A recent phishing campaign targeting mobile users has been making waves, particularly in Czechia, with fraudsters using a unique method to trick victims into downloading malicious applications. The campaign is notable for its ability to install a phishing app without alerting users to the fact that they are installing a third-party application. On iOS devices, victims are instructed to add a Progressive Web Application (PWA) to their home screens, while on Android devices, the PWA is installed after users confirm custom pop-ups in their browsers.
The phishing apps created through this campaign closely mimic the appearance of legitimate banking apps, making it difficult for users to differentiate between the two. The use of PWAs allows the attackers to target both iOS and Android users, as these applications have cross-platform capabilities. This technique was first identified by CSIRT KNF in Poland in July 2023, and later observed in Czechia by ESET analysts in November 2023. Similar campaigns have been seen targeting clients of banks in Hungary and Georgia as well.
The phishing campaign utilizes three different delivery mechanisms: automated voice calls, SMS messages, and social media malvertising. In one example, victims receive an automated call warning them about an outdated banking app, followed by an SMS containing a phishing link. Social media ads with enticing offers or urgent update messages are also used to lure victims into clicking on the malicious links.
On Android devices, victims are presented with a convincing phishing page imitating the official Google Play store page for the targeted banking application. The installation process for the malicious app bypasses traditional browser warnings about installing unknown apps, thanks to the use of WebAPK technology. For iOS users, a fake installation prompt resembling native iOS prompts tricks victims into adding the phishing PWA to their home screens.
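The PWA trick works because the web app manifest controls how the installed "app" looks (name, icon, and whether the browser address bar is hidden). As an added triage example, not code from ESET or from the campaign, the function below scores a fetched manifest against the origin it was served from; the bank brand, origins and manifest contents are all constructed, hypothetical values.

```python
import json
from urllib.parse import urljoin, urlparse

# Constructed sample manifest: a PWA that imitates "Example Bank" but is
# served from an unrelated host (hypothetical names, not from the report).
SAMPLE_MANIFEST = json.dumps({
    "name": "Example Bank Mobile",
    "short_name": "ExampleBank",
    "start_url": "/login",
    "display": "standalone",
    "icons": [{"src": "/icons/bank-512.png", "sizes": "512x512"}],
})

# Brand keyword -> the origin that legitimately serves that brand's web app
# (hypothetical; a real list would come from the bank's own inventory).
BRAND_ORIGINS = {"example bank": "https://app.examplebank.example"}

def same_site(host, legit_host):
    """True if host is the legitimate host or one of its subdomains."""
    return host == legit_host or host.endswith("." + legit_host)

def assess_manifest(manifest_json, served_from, brand_origins=BRAND_ORIGINS):
    """Return a sorted list of indicator names for a manifest fetched from served_from."""
    m = json.loads(manifest_json)
    findings = set()
    host = (urlparse(served_from).hostname or "").lower()

    # 1. standalone/fullscreen hides the address bar, so the user cannot see
    #    which site the "app" is really loading once it sits on the home screen.
    if m.get("display") in ("standalone", "fullscreen"):
        findings.add("hides_browser_ui")

    # 2. the app names a known bank brand but is not served from that brand's site.
    label = (m.get("name", "") + " " + m.get("short_name", "")).lower()
    for brand, origin in brand_origins.items():
        if brand in label and not same_site(host, urlparse(origin).hostname):
            findings.add("brand_mismatch")

    # 3. start_url resolves to a different origin than the page that installed it.
    start = urlparse(urljoin(served_from, m.get("start_url", "/")))
    if (start.scheme, start.hostname) != (urlparse(served_from).scheme, host):
        findings.add("cross_origin_start_url")

    return sorted(findings)
```

A bank's security team could feed this the manifest of a reported lookalike page together with the URL it came from; `brand_mismatch` on a standalone-display manifest is the combination this campaign relies on.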
Once installed, victims are prompted to enter their internet banking credentials, which are then sent to the attackers’ Command and Control (C&C) servers. The phishing flow was discovered in early November 2023, and by March 2024, C&C servers receiving victim information had been identified. Two separate threat actor groups were found to be operating the campaigns, each using different C&C infrastructures.
The attackers used Telegram bots to log stolen login information in a group chat via the Telegram API, while a traditional C&C server with an administrative panel was utilized for a second group. The stolen information was promptly reported to the affected banks to mitigate potential risks to clients.
In conclusion, this sophisticated phishing campaign underscores the importance of vigilance when downloading applications, even from seemingly legitimate sources. Users are advised to exercise caution and verify the authenticity of banking apps before entering sensitive information. The collaboration between security researchers and financial institutions is crucial in identifying and mitigating such threats to protect users from falling victim to phishing attacks.