A new phishing campaign has emerged, targeting mobile users in the Czech Republic with the aim of stealing their banking credentials. This sophisticated attack leverages Progressive Web Applications (PWAs) to trick users into downloading fraudulent banking apps, posing a serious threat to customers of Československá obchodní banka (CSOB) in the Czech Republic, OTP Bank in Hungary, and TBC Bank in Georgia.
The campaign targets both iOS and Android platforms, employing different methods for each. iOS users are directed to add a seemingly legitimate PWA to their home screens, while Android users are prompted to install a PWA or WebAPK after interacting with misleading pop-ups. These counterfeit apps closely resemble genuine banking apps, making it difficult for users to distinguish the real versions from the fake ones.
The way this attack gets around established security measures is quite concerning. Normally, users would need to allow sideloading in order to install software from third-party sites, but the attackers have discovered a way around this restriction. By abusing Chrome's WebAPK technology, the malicious app can be installed without triggering the standard warnings about “installing unknown apps.”
Phishing links targeting mobile users are distributed via social media, SMS, and automated voice calls, leading to fake banking app installations.
Phishing links are spread using a variety of platforms, such as Facebook, Instagram, SMS messaging, and automated voice calls. The audio calls are particularly convincing: they tell users that their banking app is out of date and ask them to choose a number. Selecting that option results in a phishing URL being sent to the victim. Upon clicking the link, visitors are redirected to a webpage that spoofs either the official banking app or the Google Play Store. The end result is the installation of the PWA or WebAPK.
This campaign’s main goal is to obtain users’ banking credentials through the fake app and transfer them to an attacker-controlled Telegram group chat or command-and-control (C2) server. These fraudulent applications are quite effective because of their realistic design, which leads users to trust them without realising they are being deceived.
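The two defensive checks below are added examples and are not code from the original article or from the researchers it cites. The first covers the install flow described above: a PWA or WebAPK is defined by its web app manifest, so a brand-protection or fraud team can inspect manifests served from suspicious pages and flag ones that carry a protected bank's name while their origin and `start_url` point somewhere else. The second covers the exfiltration step: the Telegram Bot API has a fixed URL shape (`https://api.telegram.org/bot<token>/<method>`), so egress or proxy logs can be scanned for it and the bot token redacted before the hit is recorded. The bank domains, manifests and log lines are constructed placeholders, not the banks' real domains or real traffic; the token pattern is an approximation of Telegram's format.

```python
"""Defensive checks for the PWA/WebAPK banking-phishing pattern (added example)."""
import json
import re
from collections import Counter
from urllib.parse import urljoin, urlparse

# Assumed legitimate origins per brand. These are placeholders, not the banks' real domains.
PROTECTED_BRANDS = {
    "csob": ("csob.example",),
    "otp": ("otpbank.example",),
    "tbc": ("tbcbank.example",),
}


def host_matches(host, allowed):
    """True when host is one of the allowed domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def check_manifest(manifest_text, page_url):
    """Return a list of findings for a web app manifest; an empty list means nothing suspicious."""
    findings = []
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError:
        return ["manifest is not valid JSON"]
    page_host = urlparse(page_url).hostname or ""
    # start_url is usually relative; resolve it against the page that served the manifest.
    start_host = urlparse(urljoin(page_url, manifest.get("start_url", ""))).hostname or ""
    names = " ".join(str(manifest.get(k, "")) for k in ("name", "short_name")).lower()
    tokens = set(re.findall(r"[a-z0-9]+", names))  # whole-word match avoids "otp" inside other words
    for brand, allowed in PROTECTED_BRANDS.items():
        if brand not in tokens:
            continue
        if not host_matches(page_host, allowed):
            findings.append(f"brand '{brand}' served from non-brand host {page_host}")
        if not host_matches(start_host, allowed):
            findings.append(f"brand '{brand}' start_url resolves to {start_host}")
    # Standalone/fullscreen display hides the browser chrome, which is what makes the fake look native.
    if findings and manifest.get("display") in ("standalone", "fullscreen"):
        findings.append("display mode hides browser UI (%s)" % manifest["display"])
    return findings


# Telegram Bot API URL shape: https://api.telegram.org/bot<id>:<secret>/<method>. Secret pattern is approximate.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>\w+)"
)
# Methods that push data out of the device, as opposed to polling for operator commands.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def scan_egress_log(lines):
    """Return one hit per line that calls the Telegram Bot API, with the token redacted."""
    hits = []
    for line in lines:
        match = BOT_API_RE.search(line)
        if not match:
            continue
        src = line.split()[0]
        redacted = match.group("bot_id") + ":" + match.group("secret")[:4] + "..."
        method = match.group("method")
        hits.append({
            "src": src,
            "token": redacted,
            "method": method,
            "kind": "exfil" if method in EXFIL_METHODS else "c2-poll",
        })
    return hits


def hits_per_source(hits):
    """Count Bot API calls per client address, for triage."""
    return Counter(h["src"] for h in hits)


# Constructed samples for a stand-alone run; none of these are real sites, apps or traffic.
FAKE_PAGE = "https://csob-update.example/app/"
FAKE_MANIFEST = '{"name": "CSOB Smart", "short_name": "CSOB", "start_url": "/app/", "display": "standalone"}'
GENUINE_PAGE = "https://www.csob.example/smart/"
GENUINE_MANIFEST = '{"name": "CSOB Smart", "start_url": "/smart/", "display": "standalone"}'
SAMPLE_LOG = """\
10.0.0.12 GET https://www.unrelated-site.example/manifest.json
10.0.0.12 POST https://api.telegram.org/bot1234567890:AAExampleSecretTokenValue_0000000000/sendMessage
10.0.0.25 GET https://api.telegram.org/bot9876543210:BBAnotherExampleSecret_1111111111/getUpdates
10.0.0.31 GET https://web.telegram.org/
"""

if __name__ == "__main__":
    print("fake manifest:", check_manifest(FAKE_MANIFEST, FAKE_PAGE))
    print("genuine manifest:", check_manifest(GENUINE_MANIFEST, GENUINE_PAGE))
    found = scan_egress_log(SAMPLE_LOG.splitlines())
    print("bot api hits:", found)
    print("per source:", hits_per_source(found))
```

Running the module prints three findings for the constructed fake manifest (non-brand host, off-brand `start_url`, standalone display), none for the genuine one, and two Bot API hits from the sample log with the secret part of each token cut to four characters so the redacted hit can be stored in a ticket without leaking the credential.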
Researchers report that further waves of attacks were observed in March and May 2024, while the first known use of this PWA-based phishing technique dates to early November 2023. The campaign, which targets a diverse spectrum of users across many channels, demonstrates a high degree of sophistication and adaptability.
Alongside this PWA-based attack, cybersecurity specialists have discovered a new version of the Gigabud Android trojan, which spreads through phishing websites that imitate the Google Play Store, various banks, and government agencies. The malware can gather private data from compromised devices, such as banking login credentials and screenshots, underscoring the growing threats facing mobile users.
This current round of attacks highlights how important it is for consumers to protect their financial and personal information in an increasingly digital environment by being alert and taking preventative action.