Threat actors started to use progressive web applications to impersonate banking apps and steal credentials from Android and iOS users.

Progressive web apps (PWA) are cross-platform applications that can be installed directly from the browser and offer a native-like experience through features like push notifications, access to device hardware, and background data syncing.

Using this type of apps in phishing campaigns allows evading detection, bypass app installation restrictions, and gain access to risky permissions on the device without having to serve the user a standard prompt that could raise suspicion.

The technique was first observed in the wild in July 2023 in Poland, while a subsequent campaign that launched in November of the same year targeted Czech users.

Cybersecurity company ESET reports that it is currently tracking two distinct campaigns relying on this technique, one targeting the Hungarian financial institution OTP Bank and the other targeting TBC Bank in Georgia.

However, the two campaigns appear to be operated by different threat actors. One uses a distinct command and control (C2) infrastructure to receive stolen credentials, while the other group logs stolen data via Telegram.

Infection chain

ESET says that the campaigns rely on a broad range of methods to reach their target audience, including automated calls, SMS messages (smishing), and well-crafted malvertising on Facebook ad campaigns.

In the first two cases, the cybercriminals trick the user with a fake message about their banking app being outdated and the need to install the latest version for security reasons, providing a URL to download the phishing PWA.

In the case of malicious advertisements on social media, the threat actors use the impersonated bank’s official mascot to induce a sense of legitimacy and promote limited-time offers like monetary rewards for installing a supposedly critical app update.

Depending on the device (verified via the User-Agent HTTP header), clicking on the ad takes the victim to a bogus Google Play or App Store page.

Clicking on the ‘Install’ button prompts the user to install a malicious PWA posing as a banking app. In some cases on Android, the malicious app is installed in the form of a WebAPK – a native APK generated by Chrome browser.

The phishing app uses the official banking app’s identifiers (e.g. logo legitimate-looking login screen) and even declares Google Play Store as the software source of the app.

The appeal of using PWAs on mobile

PWAs are designed to work across multiple platforms, so attackers can target a broader audience through a single phishing campaign and payload.

The key benefit, though, lies in bypassing Google’s and Apple’s installation restrictions for apps outside the official app stores, as well as “install from unknown sources” warning prompts that could alert victims to potential risks.

PWAs can closely mimic the look and feel of native apps, especially in the case of WebAPKs, where the browser logo on the icon and the browser interface within the app are hidden, so distinguishing it from legitimate applications is nearly impossible.

These web apps can get access to various device systems through browser APIs, such as geolocation, camera, and microphone, without requesting them from the mobile OS’s permissions screen.

Ultimately, PWAs can be updated or modified by the attacker without user interaction, allowing the phishing campaign to be dynamically adjusted for greater success.

Abuse of PWAs for phishing is a dangerous emerging trend that could gain new proportions as more cybercriminals realize the potential and benefits.

A few months back, we reported about new phishing kits targeting Windows accounts using PWAs. The kits were created by security researcher mr.d0x specifically to demonstrate how these apps could be used to steal credentials by creating convincing corporate login forms.

BleepingComputer has contacted both Google and Apple to ask if they plan to implement any defenses against PWAs/WebAPKs, and we will update this post with their responses once we hear back.