New phishing method designed specifically for Android and iPhone users



20 August 2024

ESET Research has identified an unusual phishing campaign targeting mobile phone users and analysed an incident in which customers of a well-known Czech bank were targeted. The method deserves attention because it installs the phishing application from a third-party website without the user ever having to allow installation of third-party applications. On Android, this can lead to the 'silent' installation of a special kind of APK, which afterwards even appears to have been installed from Google Play. The campaign also targeted iPhone (iOS) users.

Phishing websites targeting iOS invite victims to add a Progressive Web App (PWA) to their home screen, while on Android the PWA is installed after the victim confirms custom pop-ups in the browser. At this point, on both operating systems, the phishing apps closely resemble the real banking apps they mimic. PWAs are essentially websites bundled into what feels like a standalone application, an impression reinforced by the use of native system prompts. Because PWAs are cross-platform, a single campaign can target both iOS and Android users. The new technique was observed in the Czech Republic by ESET researchers working on the ESET Brand Intelligence Service, which monitors threats against customers' brands.

"For iPhone users, such an action could undermine the sense of a protected environment provided by the ecosystem," says ESET researcher Jakub Osmani, who analysed the threat.

The phishing campaign uncovered by ESET researchers used three different mechanisms to distribute URLs: automated voice calls, SMS messages and malicious social media advertising. In one case, the URL is delivered through an automated call that warns the user about an out-of-date banking application and asks them to press a button on the numeric keypad. After the correct button is pressed, a phishing URL is sent via SMS. The SMS distribution was carried out by sending messages indiscriminately to phone numbers in the Czech Republic; each message contained a phishing URL and text designed to deceive the recipient. The campaign was also spread through advertisements on Meta platforms such as Instagram and Facebook. These ads included a limited-time offer for users who would "download the following update".

After opening the URL provided in the first step, Android users are directed either to a phishing page that mimics the official Google Play store page for the banking app in question, or to a fake website for that app. From here, victims are asked to install a "new version" of the banking app.

The campaign and phishing method are only possible because of Progressive Web App (PWA) technology. In short, these are applications built with ordinary web technologies that can run on multiple platforms and devices. WebAPKs can be considered an upgraded version of PWAs: the Chrome browser produces an Android app, that is, an APK, from a PWA. These WebAPKs look like regular apps. Furthermore, installing a WebAPK does not trigger any of the "install from an untrusted source" warnings, and the application is installed even if installation from third-party sources is not allowed. For defenders this means the sideloading setting offers no protection against this technique; the only user-facing decision point is the browser's install prompt, which the phishing page dresses up as an app update.
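Because the fake apps are ordinary PWAs, the web app manifest (the JSON a page links with `<link rel="manifest">`) is an artefact a brand-protection team can fetch and triage offline. The following is an added example written for this article, not ESET's code or tooling: it resolves where a manifest's `start_url` would actually install from, compares that host against the domains a monitored brand legitimately owns, and notes two supporting tells (icons hot-linked from the genuine brand's servers, and a `display` mode that hides the address bar). The brand name, domains and both sample manifests are constructed for illustration.

```python
"""Triage a web app manifest for brand impersonation (added example, not ESET's code)."""
import json
from urllib.parse import urljoin, urlparse

# Constructed: monitored brand keyword -> hostnames the brand legitimately uses.
MONITORED_BRANDS = {
    "examplebank": {"examplebank.example", "app.examplebank.example"},
}

# Display modes that remove the browser address bar, so the victim never sees the URL.
CHROMELESS_DISPLAY = {"standalone", "fullscreen"}


def host_is_allowed(host: str, allowed: set) -> bool:
    """True if host equals an allowed hostname or is a subdomain of one.
    A plain substring test would wrongly accept examplebank.example.evil.test."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def resolve_host(manifest: dict, manifest_url: str) -> str:
    """Hostname the installed app will open. start_url is resolved relative to the
    manifest URL here (simplification: browsers resolve it against the document URL,
    which is normally the same origin)."""
    start = manifest.get("start_url") or "."
    return (urlparse(urljoin(manifest_url, start)).hostname or "").lower()


def brands_claimed(manifest: dict) -> list:
    """Monitored brand keywords appearing in the fields shown under the home-screen icon."""
    text = " ".join(str(manifest.get(k, "")) for k in ("name", "short_name", "description"))
    squashed = text.lower().replace(" ", "").replace("-", "")
    return [b for b in MONITORED_BRANDS if b in squashed]


def assess_manifest(manifest_json: str, manifest_url: str) -> dict:
    """Return install host, claimed brands, an impersonation verdict and supporting notes."""
    m = json.loads(manifest_json)
    host = resolve_host(m, manifest_url)
    brands = brands_claimed(m)
    notes, impersonation = [], False
    for brand in brands:
        if not host_is_allowed(host, MONITORED_BRANDS[brand]):
            impersonation = True
            notes.append(f"names '{brand}' but installs from {host}, not a {brand} domain")
    # Icons hot-linked from the real brand's servers while the app lives elsewhere:
    # the fake borrows the genuine logo.
    for icon in m.get("icons", []):
        icon_host = (urlparse(urljoin(manifest_url, icon.get("src", ""))).hostname or "").lower()
        for brand in brands:
            if icon_host and icon_host != host and host_is_allowed(icon_host, MONITORED_BRANDS[brand]):
                notes.append(f"icon hot-linked from genuine {brand} host {icon_host}")
    if m.get("display") in CHROMELESS_DISPLAY:
        notes.append(f"display={m['display']}: no address bar, user cannot see the URL")
    return {"host": host, "brands": brands, "impersonation": impersonation, "notes": notes}


# Constructed sample: a fake "update" served from a look-alike domain.
PHISH_MANIFEST_URL = "https://examplebank-update.example/manifest.json"
PHISH_MANIFEST = json.dumps({
    "name": "Example Bank - Update",
    "short_name": "ExampleBank",
    "start_url": "/app/",
    "scope": "/",
    "display": "standalone",
    "icons": [{"src": "https://www.examplebank.example/logo-512.png",
               "sizes": "512x512", "type": "image/png"}],
})

# Constructed sample: the genuine app's manifest on the brand's own host.
LEGIT_MANIFEST_URL = "https://app.examplebank.example/manifest.webmanifest"
LEGIT_MANIFEST = json.dumps({
    "name": "Example Bank",
    "short_name": "ExampleBank",
    "start_url": "/",
    "display": "standalone",
    "icons": [{"src": "/icons/logo-512.png", "sizes": "512x512", "type": "image/png"}],
})

if __name__ == "__main__":
    for label, url, body in (("phish", PHISH_MANIFEST_URL, PHISH_MANIFEST),
                             ("legit", LEGIT_MANIFEST_URL, LEGIT_MANIFEST)):
        print(label, json.dumps(assess_manifest(body, url), indent=2))
```

The verdict rests on the host comparison; the icon and `display` notes are context, since genuine banking PWAs also run `standalone`. On a device under investigation, WebAPKs minted by Chrome carry package names beginning with `org.chromium.webapk`, so `adb shell pm list packages org.chromium.webapk` enumerates them for the same manifest check.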

One group used a Telegram bot to collect all the information victims entered into a Telegram group chat via Telegram's official API, while the other used a traditional command-and-control (C&C) server with an administration panel. "Based on the fact that the campaigns used two different C&C infrastructures, we found that two separate groups were managing the PWA/WebAPK phishing campaigns against Czech and other banks," Osmani concludes. Most of the known cases occurred in the Czech Republic; only two phishing applications were observed outside the country (in Hungary and Georgia).

All sensitive information identified by ESET's investigation into this matter was immediately sent to the affected banks for processing. ESET also assisted in shutting down multiple online phishing addresses and C&C servers.
