A new cybercrime campaign detected by analysts at cybersecurity firm ESET is using a different method than other common hacking attempts, consisting of the use of so-called Progressive Web Applications (PWA) to install malware on victims’ smartphones.
This campaign, targeting iPhone and Android users in Hungary, the Czech Republic and Georgia, used PWAs because they are links to websites that appear to be real apps, which can be confusing for some people.
PWAs on a computer are something like links to web pages that can be installed on the computer as a shortcut, but are somewhat more complete than a simple link. They offer a more convenient way to use applications, but their activity still takes place on the web. ESET defines them as “applications built with traditional web application technologies that can run on multiple platforms and devices.”
Hackers have used the Android equivalent of PWAs, called WebAPKs, to trick users into thinking they were installing a legitimate app from their bank. The main advantage is that WebAPKs do not require permission to install unknown or third-party apps, as they are not actually apps. However, WebAPKs do install an APK (Android Package Kit) file on the Android system.
Something similar happens on the iPhone, where no warning is issued to the user about installing the PWA. On iOS, however, the process is somewhat different: a pop-up is displayed with instructions on how to add the PWA to the home screen.
The victims received a message impersonating their bank via SMS, voice call or malicious advertising, the three contact channels the hackers used. The message warned the user that their banking app was out of date and that it was vitally important to install the new version. A link led to a fake website impersonating the Play Store, which provided the download link for the WebAPK. The victims downloaded this malicious package to their mobile without receiving a warning from the device, because it was a WebAPK. If they entered their banking credentials, the cybercriminals would instantly take over their account.
However, WebAPKs should be easily distinguishable from regular apps because they include the icon of the user’s Internet browser in their logo, as can be seen in the image above.
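The browser icon in the logo is a visual cue; on a handset an analyst is reviewing, the package inventory gives a more reliable one. The following is an added example, not code from ESET or from the report: it parses the line format printed by `adb shell pm list packages -i` and flags packages whose name carries the `org.chromium.webapk.` prefix that Chrome uses for WebAPKs, plus packages whose recorded installer is not the Play Store. The inventory text is constructed, and every package name in it other than the WebAPK prefix is a placeholder.

```python
"""Triage an Android package inventory for WebAPK (installed PWA) entries.

Added example, not code from the ESET report. It parses the line format
printed by `adb shell pm list packages -i` and flags two things an analyst
reviewing a possibly phished phone would want to see:
  * packages whose name starts with org.chromium.webapk., the prefix Chrome
    uses for WebAPKs (a banking "app" with this prefix is a web shortcut);
  * packages whose recorded installer is not the Play Store.
All package names below except the WebAPK prefix are constructed placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

WEBAPK_PREFIX = "org.chromium.webapk."
PLAY_STORE = "com.android.vending"

# Constructed sample of `pm list packages -i` output (not captured from a real device).
SAMPLE_INVENTORY = """\
package:com.android.vending  installer=null
package:com.example.realbank  installer=com.android.vending
package:org.chromium.webapk.a1b2c3d4e5f6  installer=com.android.vending
package:com.example.weather  installer=com.example.fileinstaller
"""

LINE_RE = re.compile(r"^package:(?P<name>\S+)\s+installer=(?P<installer>\S+)$")


@dataclass(frozen=True)
class PackageEntry:
    name: str
    installer: str  # "null" when the system has no installer record

    @property
    def is_webapk(self) -> bool:
        return self.name.startswith(WEBAPK_PREFIX)

    @property
    def from_play_store(self) -> bool:
        return self.installer == PLAY_STORE


def parse_inventory(text: str) -> list[PackageEntry]:
    """Parse `pm list packages -i` lines; an unrecognised line raises rather than being skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised inventory line: {line!r}")
        entries.append(PackageEntry(match["name"], match["installer"]))
    return entries


def triage(text: str) -> dict[str, list[str]]:
    """Return the package names an analyst should review, grouped by reason."""
    entries = parse_inventory(text)
    return {
        # Web shortcuts packaged as APKs: verify the site behind each one.
        "webapk": [e.name for e in entries if e.is_webapk],
        # Installed by something other than the Play Store and not preinstalled:
        # the campaign above relied on a download from a fake store page.
        "non_store_installer": [
            e.name for e in entries
            if not e.from_play_store and e.installer != "null"
        ],
    }


if __name__ == "__main__":
    for reason, names in triage(SAMPLE_INVENTORY).items():
        print(f"{reason}: {names}")
```

Feed it the real `pm list packages -i` output from `adb` and each WebAPK shows up regardless of what name and icon it presents on the home screen, which is the distinction the next section says users find hard to make.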
Facebook and Instagram Ads
One of the ways the hackers contacted their victims, as we said, was through advertisements on Meta’s social networks, such as Facebook or Instagram. This is not the first time a cybercriminal group has managed to sneak advertising onto these platforms, even though it is an outright scam. These ads encouraged users to download the file with calls to action, such as claiming to offer the user discounts or offers if they hurriedly updated their banking app.
ESET expects more fake apps to be created and distributed in the form of WebAPKs, as after installation, “it is difficult to separate legitimate apps from phishing ones.”