Mobile users in the Czech Republic are being targeted by a new phishing campaign that uses a Progressive Web Application (PWA) to steal banking credentials. The attacks have specifically targeted customers of Československá obchodní banka (CSOB) in the Czech Republic, OTP Bank in Hungary, and TBC Bank in Georgia, according to a cybersecurity firm.
The phishing scheme involves tricking iOS users into adding a PWA to their home screens, while Android users are prompted to install the PWA through custom pop-ups in the browser. Once installed, these fake apps closely mimic legitimate banking apps, making them difficult to distinguish from the real ones.
What makes this attack particularly concerning is that users are deceived into installing these PWAs or WebAPKs from third-party sites without the usual warnings or permissions for side-loading apps. This is possible due to the exploitation of Chrome’s WebAPK technology, which bypasses traditional browser warnings about installing unknown apps.
An analysis of the command-and-control (C2) servers and backend infrastructure used in the attacks indicates that two different threat actors are behind these campaigns. The phishing websites are distributed through automated voice calls, SMS messages, and malvertising on social media platforms like Facebook and Instagram.
Users are tricked into thinking they need to update their banking app, leading them to click on a malicious link that ultimately results in the installation of the fraudulent app.
The goal of the campaign is to capture banking credentials entered into these fake apps and send them to a C2 server or a Telegram group controlled by the attackers. This phishing tactic using PWAs first appeared in November 2023, with additional waves of attacks occurring in March and May 2024.
This disclosure coincides with the discovery of a new variant of the Gigabud Android trojan, which is being spread via phishing websites that mimic the Google Play Store and other sites impersonating banks or government entities. This malware is capable of collecting device data, exfiltrating banking credentials, and recording screens, among other malicious activities.
Additionally, a researcher has recently uncovered 24 different control panels for various Android banking trojans, such as ERMAC, BlackRock, Hook, Loot, and Pegasus, operated by a threat actor known as DukeEugene.
To protect against phishing campaigns that use Progressive Web Applications (PWAs) to steal banking credentials, users should avoid installing apps or updates from sources outside official app stores. Always verify the legitimacy of links before clicking, especially those received via SMS, email, or social media. Regularly monitor your account activity and report any suspicious transactions to your bank immediately.