Criminals are misusing Android and iOS web apps for phishing

Typically, when it comes to breaches on Android and iOS, it happens via apps that you can also encounter in the Apple App Store or Google Play Store. On the one hand, criminals try to offer dangerous apps through these app stores, or distribute them via separate installation files. ESET is new this timeAttack methodIt turns out that it uses what are called Progressive Web Apps (PWAs). These are web-based apps that you install via your browser and offer similar functionality to regular mobile apps, albeit in a smaller package.

Mobile Banking Applications

ESET says the ease with which users can install such apps has now dawned on criminals as well. Cybercriminals are taking advantage of this by tricking victims into installing such an app via robocalls, text messages and malicious social media ads. They are then redirected to a link that takes them to a fake version of the App Store or Play Store in a browser of their choice. From there, they can then unsuspectingly install the dangerous web app.

Such attacks typically involve rogue banking apps. After the app is installed, an icon also appears on the home screen, often from a trusted source. The hope is that users will then try to log into that banking app. The hackers see exactly what you’ve entered, and can then access your bank account and take the money.

App Store Security

What makes these attacks so dangerous is that they are almost impossible to prevent. PWAs are not verified before you can install them, which is the case with apps in mobile app stores. While you can bypass this security quite easily on Android, it’s a different story on iOS. Even for alternative app stores in the EU, Apple has strict security rules in place. There are no similar rules for PWAs, so users can still be misled.

Equally dangerous is the fact that PWAs are indistinguishable from regular mobile apps. The icons are often identical to those of mobile apps, and sometimes the appearance of the app itself is the same. In addition, by using logos of well-known brands, users are more likely to think that this is the “real app”.

It is not known exactly how many victims this type of attack has already caused. ESET says the technology has already been deployed in Poland, the Czech Republic, Hungary and Georgia. At the moment, it seems to be mainly focused on Eastern Europe, although the technology could also be used in our region. If you fall victim to this type of attack, the first thing you should do is contact your bank or Card Stop and report it.