Czech Mobile Users Targeted in New Banking Credential Theft Scheme

Mobile users in the Czech Republic are being targeted by a new phishing campaign that uses a Progressive Web Application (PWA) to steal banking credentials.

The attacks have focused on Československá obchodní banka (CSOB) in the Czech Republic, Hungary’s OTP Bank, and Georgian Bank, according to Slovak cybersecurity firm ESET.

Security researcher Jakub Osmani explained that the phishing websites targeting iOS users prompt victims to add a PWA to their home screens, while Android users are tricked into installing the PWA after confirming custom browser pop-ups. On both platforms, these phishing apps closely mimic legitimate banking apps, making them difficult to distinguish from the real ones.

What makes this tactic unique is that users are deceived into installing a PWA (or, in some cases on Android, a WebAPK) from a third-party site without ever having to explicitly enable sideloading.

An analysis of the command-and-control (C2) servers and backend infrastructure has revealed that two different threat actors are responsible for these campaigns. The phishing websites are distributed through automated voice calls, SMS messages, and malicious ads on social media platforms like Facebook and Instagram. The voice calls warn users about outdated banking apps and prompt them to select a numerical option, after which a phishing URL is sent.

When users click on the link, they are shown a fake page that mimics the Google Play Store listing for the targeted banking app or a copycat site. This leads to the “installation” of the PWA or WebAPK under the guise of an app update.

Osmani highlighted that this installation process bypasses traditional browser warnings for “installing unknown apps,” exploiting the default behavior of Chrome’s WebAPK technology. Installing a WebAPK also doesn’t trigger any warnings about “installation from an untrusted source.”

For Apple iOS users, instructions are given to add the fake PWA to the Home Screen. The campaign’s ultimate goal is to capture the banking credentials entered in the app and exfiltrate them to an attacker-controlled C2 server or a Telegram group chat.
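The lure described above works because a PWA's web app manifest controls the installed app's name, icon and whether the browser's address bar is shown, so a manifest served from an attacker's domain can look like a bank's app once it sits on the home screen. As an added example that is not part of ESET's research or this article, the following Python heuristic reviews a fetched manifest from a defender's side: it flags a manifest that carries a bank brand name while being served from a host outside that bank's known domains, and then notes the supporting signals (standalone display, off-origin icons or start URL). The brand-to-domain map, the hostnames and both sample manifests are constructed for illustration and would be replaced with a verified allowlist in practice.

```python
import json
from urllib.parse import urlparse

# Constructed allowlist (assumption, not from the article): brand keyword -> hosts
# that legitimately serve that bank's web app. Verify these before real use.
BANK_ORIGINS = {
    "csob": {"csob.cz"},
    "otp": {"otpbank.hu"},
}


def host_matches(host, allowed):
    """True if host equals, or is a subdomain of, any allowed domain."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def analyze_manifest(manifest_url, manifest_json):
    """Return a list of findings for a web app manifest fetched from manifest_url.

    An empty list means no brand impersonation was detected. Display mode and
    icon/start_url origin are only reported once a brand mismatch exists, because
    a standalone display is normal for legitimate PWAs and alone proves nothing.
    """
    findings = []
    manifest = json.loads(manifest_json)
    host = urlparse(manifest_url).netloc.lower()

    # Name fields are what the user sees on the home screen.
    names = " ".join(str(manifest.get(k, "")) for k in ("name", "short_name")).lower()

    impersonated = [
        brand for brand, allowed in BANK_ORIGINS.items()
        if brand in names and not host_matches(host, allowed)
    ]
    for brand in impersonated:
        findings.append(f"brand '{brand}' in manifest name but served from non-bank host {host}")
    if not impersonated:
        return findings

    # Standalone/fullscreen hides the URL bar, so the victim never sees the phishing domain.
    display = manifest.get("display")
    if display in ("standalone", "fullscreen"):
        findings.append(f"display={display} hides the address bar")

    # A start_url on another origin means the manifest is only a wrapper for a different site.
    start_host = urlparse(manifest.get("start_url", "")).netloc.lower()
    if start_host and start_host != host:
        findings.append(f"start_url origin {start_host} differs from manifest host {host}")

    # Icons hot-linked from elsewhere suggest the branding was copied rather than owned.
    for icon in manifest.get("icons", []):
        icon_host = urlparse(icon.get("src", "")).netloc.lower()
        if icon_host and icon_host != host:
            findings.append(f"icon fetched from foreign origin {icon_host}")
    return findings


# Constructed sample manifests (not real campaign artifacts).
PHISHING_MANIFEST = json.dumps({
    "name": "CSOB Smart",
    "short_name": "CSOB",
    "display": "standalone",
    "start_url": "https://play-update.example.test/login",
    "icons": [{"src": "https://www.csob.cz/static/icon-192.png", "sizes": "192x192"}],
})
LEGIT_MANIFEST = json.dumps({
    "name": "CSOB Smart",
    "short_name": "CSOB",
    "display": "standalone",
    "start_url": "/app/",
    "icons": [{"src": "/static/icon-192.png", "sizes": "192x192"}],
})

if __name__ == "__main__":
    for url, body in [
        ("https://play-update.example.test/manifest.json", PHISHING_MANIFEST),
        ("https://www.csob.cz/manifest.json", LEGIT_MANIFEST),
    ]:
        print(url)
        for finding in analyze_manifest(url, body) or ["no findings"]:
            print("  -", finding)
```

The check is deliberately origin-based rather than content-based: a phishing PWA can copy the name, icon and colours of the real app perfectly, but it cannot be served from the bank's own domain, so the host the manifest was fetched from is the one signal the lure cannot forge.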

ESET reported the first instance of phishing via PWA in early November 2023, with further waves detected in March and May 2024. The earliest known use of this technique dates back to July 2023.

This disclosure coincides with the discovery of a new variant of the Gigabud Android trojan by cybersecurity researchers. The malware is distributed through phishing websites impersonating the Google Play Store, banks, or government entities and has capabilities including data collection, banking credential theft, and screen recording.

Additionally, Silent Push recently uncovered 24 different control panels for various Android banking trojans like ERMAC, BlackRock, Hook, Loot, and Pegasus (not to be confused with NSO Group’s spyware of the same name), operated by a threat actor named DukeEugene.
