ESET has published its threat report for the second half of 2024, outlining a new social engineering tactic targeting mobile banking users.
Threat actors are using Progressive Web Apps (PWAs) and WebAPKs to bypass mobile security measures, since these files don’t require users to grant permissions to install apps from unknown sources.
“The initial phishing messages were delivered through various methods, including SMS, automated voice calls, and social media malvertising,” ESET says.
“Victims received messages or calls suggesting the need to update their mobile banking applications or informing them of potential tax refunds. These messages, sent to presumably random numbers, contained links directing victims to phishing websites mimicking legitimate banking sites. Malvertising on Facebook and Instagram promoted a fake banking app, falsely claiming that the official app was being decommissioned.”
The apps are designed to trick users into entering their banking credentials, and they can also intercept multi-factor authentication codes.
“Once installed, the malicious apps ESET researchers analyzed behave like standard mobile banking malware and present fake banking login interfaces, prompting victims to enter their credentials,” the researchers write. “The stolen credentials, including login details, passwords, and two-factor authentication codes, are then transmitted to the attackers’ command and control servers, so that the attackers can gain unauthorized access to victims’ accounts.”
The researchers expect to see an increase in this phishing technique over the coming year, so users should be wary of installing apps linked in unsolicited messages.
“Unlike traditional apps, these malicious PWAs and WebAPKs are essentially phishing websites packaged to look like legitimate applications,” ESET says.
“This means that they do not exhibit the typical behaviors or characteristics associated with malware. Their ability to bypass traditional security warnings of a mobile operating system, and total sidestepping of app store vetting processes is particularly concerning. Therefore, it is anticipated that more sophisticated and varied phishing campaigns utilizing PWAs and WebAPKs will emerge, unless mobile platforms change their approach towards them.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
ESET has the story.
How BreachSim works:
