Mobile users in the Czech Republic are the target of a novel phishing campaign that leverages a Progressive Web Application (PWA) in an attempt to steal their banking account credentials.
The attacks have targeted the Czech-based Československá obchodní banka (CSOB), as well as the Hungarian OTP Bank and the Georgian TBC Bank, according to Slovak cybersecurity company ESET.
“The phishing websites targeting iOS instruct victims to add a Progressive Web Application (PWA) to their home-screens, while on Android the PWA is installed after confirming custom pop-ups in the browser,” security researcher Jakub Osmani said.
“At this point, on both operating systems, these phishing apps are largely indistinguishable from the real banking apps that they mimic.”
What’s notable about this tactic is that users are deceived into installing a PWA, or even WebAPKs in some cases on Android, from a third-party website without having to explicitly allow sideloading.
An analysis of the command-and-control (C2) servers used and the backend infrastructure reveals that two different threat actors are behind the campaigns.
These websites are distributed via automated voice calls, SMS messages, and social media malvertising on Facebook and Instagram. The voice calls warn users about an out-of-date banking app and ask them to select a numerical option, after which the phishing URL is sent.
Users who end up clicking on the link are shown a lookalike page that mimics the Google Play Store listing for the targeted banking app, or a copycat website for the application, ultimately leading to the “installation” of the PWA or WebAPK app under the guise of an app update.
“This crucial installation step bypasses traditional browser warnings of ‘installing unknown apps’: this is the default behavior of Chrome’s WebAPK technology, which is abused by the attackers,” Osmani explained. “Furthermore, installing a WebAPK does not produce any of the ‘installation from an untrusted source’ warnings.”
For those on Apple iOS devices, instructions are provided to add the bogus PWA app to the Home Screen. The end goal of the campaign is to capture the banking credentials entered in the app and exfiltrate them to an attacker-controlled C2 server or a Telegram group chat.
ESET said it recorded the first phishing-via-PWA incident in early November 2023, with subsequent waves detected in March and May 2024.
The disclosure comes as cybersecurity researchers have uncovered a new variant of the Gigabud Android trojan that is spread via phishing websites mimicking the Google Play Store or sites impersonating various banks or governmental entities.
“The malware has various capabilities such as the collection of data about the infected device, exfiltration of banking credentials, collection of screen recordings, etc.,” Broadcom-owned Symantec said.
It also follows Silent Push’s discovery of 24 different control panels for a variety of Android banking trojans such as ERMAC, BlackRock, Hook, Loot, and Pegasus (not to be confused with NSO Group’s spyware of the same name) that are operated by a threat actor named DukeEugene.