Fraudsters have learned to bypass Android and iOS security using web applications

The creators of phishing scams have found a way to bypass mechanisms aimed at applications that are designed to steal personal information. These measures do not work against Progressive Web Apps (PWA), whose privileges are lower and capabilities are more modest.

Image source: Gerd Altmann / pixabay.com

On iOS, you can only install applications from the App Store, and on Android, by default, you can only install applications from Google Play—if you try to use another source, the system displays a warning. Discovered over the past nine months, phishing campaigns aim to trick victims into installing a malicious application that masquerades as an official banking client. Once installed, it steals account data and sends it to the attacker in real time via Telegram, ESET experts warn.

When attacking iOS users, a traditional PWA is used – a website developed by attackers is opened not through a browser, but with an imitation of a full-fledged application; Android users are in some cases tricked into installing a special sub-version of it – WebAPK. The attack begins when a potential victim receives a text message, robocall, or clicks on a malicious ad link on Facebook✴ or Instagram✴. Once they open the link, they are taken to a page that mimics the App Store or Google Play.

In the case of iOS, installing a PWA is slightly different from installing a standard application – the user is shown a pop-up window with installation instructions, simulating a system message from the platform. If an Android user installed WebAPK via Google Play, then his vigilance is lulled by the fact that the description states that the application does not have system privileges. In any case, after installation, the user is prompted to enter his credentials to access the online bank, and all entered information is sent to a server controlled by the scammers.

The new scheme is currently being used primarily in the Czech Republic, but incidents have already been noted in Hungary and Georgia. Cybersecurity experts assume that the number of such incidents will increase and their geography will expand.