Hackers Steal Banking Credentials from iOS and Android Users via PWA Apps


In recent months, an alarming trend has emerged where cybercriminals exploit Progressive Web Applications (PWAs) and WebAPKs to launch sophisticated phishing attacks aimed at stealing banking credentials from unsuspecting iOS and Android users. These attacks cleverly bypass traditional security measures, making them particularly dangerous and effective.

Understanding the Attack Mechanism

PWAs are essentially websites designed to function like native applications, offering functionalities such as offline usage, push notifications, and device hardware access. WebAPKs are an advanced form of PWAs that Android devices treat as native applications, allowing them to be installed directly from the browser without triggering the usual security warnings associated with third-party installations.

The attackers utilize these technologies to create counterfeit versions of legitimate banking apps. They distribute these malicious apps through various means, including automated voice calls, SMS messages, and targeted malvertising on social platforms like Facebook and Instagram. The ads often use familiar logos and mascots to appear credible, tricking users into downloading and installing these malicious applications.

Phishing Campaigns in Action

The process typically starts with a notification to the user about an outdated banking app that needs updating. Once the user follows the provided link, they are taken to a page that mimics the Google Play or Apple App Store interface, further lowering their guard. After installation, the PWA or WebAPK requests banking login details on a page that looks convincingly like the legitimate banking login screen. Any credentials entered here are sent directly to the attackers’ command-and-control servers.

Geographical Reach and Development

Originally detected in Poland in mid-2023, these phishing operations quickly spread to other regions, including the Czech Republic, Hungary, and Georgia, indicating the scalability and adaptability of this attack method. Cybersecurity firms have tracked multiple campaigns, suggesting the involvement of several organized groups, each using distinct infrastructure to capture and store stolen data.

How to Protect Yourself

To safeguard against these attacks, it is crucial to remain vigilant when installing new applications, especially those that handle sensitive information like banking credentials. Always verify the authenticity of the app and download updates directly from the official app stores. Furthermore, keep your mobile devices and browsers updated to defend against known vulnerabilities and exploits.

The abuse of PWAs and WebAPKs to phish for banking credentials represents a significant escalation in the cyber threat landscape. Both users and institutions must be aware of these techniques and take proactive measures to protect against them. As this threat evolves, staying informed and cautious is the best defense against these sophisticated cyber-attacks.
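For institutions watching for counterfeit apps, one proactive measure is to triage the web app manifest of a reported page: does it carry the bank's name while being served from, or starting at, a host the bank does not own? The sketch below is an added example, not code from the article or from any vendor; the allowlist, the `examplebank` hosts and the function names are assumptions, and the sample manifests are constructed.

```python
import json
import unicodedata
from urllib.parse import urljoin, urlsplit

# Constructed allowlist: brand keyword -> hosts the bank really serves from (assumed names).
OFFICIAL_HOSTS = {"examplebank": {"examplebank.test", "www.examplebank.test"}}
HIDES_URL_BAR = {"standalone", "fullscreen"}  # manifest display modes with no address bar

# Constructed samples: a lookalike manifest and the genuine one.
SUSPECT_URL = "https://examplebank-update.test/manifest.json"
SUSPECT = ('{"name": "Exámple Bank", "short_name": "ExampleBank", '
           '"start_url": "/login", "display": "standalone"}')
GENUINE_URL = "https://www.examplebank.test/manifest.json"
GENUINE = ('{"name": "Example Bank", '
           '"start_url": "https://www.examplebank.test/app", "display": "standalone"}')


def fold(text):
    """Lowercase, strip accents and punctuation so 'Exámple Bank' becomes 'examplebank'."""
    decomposed = unicodedata.normalize("NFKD", text or "")
    return "".join(c for c in decomposed if c.isalnum()).lower()


def triage_manifest(manifest_url, manifest_text):
    """Return findings for a web app manifest that was fetched from manifest_url."""
    manifest = json.loads(manifest_text)
    names = fold(manifest.get("name")) + " " + fold(manifest.get("short_name"))
    serve_host = urlsplit(manifest_url).hostname or ""
    # A relative start_url resolves against the manifest URL, as in browsers.
    start_url = urljoin(manifest_url, manifest.get("start_url") or ".")
    start_host = urlsplit(start_url).hostname or ""
    findings = []
    for brand, hosts in OFFICIAL_HOSTS.items():
        if brand not in names:
            continue  # manifest does not claim this brand
        for label, host in (("manifest", serve_host), ("start_url", start_host)):
            if host not in hosts:
                findings.append(f"brand '{brand}' used but {label} host is {host}")
    if findings and manifest.get("display") in HIDES_URL_BAR:
        findings.append("display mode hides the browser address bar")
    return findings


if __name__ == "__main__":
    for url, text in ((SUSPECT_URL, SUSPECT), (GENUINE_URL, GENUINE)):
        print(url, triage_manifest(url, text) or "no findings")
```

Accent folding catches only simple lookalike spellings; names built from other scripts need a confusables table on top of this.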

About the author

Ashlyn Fernandes

Ashlyn is a dedicated tech aficionado with a lifelong passion for smartphones and computers. With several years of experience in reviewing gadgets, he brings a keen eye for detail and a love for technology to his work. Ashlyn also enjoys shooting videos, blending his tech knowledge with creative expression. At PC-Tablet.com, he is responsible for keeping readers informed about the latest developments in the tech industry, regularly contributing reviews, tips, and listicles. Ashlyn's commitment to continuous learning and his enthusiasm for writing about tech make him an invaluable member of the team.
