Mobile users in the Czech Republic have become the targets of a new phishing campaign designed to steal their banking account credentials through the use of a Progressive Web Application (PWA).
The attacks specifically target customers of Československá obchodní banka (CSOB) in the Czech Republic, OTP Bank in Hungary, and TBC Bank in Georgia, according to Slovak cybersecurity firm ESET.
Jakub Osmani, a security researcher, explained that the phishing websites targeting iOS users instruct them to add a PWA to their home screens. For Android users, the PWA is installed after they confirm custom pop-ups in their browsers.
“At this stage, on both operating systems, these phishing apps are almost indistinguishable from the legitimate banking apps they imitate,” Osmani said.
What makes this tactic particularly concerning is that users are tricked into installing a PWA, or in some cases on Android a WebAPK, directly from a third-party site, without ever having to enable sideloading (installation from unknown sources) on the device.
Further analysis of the command-and-control (C2) servers and backend infrastructure used in these campaigns reveals that they are being orchestrated by two different threat actors.
The phishing websites are distributed through a combination of automated voice calls, SMS messages, and malvertising on social media platforms such as Facebook and Instagram. The voice calls alert users that their banking app is out-of-date and prompt them to select a numerical option, after which they receive a phishing URL.
When users click on the link, they are taken to a webpage that mimics the Google Play Store listing for the targeted banking app, or a copycat site for the application, leading to the “installation” of the PWA or WebAPK under the pretense of an app update.
“This crucial installation step bypasses traditional browser warnings about ‘installing unknown apps’ because it is the default behavior of Chrome’s WebAPK technology, which is being exploited by the attackers,” Osmani explained. “Additionally, installing a WebAPK does not trigger any ‘installation from an untrusted source’ warnings.”
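The step described above hinges on the web app manifest: the JSON file a browser reads before offering "Add to Home Screen" or building a WebAPK. A phishing site only needs a manifest that carries the bank's name and logo and asks for `display: standalone`, which hides the URL bar once the app is launched. The following is an added example, not code from ESET or the article, showing a small Node.js checker that inspects such a manifest for impersonation indicators. The manifests, the origins and the brand list are constructed for illustration; a real deployment would load the brand list and allowlisted origins from the bank's own inventory.

```javascript
// Added example (not from the ESET report or this article): inspect a web app
// manifest for signs that a PWA/WebAPK is impersonating a bank.
// All manifests, origins and the brand list below are constructed placeholders.

// Assumption: brand tokens drawn from the banks named in the campaign; extend as needed.
const BANK_BRANDS = ["csob", "otp", "tbc"];

// Resolve a (possibly relative) manifest URL against the serving origin.
function originOf(url, base) {
  try {
    return new URL(url, base).origin;
  } catch {
    return null;
  }
}

// Returns { brand, impersonation, findings }.
// impersonation is true when the manifest claims a bank brand but is served
// from an origin that is not on that bank's allowlist.
function assessManifest(manifest, servingOrigin, legitimateOrigins) {
  const findings = [];
  const names = [manifest.name, manifest.short_name]
    .filter(Boolean)
    .map((s) => s.toLowerCase());
  const brand = BANK_BRANDS.find((b) => names.some((n) => n.includes(b)));
  const servedByBank = legitimateOrigins.includes(servingOrigin);

  if (brand && !servedByBank) {
    findings.push(`manifest claims brand "${brand}" but is served from ${servingOrigin}`);
  }
  // standalone/fullscreen hide browser chrome, so the victim never sees the real URL.
  if (["standalone", "fullscreen"].includes(manifest.display)) {
    findings.push(`display=${manifest.display} hides the URL bar once launched`);
  }
  const startOrigin = originOf(manifest.start_url ?? "/", servingOrigin);
  if (brand && startOrigin && !legitimateOrigins.includes(startOrigin)) {
    findings.push(`start_url resolves to ${startOrigin}, not a known bank origin`);
  }
  // Phishing kits commonly hot-link the real bank's icon rather than hosting it.
  for (const icon of manifest.icons ?? []) {
    const iconOrigin = originOf(icon.src, servingOrigin);
    if (iconOrigin && iconOrigin !== servingOrigin) {
      findings.push(`icon ${icon.src} is loaded from a different origin (${iconOrigin})`);
    }
  }
  return { brand: brand ?? null, impersonation: Boolean(brand) && !servedByBank, findings };
}

// Constructed sample: a manifest as a phishing "app update" page might serve it.
const PHISHING_MANIFEST = {
  name: "CSOB Smart Banking",
  short_name: "CSOB",
  start_url: "/app/login",
  display: "standalone",
  icons: [{ src: "https://legit-bank.example/icons/192.png", sizes: "192x192", type: "image/png" }],
};

// Constructed sample: the same app as the bank itself would serve it.
const LEGIT_MANIFEST = {
  name: "CSOB Smart Banking",
  short_name: "CSOB",
  start_url: "/app/",
  display: "standalone",
  icons: [{ src: "/icons/192.png", sizes: "192x192", type: "image/png" }],
};

// Placeholder origins: the bank's real site vs. a lookalike "update" host.
const LEGIT_ORIGINS = ["https://legit-bank.example"];

console.log(assessManifest(PHISHING_MANIFEST, "https://update-bankapp.example", LEGIT_ORIGINS));
console.log(assessManifest(LEGIT_MANIFEST, "https://legit-bank.example", LEGIT_ORIGINS));
```

Run it with `node` and the first call reports four findings with `impersonation: true`; the second reports only the `display` note, because a standalone display is normal for a bank's own PWA and is only a problem in combination with an unknown origin. The same checks can be applied to manifests fetched from URLs harvested out of smishing messages or malvertising landing pages.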
For Apple iOS users, the phishing websites provide step-by-step instructions on how to add the fake PWA to the Home Screen. The ultimate aim of the campaign is to capture the banking credentials entered into the app and exfiltrate them to an attacker-controlled C2 server or, in some cases, a Telegram group chat.
ESET noted that it first recorded a PWA phishing campaign in early November 2023, with additional waves detected in March and May 2024; the technique itself had been used as early as July 2023.
This revelation coincides with the discovery of a new variant of the Gigabud Android trojan, which is also spread through phishing websites mimicking the Google Play Store or sites impersonating banks and governmental entities.
“The malware has a range of capabilities, including collecting data about the infected device, exfiltrating banking credentials, and capturing screen recordings,” said Symantec, a company owned by Broadcom.
The findings also follow Silent Push’s identification of 24 different control panels for various Android banking trojans, such as ERMAC, BlackRock, Hook, Loot, and Pegasus (not to be confused with NSO Group’s spyware), all operated by a threat actor known as DukeEugene.