I love progressive web apps (PWAs). If you’re not familiar with the term, a PWA is basically a website with a small software package around it. It uses your browser to display the page but behaves like a separate application, without requiring you to install anything from an app store. PWAs are popular on both desktop and mobile, but that same flexibility has made them a vehicle for phishing attacks aimed at your financial data.
According to a new report from ESET Security (spotted by Bleeping Computer), social-engineering attackers have been observed in Hungary and Georgia posing as banks and other financial institutions via progressive web apps, following on from similar scams previously seen in the Czech Republic.
PWAs are attractive to criminals because Chrome and other browsers can “install” something on your phone that isn’t actually an app, but a web shortcut that looks and behaves like a native app on your home screen. That lets them sidestep critical defenses against fake apps: the Google Play Store and iOS App Store review processes, and Android’s warnings about installing apps from outside the store.
The hook is familiar: you get an email or a text message from what appears to be your bank, you install the progressive web app it points you to, and you use it to log in to your account. But both the initial message and the PWA it asks you to install are well-designed spoofs, and your credentials are collected as you type them. The information is forwarded to a text chat controlled by the attackers, who log in to your real bank account and drain it, completing the scam.
ESET warns that the attacks observed so far specifically target Android users and Chrome’s “WebAPK” PWA implementation, using animations designed to mimic the Google Play Store installation process. Combined with near-perfect imitations of legitimate banking apps, this gives users false confidence in the app or service, lowering their guard and tricking them into entering their personal information.
While the report only details attacks observed in Eastern Europe to date, scammers and hackers are known to quickly copy successful attack methods around the world. And it can affect anyone – even, say, a 13-year technology veteran who came within a hair’s breadth of falling for a bogus email earlier this year claiming his package couldn’t be delivered.
Be wary of messages from unverified senders or addresses asking you to install PWAs or WebAPKs, and always log in to your bank or other financial tools independently, by typing the address yourself or using the app you already have. Never provide usernames, passwords or other account information to anyone through a secondary channel such as email or text message.