Hacking

Be careful what you pwish for – Phishing in PWA applications

In this blogpost we discuss an uncommon type of phishing campaign targeting mobile users and analyze a case that we observed in the wild that targeted clients of a prominent Czech bank. This technique is noteworthy because it installs a phishing application from a third-party website without the user having to allow third-party app installation. For iOS users, such an action might break any “walled garden” assumptions about security. On Android, this could result in the silent installation of a special kind of APK, which on further inspection even appears to be installed from the Google Play store.

The phishing websites targeting iOS instruct victims to add a Progressive Web Application (PWA) to their home-screens, while on Android the PWA is installed after confirming custom pop-ups in the browser. At this point, on both operating systems, these phishing apps are largely indistinguishable from the real banking apps that they mimic. PWAs are essentially websites bundled into what feels like a standalone application, with this feeling being enhanced by the usage of native system prompts. PWAs, just like websites, are cross-platform, explaining how these PWA phishing campaigns can target both iOS and Android users.

This technique was first disclosed by CSIRT KNF in Poland in July 2023 and, in November 2023, observed in Czechia by ESET analysts working on the Brand Intelligence service. We also observed two cases of mobile campaigns against banks outside of Czechia: one case targeting the Hungarian OTP Bank and another targeting a Georgian bank.

Key points of the blogpost:

  • Standard phishing delivery techniques were combined with a novel method of phishing; targeting Android and iOS users via PWAs, and on Android also WebAPKs.
  • Insidiously, installing a PWA/WebAPK application does not warn the victim about installing a third-party application.
  • On Android, these phishing WebAPKs even appear to have been installed from the Google Play store.
  • Most of the observed applications targeted clients of Czech banks, but we also observed one phishing app that targeted a Hungarian bank and another targeting a Georgian bank.
  • Based on the C&C servers utilized and backend infrastructure, we conclude that two different threat actors were operating the campaigns.
  • Thanks to our discovery of operator panels on different domains, we were able to notify the victims’ banks in order to protect them.

Overview

ESET analysts discovered a series of phishing campaigns targeting mobile users that used three different URL delivery mechanisms (shown in Figure 1). These mechanisms include automated voice calls, SMS messages, and social media malvertising.

The voice call delivery is done via an automated call that warns the user about an out-of-date banking app and asks the user to select an option on the numerical keyboard. After pressing the correct button, a phishing URL is sent via SMS. This was reported in a tweet, by Michal Bláha.

Initial delivery by SMS was performed by sending messages indiscriminately to Czech phone numbers. The message sent included a phishing link and text to socially engineer victims into visiting the link.

Spreading via malicious ads was done by registering advertisements on Meta platforms like Instagram and Facebook. These ads included a call to action, like a limited offer for users who “download an update below”. This technique allows threat actors to specify the target audience by age, gender, etc. The advertisements would then appear in a victim’s social media feed.

After opening the URL delivered in the first stage, Android victims are presented with a high-quality phishing page imitating the official Google Play store page for the targeted banking application, or a copycat website for the application. These were two distinct campaigns. It is possible that the campaign utilizing Google Play visuals would modify itself based on the received User-Agent, to imitate Apple Store visuals. We did not observe this technique in analyzed cases.

Figure 1. PWA phishing flow

From here victims are asked to install a “new version” of the banking application; an example of this can be seen in Figure 2. Depending on the campaign, clicking on the install/update button launches the installation of a malicious application from the website, directly on the victim’s phone, either in the form of a WebAPK (for Android users only), or as a PWA for iOS and Android users (if the campaign is not WebAPK based). This crucial installation step bypasses traditional browser warnings of “installing unknown apps”: this is the default behavior of Chrome’s WebAPK technology, which is abused by the attackers.

Figure_2_Example_copycat_installation_page
Figure 2. Example copycat installation page

The process is a little different for iOS users, as an animated pop-up instructs victims how to add the phishing PWA to their home screen (see Figure 3). The pop-up copies the look of native iOS prompts. In the end, even iOS users are not warned about adding a potentially harmful app to their phone.

Figure_3_iOS_popup_instructions
Figure 3 iOS pop-up instructions after clicking “Install” (credit: Michal Bláha)

After installation, victims are prompted to submit their internet banking credentials to access their account via the new mobile banking app. All submitted information is sent to the attackers’ C&C servers.

Timeline

We discovered the first phishing-via-PWA case in early November 2023, and noticed the transition to WebAPKs in mid-November 2023. C&C servers that received information from phishing applications were first discovered in March 2024 (as can be seen in Figure 4), with data in them confirming that they were probably not operational earlier.

Figure_4_Timeline
Figure 4. Timeline of the PWA and WebAPK phishing campaign

The only exception is the cryptomaker[.]info server, which we discovered in May 2024, but included activity from a campaign against a Georgian bank in February 2024.

Technical analysis

In this section we focus on the analysis of a campaign against a prominent Czech bank, utilizing WebAPK technology. We also briefly explain the underlying technology of progressive web applications (PWAs) and WebAPKs.

PWA and WebAPK applications

PWAs

The phishing campaign and method discussed in this post is possible only thanks to the technology of progressive web applications (PWAs). In short, PWAs are applications built using traditional web application technologies that can run on multiple platforms and devices. These apps are then installed on the mobile phone of the user after a pop-up installation prompt is automatically displayed, or the user manually selects the Install app option from a supported browser’s menu. The crucial step here is installation, which allows for the seamless usage of apps in a separate window and gives them the ability to be launched from the menu bar or home screen. After installation, PWAs on the home screen are distinguished by the logo of the user’s browser being superimposed on the PWA’s icon (Figure 5).

Figure_5_Installed phishing PWA (left) and real banking app (right)
Figure 5. Installed phishing PWA (left) and real banking app (right)

PWAs also have the advantage of a single codebase across multiple platforms, which now may also use modern browser APIs and even native code, thanks to WebAssembly. Progressive web apps may also be used offline, thanks to service workers (see Figure 6). These workers act as a sort of proxy system, retrieving data from the local cache if no internet connection is available.

Figure_6_Simplified_how_pwas_work
Figure 6. Simplified diagram of how PWAs work

All the application behavior is defined in a single file called the manifest. This is a standardized file that defines the logo, name, web application scope, sources, and service worker script of the application, as well as the launcher type. Here the threat actor can define the app as standalone, which results in the PWA behaving like a regular mobile app.

PWAs may also be assigned as default handlers for certain file formats, but only as an experimental feature, which is not supported on mobile browsers. This could result in threat actors writing malicious applications that register as a default handler for, as an example, all .docx documents, and so a simple yet powerful espionage app could be created. However, even without that feature, access to browser APIs gives PWAs the right to request access to microphone, geolocation, camera, and all other supported browser functions, meaning that spyware PWAs could be on the radar.

WebAPKs

WebAPKs could be considered an upgraded version of progressive web apps, as the Chrome browser generates a native Android application from a PWA : in other words, an APK. These WebAPKs look like regular native apps, as their icons lack the browser logo (see Figure 7). In the PWA/WebAPK phishing scheme, this is used to trick users into believing that the installed phishing app is their legitimate banking application. The generation of WebAPKs is currently only supported by Google Chrome.

Figure_7_Comparison between an installed phishing WebAPK (left) and real banking app (right
Figure 7. Comparison between an installed phishing WebAPK (left) and real banking app (right)

Furthermore, installing a WebAPK does not produce any of the “installation from an untrusted source” warnings, such as the example seen in Figure 8, that users are commonly trained to look for. The app will even be installed if installation from third-party sources is not allowed.

Figure_8_Browser_warning
Figure 8. Browser warning users about installing from an untrusted source – not shown for WebAPKs

Phishing flow

As mentioned in our overview of the monitored campaigns, multiple types of delivery mechanisms were used. In the case of the phishing campaign against the prominent Czech bank, the whole flow started with a phishing link being spread by multiple malicious ads on Facebook (see Figure 9). These advertisements were registered in bulk, often five or six at a time, with each registration at a separate time. The threat actor used specially created Meta accounts and possibly compromised accounts.

The malicious ads included a mix of the bank’s official mascot (blue chameleon), as well as the bank’s logos and text that either promised a financial reward upon installing the app or warned users that a critical update had been rolled out.

Figure_9_Malvertising_captioned
Figure 9. Example of a malicious advertisement used in these campaigns

In the example case, a limited-time offer of a financial reward was used to entice victims into visiting the malicious link. After visiting the link, users were prompted with a convincing, albeit fake, Google Play page (Figure 10). This is the site from which the phishing WebAPK is downloaded.

 

Figure_10_Phishing_landing_page
Figure 10. Phishing landing page imitating Google Play

The site checks for the usage of a mobile client via the User-Agent HTTP header. If the victim is indeed on a mobile device, the “Install” button prompts the victim for installation via a pop-up. If the User-Agent header is for a desktop, the install button does nothing. The prompt also imitates Google Play animations, further enhancing the believability of this campaign (Figure 11).

Figure_11_Installation
Figure 11. Install prompt (left) and animated installation prompt on the phishing page (right)

The demonstrated campaign clearly targets Android users, thanks to the Google Play visual and animations. Other campaigns (that we observed and that were publicly reported) targeted users of both iOS (Figure 12) and Android systems. These sites utilized the visual of a well-known application on the landing page and prompted victims for the installation of a new version. Android users were led to install a WebAPK, and iOS users to PWAs.

Figure_12_iOS_installation_Michal_Blaha
Figure 12. Example of iOS installation (credit: Michal Bláha)

After installation, the phishing PWA/WebAPK is added to the user’s home screen, and opening it leads to a phishing login page, directly in the application (Figure 13).

Figure_13_WebAPK icon (left) and the in-app phishing login page (right)
Figure 13. WebAPK icon (left) and the in-app phishing login page (right)

On top of all the previously mentioned hurdles for a regular user, the application’s info tab also states that the app was downloaded from the Google Play store, which is the default behavior (Figure 14). This applies to all WebAPK apps.

Figure_14_webapk_infomenu
Figure 14. WebAPK info menu – notice the “App details in store” section at the bottom

The phishing application and phishing URL discussed in this post were reported to ČSOB. The phishing applications have never been available on the Google Play store.

C&C infrastructure

Based on the fact that the campaigns used two distinct C&C infrastructures, we have determined that two separate groups were operating the PWA/WebAPK phishing campaigns against Czech and other banks.

One group used a Telegram bot to log all entered information into a Telegram group chat via the official Telegram API, and another used a traditional C&C server with an administrative panel. The second group is responsible for the campaign covered in our blogpost on the NGate Android malware.

Telegram bots

All stolen login information was logged via a backend server, which then sent the user’s entered banking login data into a Telegram group chat. HTTP calls to send messages to the threat actor’s group chat were made via the official Telegram API. This is not a new technique and is used in various phishing kits.

After loading the phishing page of the PWA, a stack trace is displayed on top of the screen (see Figure 15). The stack trace includes information about the Telegram API and bot token used, and was visible even on the login screen.

Figure_15_telegram_info_leak
Figure 15. Login screen leaking Telegram information

Based on this, we identified that the threat actor logged all data into a Telegram group chat. We reported all sensitive information of compromised bank clients to the relevant banks.

C&C servers

During analysis of one of the installed PWAs, we noticed that entered victim data was sent to a different backend server. Upon inspection of the contacted C&C server, we uncovered an operator panel (Figure 16) that included sensitive information of victims, currently active phishing URLs, and a full history of visiting victims.

Figure_16_CC_administration_panel
Figure 16. C&C administrative panel

The threat actors did not stay put, and after the first C&C domain was deactivated (hide-me[.]online) they continued to establish more domains and even prepared a completely new malicious campaign, operated from the same panel. The second campaign is analyzed in our research on the NGate Android malware.

Thanks to the information recovered from the panel, we were able to contact the affected banks and protect the affected clients.

Conclusion

We identified a novel method of phishing, combining well-established methods of social engineering along with the cross-platform technology of PWA applications. Cases targeting Android users, specifically via a copycat page of the targeted app’s Google Play store page and using WebAPK technology, were also found.

Most of the known cases have been inside Czechia, with only two phishing applications appearing outside of this region (in Hungary and Georgia).

Because two drastically different C&C infrastructures were employed, we have determined that two different groups are responsible for the spread of the phishing apps.

We expect more copycat applications to be created and distributed, since after installation it is difficult to separate the legitimate apps from the phishing ones.

All sensitive information found during our research was promptly sent to the affected banks for processing. We also negotiated the takedowns of multiple phishing domains and C&C servers.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. 
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

SHA-1

Filename

Detection

Description

D3D5AE6B8AE9C7C1F869
0452760745E18640150D

base.apk

Android/Spy.Banker.CIC

Android mobile phishing app

66F97405A1538A74CEE4
209E59A1E22192BC6C08

base.apk

Android/Spy.Banker.CLW

Android mobile phishing app

Network

IP

Domain

Hosting provider

First seen

Details

46.175.145[.]67

hide-me[.]online

Cloudflare, Inc.

2024‑03‑05

C&C server.

185.181.165[.]124

cyrptomaker[.]info

NETH LLC

2024‑02‑21

C&C server.

172.67.182[.]151

blackrockapp[.]eu

Cloudflare, Inc.

2024‑04‑07

C&C server.

185.68.16[.]56

csas.georgecz[.]online

Hosting Ukraine LTD

2023-11-29

Distribution server.

188.114.96[.]9

play-protect[.]pro

Cloudflare, Inc.

2024-01-18

Distribution server.

MITRE ATT&CK techniques

This table was built using version 15 of the MITRE ATT&CK framework.

Tactic

ID

Name

Description

Initial Access

T1660

Phishing

Applications are first distributed by malicious advertising or mass phishing. After installation, the application itself is used for phishing.

Credential Access

T1417.002

Input Capture: GUI Input Capture

Credentials are harvested by impersonating the login pages of targeted banks.

Command and Control

T1437.001

Application Layer Protocol: Web Protocols

PWA/WebAPK phishing apps send login data via JavaScript interfaces, as well as tracking data.



Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button