilities.

Users are then asked to install a new version of the banking application. If clicked, this will then download the malicious application from the website to harvest the victim's banking credentials.

The installation of a malicious application from the website directly on the victim's phone, either in the form of a WebAPK for Android users only or as a PWA for iOS and Android users if the campaign is not WebAPK-based.

This crucial installation step bypasses traditional browser warnings of "installing unknown apps." It is important to note that this is the default behavior of Chrome's WebAPK technology, which the attackers abuse.  

For iOS users, the process is a little different. An animated pop-up instructs victims how to add the phishing PWA to their home screen. The pop-up copies the look of native iOS prompts, hoping to deceive the victim into believing the application they are about to install is legitimate. Ultimately, even iOS users are not warned about adding a potentially harmful app to their phones.

Use of Telegram Bots

In one of the attack campaigns, a Telegram bot was used to log all entered information into a Telegram group chat via the official Telegram API. While another used a traditional command and control server setup complete with an administrative panel.

On the use of Telegram bots, researchers stated,

All stolen login information was logged via a backend server, which then sent the user’s entered banking login data into a Telegram group chat. HTTP calls to send messages to the threat actor’s group chat were made via the official Telegram API. This is not a new technique and is used in various phishing kits.

In conclusion, it was noted,

We identified a novel method of phishing, combining well-established methods of social engineering along with the cross-platform technology of PWA applications. Cases targeting Android users, specifically via a copycat page of the targeted app’s Google Play store page and using WebAPK technology, were also found…Most of the known cases have been inside Czechia, with only two phishing applications appearing outside of this region (in Hungary and Georgia)...Because two drastically different C&C infrastructures were employed, we have determined that two different groups are responsible for the spread of the phishing apps.

ESET researchers further believe that other threat actors and groups will begin copying this technique in the near future. This is primarily due to the difficulty in detecting a malicious app from a legitimate one once it is installed on an Android or iOS device.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

New Removal Guides
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal

Top Removal Guides
Latest News
Blog