A newly discovered, sophisticated phishing tactic that leverages progressive web apps (PWAs) targets users of Android and iOS devices. Based on reports, the operation is a financial fraud campaign targeting European countries, including Hungary, the Czech Republic, and Georgia.
Researchers explained that the tactic relies on PWAs, which provide a native-app-like experience and are gaining traction among cybercriminals because they can be used to target both Android and iOS devices.
This tactic stands apart from other commonly observed attacks because it installs a phishing application from a third-party website without requiring the user to approve third-party app installation.
PWA phishing is a significant potential threat for iOS and Android users worldwide.
This phishing strategy is possible only because of how PWAs work: they eliminate the need for the user to enable third-party installation on their mobile device.
On iOS, the phishing websites impersonate popular apps on their landing pages and instruct victims to install the PWA on their home screens.
In addition, before creating these landing pages, the threat actors describe the target PWA in a single file, the manifest, which specifies how the PWA functions and sets its display mode to standalone. Hence, the PWA behaves much like a traditional mobile app.
On Android, by contrast, the attackers deploy the PWA once the user confirms custom pop-ups in the browser. This method results in the concealed installation of a WebAPK (Web Android Package Kit).
WebAPKs are a type of APK (the standard Android application file) that can be considered an enhanced form of PWA, since the Chrome browser converts the PWA into a native Android app. Researchers explain that the WebAPKs installed in the discovered phishing attempts appeared to have been installed directly from the Play Store.
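Because the manifest is the one file that defines how such a PWA looks and behaves, it is a natural place for a defender to look. The following Python is an added example, not code from the researchers or from any product: it inspects a Web App Manifest for the traits a phishing PWA depends on (a display mode that hides the URL bar, a brand-imitating name, a start_url or icon served from a host other than the manifest's own). The brand keyword list and the sample manifest are constructed for illustration.

```python
import json
from urllib.parse import urljoin, urlparse

# Constructed list of brand terms a phishing PWA might imitate; a real
# deployment would use the organisation's own product and app names.
IMPERSONATED_BRANDS = ("bank", "wallet", "pay")

# Display modes that remove the browser UI, so the victim never sees the URL bar.
NO_URL_BAR_MODES = ("standalone", "fullscreen")

def manifest_risk_signals(manifest_json: str, manifest_url: str) -> list[str]:
    """Inspect a Web App Manifest and return the risk signals it exhibits.

    The checks mirror what a PWA phishing page needs: a display mode that hides
    the URL bar, a name imitating a known brand, and a start_url or icons that
    point at an origin different from where the manifest itself is served.
    """
    m = json.loads(manifest_json)
    manifest_host = urlparse(manifest_url).netloc.lower()
    signals = []

    if m.get("display") in NO_URL_BAR_MODES:
        signals.append(f"display={m['display']}: browser URL bar is hidden")

    names = " ".join(str(m.get(k, "")) for k in ("name", "short_name")).lower()
    for brand in IMPERSONATED_BRANDS:
        if brand in names:
            signals.append(f"name imitates brand term '{brand}'")
            break

    # start_url may be relative; resolve it against the manifest location.
    start_host = urlparse(urljoin(manifest_url, m.get("start_url", "/"))).netloc.lower()
    if start_host != manifest_host:
        signals.append(f"start_url points to foreign host {start_host}")

    # An icon hot-linked from another host can indicate the real brand's artwork
    # being reused by a lookalike site.
    for icon in m.get("icons", []):
        icon_host = urlparse(urljoin(manifest_url, icon.get("src", ""))).netloc.lower()
        if icon_host != manifest_host:
            signals.append(f"icon loaded from foreign host {icon_host}")
            break
    return signals

# Constructed sample manifest: a banking lookalike served from a lookalike host.
SAMPLE_MANIFEST_URL = "https://example-bank-login.test/manifest.json"
SAMPLE_MANIFEST = json.dumps({
    "name": "Example Bank Mobile",
    "short_name": "ExampleBank",
    "display": "standalone",
    "start_url": "/login",
    "icons": [{"src": "https://www.example-bank.test/icon-192.png", "sizes": "192x192"}],
})
```

A standalone display mode is also used by many legitimate PWAs, so treat it as context that raises the weight of the other signals rather than as evidence on its own.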
This newly observed phishing strategy is becoming a serious threat in the countries it targets. Smartphone users, whether on Android or iOS, should therefore be aware of these threats to avoid falling victim to such attacks. Other countries that these phishing tactics have not yet targeted should also be prepared, as threat actors are quick to adopt such strategies for personal gain.