Advisory ID: NCC-CSIRT-110924-008
Summary:
Researchers from anti-malware vendor ESET have identified a sophisticated phishing technique targeting iOS and Android users. The tactic involves using web applications that imitate legitimate banking software, enabling cybercriminals to bypass security measures and steal users' login credentials.
These fraudulent web apps closely replicate the interfaces of well-known financial institutions, making it difficult for users to detect the deception. Once victims enter their credentials, the information is transmitted to attackers, granting them unauthorized access to sensitive banking accounts.
Threat Type(s): Phishing and Malvertising
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Apple and Android-based Mobile Devices
Platform(s): iOS and Android OS
Version(s): All Versions
Description:
According to the researchers, attackers leveraged Progressive Web Applications (PWAs) on Apple devices—websites packaged to resemble standalone apps. These PWAs, built using web technologies, are platform-agnostic and do not require users to enable third-party app installations. On Android devices, the attackers utilized WebAPKs, a technology that allows web apps to be installed as native applications, appearing as if they were downloaded from Google Play.
In the observed attacks, iOS users were instructed to add the PWA to their home screens, while Android users were prompted to approve custom pop-ups before installing the WebAPK. WebAPKs, considered enhanced versions of PWAs, mimic native apps and do not trigger warnings on Android devices, even when installation from third-party sources is disabled. Moreover, the apps’ information pages falsely indicated that they were downloaded from Google Play.
When users opened the phishing link, they were redirected to a webpage mimicking the official Google Play or Apple App Store, or the targeted bank's website. They were then prompted to install an updated version of the banking app, which led to the installation of the malicious web app without triggering any security alerts. Once installed, the PWA or WebAPK placed an icon on the home screen, and opening it led directly to a phishing login page designed to steal users' credentials.
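One defensive check that follows from the technique described above is to inspect the web app manifest a site serves when it asks to be added to the home screen: a PWA or WebAPK gets its displayed name from the manifest, so a manifest that names a bank while its start URL resolves to a host the bank does not own is a strong phishing signal. The script below is an added example (not ESET's tooling or code from this advisory); the brand allowlist, the sample manifest and the look-alike host are constructed values.

```python
import json
from urllib.parse import urljoin, urlparse

# Constructed allowlist: brand keyword -> hosts that legitimately serve that
# brand's web app (hypothetical values, not real bank domains).
BRAND_HOSTS = {
    "examplebank": {"examplebank.com"},
}

def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def _in_domain(host: str, base: str) -> bool:
    return host == base or host.endswith("." + base)

def check_manifest(manifest_json: str, page_url: str) -> list:
    """Return a list of findings for a web app manifest served from page_url.

    An empty list means nothing in the manifest contradicts the brand it claims.
    """
    m = json.loads(manifest_json)
    findings = []
    # The home-screen icon label comes from name/short_name, so that is what
    # the victim sees; compare it against the host the app actually opens.
    label = (str(m.get("name", "")) + " " + str(m.get("short_name", ""))).lower()
    compact = label.replace(" ", "")
    start_host = _host(urljoin(page_url, m.get("start_url", "/")))
    page_host = _host(page_url)
    for brand, hosts in BRAND_HOSTS.items():
        if brand in compact and not any(_in_domain(start_host, h) for h in hosts):
            findings.append(f"manifest claims '{brand}' but start_url opens {start_host}")
    if start_host != page_host:
        findings.append(f"start_url host {start_host} differs from serving host {page_host}")
    # standalone/fullscreen hides the browser address bar, so once launched from
    # the home screen the user has no way to see the real origin; report it only
    # when the manifest is already suspicious, since legitimate PWAs use it too.
    if findings and m.get("display") in ("standalone", "fullscreen"):
        findings.append("display mode hides the address bar, concealing the real origin")
    return findings

# Constructed sample: a manifest impersonating the brand, served from a look-alike host.
SAMPLE_MANIFEST = json.dumps({
    "name": "Example Bank Mobile",
    "short_name": "ExampleBank",
    "start_url": "/login",
    "display": "standalone",
})
SAMPLE_PAGE_URL = "https://examplebank-update.example.net/app/"

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST, SAMPLE_PAGE_URL):
        print("FINDING:", finding)
```

The same manifest served from the brand's own host yields no findings, which is the behaviour a web proxy or mobile security product would key on when deciding whether to block the "install update" page.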
Solution:
- Users should avoid installing apps that are not available on official platforms like the Play Store or Apple App Store.
- Always verify any messages received via SMS, email, or social media before taking action.
- If prompted to update an app via text message, visit the official website or app store to confirm the update before proceeding.
- Be cautious when dealing with Progressive Web Applications (PWAs) and avoid installing them from untrusted or suspicious websites.
- Use a reliable security solution that can detect and block websites using PWAs and WebAPKs for phishing attacks.
- Multi-factor authentication and user education on phishing threats are essential to enhance security.