Android and iOS users targeted with novel banking app phishing campaign


It looks just like a banking app, but it’s actually a malicious website packaged as an app. Threat actors are bypassing iOS and Android defenses in novel ways, with a new campaign affecting users in Eastern Europe.

iOS typically doesn’t allow third-party apps, and Android users need to explicitly approve them. However, cybercriminals have found a way to bypass these restrictions without any warnings using so-called Progressive Web Applications (PWAs).

PWAs are not real apps but appear like genuine ones in the device’s app launcher. Essentially, they launch a web page packaged as an app.

That’s all cybercriminals need. ESET has found that threat actors increasingly create fake banking “apps,” directing victims to phishing sites indistinguishable from real banking apps.

A massive malicious campaign has hit Eastern Europe, urging users to “update” their banking apps. Czech citizens are being bombarded with automated calls, SMS messages, and malicious ads on social media. Similar campaigns were previously observed in Poland, Hungary, and Georgia.

“This technique is noteworthy because it installs a phishing application from a third-party website without the user having to allow third-party app installation. For iOS users, such an action might break any “walled garden” assumptions about security,” ESET warns in a report.

How does the attack work?

Firstly, scammers need users to click on malicious links indiscriminately delivered via SMS or social media malvertising. They can also be spread via automated calls warning about out-of-date banking apps – users are asked to select an option on the numeric keyboard, and then they receive a phishing URL via SMS.

The malicious ads, which included limited-time offers for users who “download an update now,” were posted on Instagram and Facebook. If the user clicks the link, they’re presented with a high-quality imitation of the Google Play store page or a copycat of the targeted bank’s website.

[Figure: malicious ad, source ESET]

The websites appear legitimate and use visuals from well-known applications, and only the website address reveals malicious intentions.

[Figure: malicious page as seen on iOS]

“From here, victims are asked to install a “new version” of the banking application,” ESET writes. “Clicking on the install/update button launches the installation of a malicious application from the website directly on the victim’s phone.”

The fake app can take two forms. For Android users, it can be a WebAPK or a PWA; for iOS users, it can only be a PWA. Both add an icon to the menu bar or home screen, mimicking a real app. When launched, they load the web page. A WebAPK can be considered an upgraded version of a PWA, as it is delivered in APK form.
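The article notes that the page looks like the bank and that only the website address gives it away, and that the PWA or WebAPK then runs that page as an app with its own icon. What a browser installs is driven by the site's web app manifest, so a defender (a bank's fraud team, or a takedown/monitoring pipeline) can inspect manifests it encounters and flag the combination the report describes: bank branding, served from an origin the bank does not own, in a display mode that hides the address bar. The following is an added example, not ESET's tooling or anything from the report; the bank name, origins and both manifests are constructed for the demonstration.

```python
import json
from urllib.parse import urljoin, urlsplit

# Constructed: the origin(s) a hypothetical bank really serves its app from,
# and the brand keyword a phishing page would reuse in its name or hostname.
TRUSTED_ORIGINS = {"https://app.examplebank.example"}
BRAND_KEYWORDS = {"examplebank"}


def origin_of(url: str) -> str:
    """Return the lower-cased scheme://host[:port] part of a URL."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def analyze_manifest(manifest_text: str, page_url: str,
                     trusted_origins=TRUSTED_ORIGINS,
                     brand_keywords=BRAND_KEYWORDS) -> dict:
    """Inspect a web app manifest fetched from page_url and report the
    indicators a fake banking PWA would show. Only the origin the manifest
    resolves to is trusted, never the name or the icons."""
    manifest = json.loads(manifest_text)

    # start_url is resolved relative to the page, the same way the browser
    # does when it creates the home-screen icon; this is what the icon opens.
    start_url = urljoin(page_url, manifest.get("start_url", "/"))
    origin = origin_of(start_url)
    host = urlsplit(start_url).hostname or ""

    # "standalone"/"fullscreen" remove the browser chrome, so the one clue the
    # article says remains (the address bar) is not shown to the victim.
    hides_address_bar = manifest.get("display") in ("standalone", "fullscreen")

    # Brand use: the app calls itself like the bank, or the hostname embeds
    # the bank's name (typical for lookalike domains).
    names = " ".join(str(manifest.get(k, "")) for k in ("name", "short_name")).lower()
    uses_brand = any(kw in names or kw in host for kw in brand_keywords)

    findings = []
    if uses_brand and origin not in trusted_origins:
        findings.append(f"bank branding served from untrusted origin {origin}")
    if findings and hides_address_bar:
        findings.append(f"display={manifest['display']} hides the address bar")

    return {
        "origin": origin,
        "uses_brand": uses_brand,
        "hides_address_bar": hides_address_bar,
        "findings": findings,
    }


# Constructed manifests: one as the bank would publish it, one as a copycat
# site on a lookalike domain would.
LEGIT_PAGE_URL = "https://app.examplebank.example/manifest.json"
LEGIT_MANIFEST = json.dumps({
    "name": "ExampleBank", "short_name": "ExampleBank",
    "start_url": "/", "display": "standalone",
})

PHISHING_PAGE_URL = "https://examplebank-update.example/app/manifest.json"
PHISHING_MANIFEST = json.dumps({
    "name": "ExampleBank (new version)", "short_name": "ExampleBank",
    "start_url": "/login", "display": "standalone",
})


if __name__ == "__main__":
    for label, text, url in (("legit", LEGIT_MANIFEST, LEGIT_PAGE_URL),
                             ("copycat", PHISHING_MANIFEST, PHISHING_PAGE_URL)):
        print(label, analyze_manifest(text, url))
```

The legitimate manifest also uses `display: standalone`; that alone is not an indicator, which is why it is reported only alongside a branding/origin mismatch. The decisive check is the resolved origin of `start_url` against an allowlist the bank maintains, which is exactly the "website address" the article says is the only visible giveaway.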

“Insidiously, installing a PWA/WebAPK application does not warn the victim about installing a third-party application.”

Once the user presses install or update, the fake app appears on the device’s home screen. Opening it leads to a phishing login page.

[Figure: fake banking app icon on the home screen]

ESET noted that even if an Android user checks the application’s info tab, it will state that the app was downloaded from the Google Play Store, which is the default behavior for all WebAPK apps.

At least two threat actors utilizing the novel method

ESET researchers also discovered two drastically different command and control (C&C) infrastructures employed to scam people. They assume that two different groups are responsible for spreading the fake apps.

“One group used a Telegram bot to log all entered information into a Telegram group chat via the official Telegram API, and another used a traditional C&C server with an administrative panel,” ESET said.

Researchers contacted the relevant banks and reported the compromised clients’ sensitive information. They also negotiated the takedown of multiple phishing domains and C&C servers.

More copycat applications are expected to be created and distributed, as this method lets malicious actors appear as legitimate apps on user devices.

What’s even more worrisome is that browser APIs allow PWAs to request access to the microphone, geolocation, camera, and all other browser-supported functions.

“Spyware PWAs could be on the radar,” ESET warns.