Scammers Exploit Progressive Web Apps for Latest Phishing Scheme

Security researchers have uncovered a new phishing technique that employs progressive web applications (PWAs) to target bank customers in Eastern Europe.

PWAs function as websites that mimic applications, allowing them to be installed without notifying users that they are third-party apps. Researchers at ESET report that scammers are focusing on iOS and Android users with PWAs disguised as banking applications.

The attackers utilize automated voice calls, SMS messages, and social media advertising to instruct iOS users to add a PWA to their home screens. Meanwhile, Android users install the PWA by confirming custom pop-up messages in their browsers.

“At this point, on both operating systems, these phishing apps are largely indistinguishable from the real banking apps that they mimic,” ESET noted on its blog.

ESET has found that most of the phishing apps identified target clients of Czech banks, with some also aimed at Hungarian and Georgian banks. The researchers suggest that there are likely two distinct groups behind these applications, warning, “We expect more copycat applications to be created and distributed, since after installation it is difficult to separate the legitimate apps from the phishing ones.”