Mobile Phishing Attacks Use New Tactic to Bypass Security Measures

Stu Sjouwerman | Dec 20, 2024

Mobile is a Security ProblemESET has published its threat report for the second half of 2024, outlining a new social engineering tactic targeting mobile banking users.

Threat actors are using Progressive Web Apps (PWAs) and WebAPKs to bypass mobile security measures, since these files don’t require users to grant permissions to install apps from unknown sources.

“The initial phishing messages were delivered through various methods, including SMS, automated voice calls, and social media malvertising,” ESET says.

“Victims received messages or calls suggesting the need to update their mobile banking applications or informing them of potential tax refunds. These messages, sent to presumably random numbers, contained links directing victims to phishing websites mimicking legitimate banking sites. Malvertising on Facebook and Instagram promoted a fake banking app, falsely claiming that the official app was being decommissioned.”

The apps are designed to trick users into entering their banking credentials, and they can also intercept multi-factor authentication codes.

“Once installed, the malicious apps ESET researchers analyzed behave like standard mobile banking malware and present fake banking login interfaces, prompting victims to enter their credentials,” the researchers write. “The stolen credentials, including login details, passwords, and two-factor authentication codes, are then transmitted to the attackers’ command and control servers, so that the attackers can gain unauthorized access to victims’ accounts.”

The researchers expect to see an increase in this phishing technique over the coming year, so users should be wary of installing apps linked in unsolicited messages.

“Unlike traditional apps, these malicious PWAs and WebAPKs are essentially phishing websites packaged to look like legitimate applications,” ESET says.

“This means that they do not exhibit the typical behaviors or characteristics associated with malware. Their ability to bypass traditional security warnings of a mobile operating system, and total sidestepping of app store vetting processes is particularly concerning. Therefore, it is anticipated that more sophisticated and varied phishing campaigns utilizing PWAs and WebAPKs will emerge, unless mobile platforms change their approach towards them.”

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

ESET has the story.

Uncover Technical Blind Spots and Exfiltration Risks with Free BreachSim

Data exfiltration is a critical target for cybercriminals, yet most organizations fail to detect breaches internally. Run our 100% harmless BreachSim tool on Windows 10+ workstations to safely simulate over 12 realistic data exfiltration scenarios following the MITRE ATT&CK framework, pinpoint your infrastructure’s weaknesses, and get actionable results in minutes.

Launch Your Free Breach Simulation

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.