ESET announces the discovery of a new phishing technique targeting iPhone and Android users. The technique allows cybercriminals to install a malicious program from a website without the user having to permit the installation of third-party applications.
Phishing websites targeting iOS encourage victims to add a progressive web application, or PWA (a hybrid of a regular web page and a mobile app), to their home screens, while on Android the malware is installed after the user confirms special pop-ups in the browser. At the moment, on both operating systems, these phishing programs are virtually indistinguishable from the genuine banking applications they masquerade as.
ESET researchers have identified a series of phishing attacks that used three different mechanisms to distribute links to malicious sites: automated voice calls, SMS messages, and malicious social media ads. The first method involves an automated call that warns the user about an outdated banking program and asks them to select an option on the numeric keypad. After a certain button is pressed, a phishing URL is sent via SMS. The SMS messages included a phishing link and text urging victims to click on it. The malicious ads were distributed on Instagram and Facebook and contained a call to action, such as an offer for victims to download an update.
When Android users clicked on the link, they were taken to either a phishing page disguised as the official Google Play store page for a particular banking application or a copycat site for that application. From there, victims were asked to install a “new version” of the Internet banking application.
This method of distribution was made possible by progressive web application technology. PWAs are applications created using traditional web technologies that can run on multiple platforms and devices. WebAPKs are an upgraded form of progressive web apps: the Chrome browser generates an Android app from a PWA. These WebAPKs look like regular apps, and their installation does not trigger any warnings about “installing from an untrusted source”. The application is installed even if installation from third-party sources is prohibited.
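Because a WebAPK installs without the untrusted-source warning, defenders have to find it in the device inventory instead. The following added example (not ESET's code) flags Chrome-generated WebAPKs whose label uses a protected bank brand while their start URL points to a host outside the bank's own domains; the inventory format, brand name and domains are constructed assumptions, and the `org.chromium.webapk.` package prefix is the one Chromium assigns to generated WebAPKs.

```python
from urllib.parse import urlsplit

# Package-name prefix Chromium gives to the WebAPKs it generates.
WEBAPK_PREFIX = "org.chromium.webapk."

# Hypothetical allowlist: protected brand -> domains the bank really uses.
BRAND_HOSTS = {"example bank": {"example-bank.test"}}

# Constructed inventory rows (package, home-screen label, start URL),
# in the shape an MDM or mobile-EDR export might provide (assumption).
INVENTORY = [
    ("org.chromium.webapk.a1constructed", "Example Bank",
     "https://ib.example-bank.test/start"),
    ("org.chromium.webapk.b2constructed", "Example Bank Update",
     "https://example-bank.test.login.invalid/app"),
    ("com.examplebank.mobile", "Example Bank", ""),  # native app, out of scope
    ("org.chromium.webapk.c3constructed", "Weather", "https://weather.test/"),
]


def host_allowed(host, allowed):
    """True if host is an allowed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def triage(inventory, brand_hosts=BRAND_HOSTS):
    """Return WebAPKs that carry a protected brand but start on a foreign host."""
    findings = []
    for package, label, start_url in inventory:
        if not package.startswith(WEBAPK_PREFIX):
            continue  # only Chrome-generated WebAPKs are examined here
        host = urlsplit(start_url).hostname or ""
        for brand, allowed in brand_hosts.items():
            # Suffix matching on the registered domain defeats look-alike
            # hosts that merely begin with the bank's name.
            if brand in label.casefold() and not host_allowed(host, allowed):
                findings.append((package, label, host))
    return findings


if __name__ == "__main__":
    for package, label, host in triage(INVENTORY):
        print(f"review: {package} labelled {label!r} starts at {host}")
```
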
Most of the known cases occurred in the Czech Republic, with only two phishing programs appearing in Hungary and Georgia. ESET sent relevant information to the banks whose fake websites were created, and also helped with the removal of several phishing domains and command servers.
Due to the danger of the threat spreading to other countries, ESET experts recommend not clicking on suspicious links in advertisements and SMS messages, downloading only verified applications and updates from official stores, monitoring program permissions, and using reliable solutions to protect your mobile devices from the most advanced Internet threats.


