Hackers Exploit WebAPK to Trick Android Users into Installing Malicious Apps
Threat actors have found a way to exploit Android’s WebAPK technology, deceiving unsuspecting users into installing malicious web apps on their Android phones. These apps are specifically designed to capture sensitive personal information, putting users at risk.
The attack typically begins with victims receiving SMS messages that urge them to update their mobile banking applications. The link provided in these messages leads to a website that utilizes WebAPK technology to install a malicious app on the victim’s device. In a recent analysis by CSIRT KNF, researchers highlighted a campaign impersonating PKO Bank Polski, a well-known multinational banking and financial services company based in Warsaw. Polish cybersecurity firm RIFFSEC first shared details of this campaign.
WebAPK allows users to install progressive web apps (PWAs) directly to their Android device’s home screen without going through the Google Play Store. When a user installs a PWA through Google Chrome using WebAPK, the app is installed on the device silently. Because the process is handled by trusted providers such as Play Services or Samsung, the installation completes without any of the device’s security measures being turned off.
Once the malicious app is installed, it masquerades as a banking app (“org.chromium.webapk.a798467883c056fed_v2”) and prompts users to enter their credentials and two-factor authentication (2FA) tokens. By doing so, the attackers steal the users’ sensitive information.
One of the challenges in combating these attacks is that WebAPK generates a different package name and checksum for the app on each device, so these values cannot be used as Indicators of Compromise (IoCs), as CSIRT KNF highlights.
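The following added example (not from the article or from CSIRT KNF) illustrates that point for defenders: the observed package name is a usable IoC only on the one device it was seen on, while a pattern that keys on the fixed `org.chromium.webapk.` prefix flags WebAPK-minted packages on every device for review. The inventory lines are constructed sample data in the style of `pm list packages` output, and the regular expression is an assumption derived from the package name quoted in the article.

```python
import re
from typing import Iterable

# Package name quoted in the article (as reported by CSIRT KNF).
OBSERVED_IOC = "org.chromium.webapk.a798467883c056fed_v2"

# Assumed shape of a Chrome-minted WebAPK package name: fixed prefix,
# per-device hex id, optional "_v<n>" suffix. Only the prefix is stable.
WEBAPK_RE = re.compile(r"^org\.chromium\.webapk\.[0-9a-f]+(?:_v\d+)?$")


def parse_pm_list(output: str) -> list[str]:
    """Extract package names from "package:<name>" lines (pm list packages style)."""
    names = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.append(line[len("package:"):])
    return names


def exact_ioc_hits(packages: Iterable[str], iocs: set[str]) -> list[str]:
    """Naive IoC matching: flags only names identical to a known-bad value."""
    return [p for p in packages if p in iocs]


def webapk_hits(packages: Iterable[str]) -> list[str]:
    """Pattern matching: flags every WebAPK-minted package for triage,
    regardless of the per-device id. Legitimate PWAs match too, so this is
    a review queue, not a verdict."""
    return [p for p in packages if WEBAPK_RE.match(p)]


# Constructed inventories for two devices (sample data, not from the article).
DEVICE_A = """package:com.android.chrome
package:org.chromium.webapk.a798467883c056fed_v2
package:com.example.realbank"""
DEVICE_B = """package:com.android.chrome
package:org.chromium.webapk.0f1e2d3c4b5a69788_v2
package:com.example.realbank"""


def triage(output: str) -> dict[str, list[str]]:
    """Run both approaches over one device inventory."""
    pkgs = parse_pm_list(output)
    return {"exact": exact_ioc_hits(pkgs, {OBSERVED_IOC}), "pattern": webapk_hits(pkgs)}


if __name__ == "__main__":
    for name, inventory in (("device A", DEVICE_A), ("device B", DEVICE_B)):
        print(name, triage(inventory))
```

On device B the exact IoC misses while the prefix pattern still surfaces the WebAPK for review; confirming which site minted it requires looking at the app itself, not the package name.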
To mitigate such threats, it is recommended to block websites that exploit the WebAPK mechanism to carry out phishing attacks.
In a related development, cybersecurity firm Resecurity has uncovered an increasing trend of cybercriminals leveraging specialized device spoofing tools for Android, available on the dark web. These tools enable attackers to impersonate compromised account holders and bypass anti-fraud controls. The spoofing tools, including Enclave Service and MacFly, manipulate mobile device fingerprints and other software and network parameters analyzed by anti-fraud systems. Weak fraud controls are also exploited to conduct unauthorized transactions using banking malware such as TimpDoor and Clientor.
Resecurity emphasizes that cybercriminals utilize these tools to access compromised accounts and impersonate legitimate customers. They use stolen cookie files, spoof highly granular device identifiers, and exploit the unique network settings of fraud victims.
The evolving tactics employed by hackers and their use of sophisticated techniques reinforce the need for increased user awareness and robust security measures to protect against these malicious activities.