Exploited WebAPK lures users into installing malicious apps

July 27, 2023
Exploit WebAPK Malicious Apps Mobile Malware

Threat actors use Android’s WebAPK technology to deceive unknowing users into installing malicious web applications to harvest sensitive personal information on Android phones.

Based on reports, this new campaign starts with victims receiving SMS messages that prompt them to update a mobile banking application. Next, the attached link in the SMS redirects the user to a site that uses WebAPK technology to install a malicious app on the targeted device.

Moreover, the application impersonates PKO Bank Polski, a Warsaw-based multinational banking and financial services firm.

WebAPK is an Android technology that enables users to install web apps on their devices.

Researchers explained that the attackers abused WebAPK because it allows users to install progressive web apps (PWAs) to their home screen on Android devices without going through the Google Play Store.

Google has explained that when a user installs a PWA from Google Chrome and that PWA uses WebAPK, a minting server builds the package and signs an APK for the PWA.

The signing process takes some time, but once the APK is ready the browser installs the app silently on the user's device. Because the package comes from trusted providers such as Play Services and Samsung, the phone installs it without any security settings having to be turned off, so the campaign needs no sideloading techniques to get the app onto the device.

Once installed, the attackers' fake banking app prompts users to enter their credentials and two-factor authentication (2FA) codes, which ultimately leads to information theft.

Experts explained that one difficulty in countering such campaigns is that WebAPK applications have different package names and checksums on each device. Because these packages are generated by Google's minting engine, using such data as Indicators of Compromise (IoCs) is challenging.

Therefore, organisations should block websites that use the WebAPK mechanism to carry out phishing attacks in order to counter such infection attempts. These details come from recent research into the surge of threat actors leveraging specialised Android device-spoofing tools that are available on underground markets and the dark web.
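To illustrate the IoC problem described above, here is an added example (not from the article or the researchers) that compares matching installed WebAPKs by per-device artefacts (package name, checksum) with matching by the web origin the PWA was minted from. The inventory records, the `start_url` field and the phishing host are constructed for the demo; the `org.chromium.webapk.` package prefix is the one Chrome uses for minted WebAPKs.

```python
# Added example: why hash/package-name IoCs fail for WebAPK phishing apps,
# and how matching on the PWA's web origin avoids that problem.
from urllib.parse import urlsplit

# Constructed inventory of installed WebAPKs from three devices. Package names
# and checksums differ per device because each WebAPK is minted individually;
# only the PWA's start URL (an assumed inventory field) is stable across them.
INVENTORY = [
    {"device": "dev-1", "package": "org.chromium.webapk.a1b2c3d4e5f60718",
     "sha256": "11" * 32, "start_url": "https://bank-update.example/login"},
    {"device": "dev-2", "package": "org.chromium.webapk.0f9e8d7c6b5a4938",
     "sha256": "22" * 32, "start_url": "https://bank-update.example/login?u=2"},
    {"device": "dev-3", "package": "org.chromium.webapk.5555666677778888",
     "sha256": "33" * 32, "start_url": "https://pwa.legit-shop.example/"},
]

# Artefact IoCs as a peer might share them: taken from ONE victim device.
HASH_IOCS = {"11" * 32}
PACKAGE_IOCS = {"org.chromium.webapk.a1b2c3d4e5f60718"}
# Origin-based blocklist (constructed phishing host for this demo).
ORIGIN_BLOCKLIST = {"bank-update.example"}


def origin_host(start_url: str) -> str:
    """Normalise a PWA start URL to its lower-case host (no port, path or
    query) so that per-device URL variation does not matter."""
    return (urlsplit(start_url).hostname or "").lower()


def host_blocked(host: str, blocklist: set) -> bool:
    """True if host equals, or is a subdomain of, a blocklisted host."""
    return any(host == b or host.endswith("." + b) for b in blocklist)


def match_by_artifact(inventory) -> list:
    """Classic IoC matching: hits only on the device the artefacts came from."""
    return [e["device"] for e in inventory
            if e["sha256"] in HASH_IOCS or e["package"] in PACKAGE_IOCS]


def match_by_origin(inventory) -> list:
    """Origin matching: hits on every device running the same phishing PWA."""
    return [e["device"] for e in inventory
            if host_blocked(origin_host(e["start_url"]), ORIGIN_BLOCKLIST)]


if __name__ == "__main__":
    print("artefact IoCs flag:", match_by_artifact(INVENTORY))   # ['dev-1']
    print("origin blocklist flags:", match_by_origin(INVENTORY))  # ['dev-1', 'dev-2']
```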
