Fraud Alert: App Installations from Web
As researchers and techies continue to innovate, progressive web apps (PWAs) and WebAPKs (Android package kits generated by the Chrome browser) are turning into powerful tools that bridge the gap between web and mobile applications, offering significant advantages for both users and developers. Essentially, PWA and WebAPK users can access web-based services from their mobile phone screen via an icon resembling a native app. No wonder cybercriminals are more than eager to exploit PWAs and WebAPKs to target users.
 
Researchers at ESET analysed campaigns utilising these novel attack vectors targeting mobile devices, with significant potential for further exploitation by cybercriminals. According to the security services provider, a critical aspect of this technique is that neither PWAs nor WebAPKs require users to grant explicit permissions to install apps from unknown sources or allow the browser to install unknown apps. 
 
"As a result, device owners may end up installing apps from untrusted sources without realising it. Once installed, the malicious apps behave like standard mobile banking malware and present fake banking login interfaces, prompting victims to enter their credentials. The stolen credentials, including login details, passwords, and two-factor authentication codes, are then transmitted to the attackers' command and control servers so that the attackers can gain unauthorised access to victims' accounts," it added.
 
Earlier this year, researchers at ESET uncovered campaigns targeting clients of major banks in Czechia, as well as one bank in Hungary and another in Georgia. In one campaign in Czechia, ESET says attackers used the stolen data to withdraw funds from ATMs using near field communication (NFC) data relayed from a compromised phone to an attacker's rooted mobile device. "This is the first time that we have seen Android malware with this NFC data relay capability being used in the wild."
 
The initial phishing messages were delivered through various methods, including SMS, automated voice calls, and social media malvertising, ESET says, adding that victims received messages or calls suggesting the need to update their mobile banking applications or informing them of potential tax refunds. These messages, sent to presumably random numbers, contained links directing victims to phishing websites mimicking legitimate banking sites. Malvertising on Facebook and Instagram promoted a fake banking app, falsely claiming that the official app was being decommissioned.
 
"Once on the phishing site, Android users were prompted to install a WebAPK, while iOS users were instructed to add the PWA to their home screen, mimicking native system prompts. In both cases, the installed application looks and behaves like a legitimate banking app, complete with official logos and design elements. This process bypasses the usual warnings associated with installations from untrusted sources, making the phishing attempt much more convincing," the security services provider says.
 
PWAs are designed to combine the best features of web and mobile apps, such as responsiveness, offline capabilities, and push notifications. PWAs are cross-platform and can be installed directly from the browser, bypassing app stores and the vetting they perform.
 
WebAPKs (web application packages) take PWAs a step further. They package a PWA into an APK (Android package kit), enabling it to function as a native Android app. WebAPKs allow PWAs to seamlessly integrate into the Android ecosystem, complete with app icons, notifications, and access to certain device features. 
 
While these technologies are transformative and highly beneficial, they also allow cybercriminals to exploit them for nefarious purposes. 
 
The most dangerous part is that the installation process does not require explicit permissions for third-party apps, and the apps themselves do not display the usual indicators of being untrusted. This makes it challenging for users to recognise these apps as malicious. Additionally, the seamless integration of these apps into the device's operating system enhances their apparent legitimacy, making it difficult to distinguish between genuine and malicious applications.
 
How Cybercriminals Exploit PWAs and WebAPKs
 
Spoofed Apps: Cybercriminals can create malicious PWAs or WebAPKs designed to mimic legitimate applications. By copying the branding, design, and functionality of trusted apps, they can trick users into installing these fake applications.
 
Malware Delivery via WebAPKs: Since WebAPKs bypass traditional app stores, they avoid the scrutiny of official app review processes. Fraudsters can use this loophole to distribute malware or spyware disguised as helpful tools or entertainment apps.
 
Push Notification Abuse: PWAs and WebAPKs can send push notifications. Cybercriminals can easily abuse this feature to deliver phishing messages, malicious links, or fraudulent offers to lure users into revealing personal data or installing harmful software.
 
Domain Spoofing: Cybercriminals can deploy PWAs on domains that closely resemble those of trusted brands. For example, a fake banking PWA hosted on a domain like sbibankindia.com can deceive users into entering their credentials, leading to the compromise of their bank accounts.
 
Man-in-the-middle Attacks: If a PWA or WebAPK is hosted on a domain without robust HTTPS implementation, attackers can intercept communications between the user and the application, stealing sensitive data or injecting malicious scripts.
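
The domain spoofing and HTTPS points above can be checked mechanically by a bank's security team or a browser-side filter before an install offer is trusted. The following is an added example, not code from ESET or from this article: it reads the standard web app manifest fields (`name`, `short_name`, `start_url`, `scope`) and flags bank branding on a host outside an allowlist. The host names, brand tokens and the function name `assessInstallOffer` are hypothetical placeholders.

```javascript
// Added example. OFFICIAL_HOSTS and BRAND_TOKENS are hypothetical placeholders;
// a real deployment would load the bank's published domains and brand names.
const OFFICIAL_HOSTS = new Set(["examplebank.example", "www.examplebank.example"]);
const BRAND_TOKENS = ["examplebank", "example bank"];

function mentionsBrand(text) {
  const t = String(text || "").toLowerCase();
  return BRAND_TOKENS.some((b) => t.includes(b));
}

// pageUrl: URL of the page offering the install (manifest assumed same-origin).
// manifest: the parsed web app manifest JSON linked from that page.
function assessInstallOffer(pageUrl, manifest) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return { verdict: "block", findings: ["page URL is not parseable"] };
  }
  const findings = [];
  if (page.protocol !== "https:") findings.push("served without HTTPS");

  // start_url and scope are relative to the page; they must not leave its origin.
  for (const field of ["start_url", "scope"]) {
    if (manifest[field] === undefined) continue;
    try {
      if (new URL(manifest[field], page).origin !== page.origin) {
        findings.push(`${field} leaves the page origin`);
      }
    } catch {
      findings.push(`${field} is not a valid URL`);
    }
  }

  // A bank name on a host outside the allowlist is the spoofing signal.
  const official = OFFICIAL_HOSTS.has(page.hostname);
  const claimsBrand = mentionsBrand(manifest.name) || mentionsBrand(manifest.short_name);
  const hostUsesBrand = mentionsBrand(page.hostname.replace(/-/g, ""));
  if (!official && (claimsBrand || hostUsesBrand)) {
    findings.push("bank branding on a non-official host");
  }

  if (findings.length > 0) return { verdict: "block", findings };
  return { verdict: official ? "allow" : "unknown", findings };
}
```

A verdict of "unknown" means only that no bank branding or transport problem was found; it is not an endorsement of the site.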
 
According to ESET, the ability of PWAs and WebAPKs to bypass the traditional security warnings of a mobile operating system and to sidestep app store vetting processes entirely is particularly concerning. "Therefore, it is anticipated that more sophisticated and varied phishing campaigns utilising PWAs and WebAPKs will emerge unless mobile platforms change their approach towards them."
 
This brings us to the most crucial question: How can a common user be safeguarded from malicious PWAs and WebAPKs? 
 
Here are a few suggestions...
 
Awareness and Education: Be cautious when installing PWAs or WebAPKs from unknown sources. Stick to trusted and verified websites. Also, familiarise yourself with the legitimate or authentic web URLs and branding of apps that you use frequently to identify potential spoofing attempts.
 
Use HTTPS Everywhere: Ensure that any PWA you interact with uses HTTPS. A secure connection is indicated by a padlock icon in the browser's address bar. Avoid entering sensitive information on PWAs hosted on HTTP-only domains. 
 
Use in-built Security Features of Browsers: Modern browsers like Chrome and Firefox include features to detect and block malicious websites and PWAs. Enable these protections. Also, use ad blockers or anti-phishing extensions to filter out malicious ads and pop-ups that might lead to fake PWAs.
 
Verify before Installation: Cross-check the source of a PWA or WebAPK before installation. If in doubt, reach out to the company or developer to confirm authenticity. Use app stores when possible, as they offer an additional layer of security.
 
Monitor Permissions: Be wary of PWAs or WebAPKs requesting unnecessary permissions, such as access to contacts, messages, or locations. Over-permissioned apps could indicate malicious intent.
 
Regular Updates: Keep your devices, operating systems (OS), apps and browsers updated to benefit from the latest security patches. 
 
Use robust antivirus and anti-malware solutions to detect and block malicious applications, including PWAs and WebAPKs.
 
According to Lukáš Štefanko, senior malware researcher at ESET, the cross-platform nature of PWAs also allows attackers to target a broader audience, making these types of attacks more scalable and versatile. "Thankfully, existing tools and advice—such as installing apps only from official app stores and using a reputable security app—also apply to staying safe from this novel threat."
 
As PWAs and WebAPKs continue to gain popularity, they will inevitably remain attractive targets for cybercriminals. However, with concerted efforts from users, developers, and security professionals, the risks can be mitigated. By adopting a proactive approach to cybersecurity and staying vigilant, users can enjoy the benefits of PWAs and WebAPKs without falling victim to exploitation.
 
Stay Alert, Stay Safe!