PWA Phishing: New Threat to Mobile Banking in Eastern Europe
ESET specialists have uncovered a new phishing campaign targeting mobile banking users in the Czech Republic, Hungary, and Georgia. This campaign is distinguished by its use of progressive web apps (PWAs) and WebAPKs (PWAs packaged by Chrome into a native-looking Android app), technologies that enable attackers to circumvent traditional security mechanisms.
The essence of the attack lies in the use of fake websites that entice users to install a PWA. On iOS, victims are prompted to add a fake app to their home screen, while on Android, installation occurs after confirming prompts in the browser. Consequently, users install a phishing application that closely resembles a legitimate banking app.
A notable aspect of this tactic is that victims install the PWA or WebAPK without requiring approval to install apps from unknown sources, allowing attackers to bypass standard browser warnings about potential threats.
An analysis of C2 servers and infrastructure revealed that two distinct cybercriminal groups are behind the campaign. Phishing websites are disseminated through automated voice calls, SMS messages, and advertisements on Facebook and Instagram. The ads were targeted at specific user groups based on age and gender.
Users receive a call warning them about an outdated version of their banking app, and after selecting an option on the digital keypad, a phishing link is sent to them. Upon clicking the link, users are directed to a site that mimics the Google Play app page or the official bank’s website, ultimately leading to the installation of a fraudulent PWA or WebAPK under the guise of an app update.
It is important to note that installing a WebAPK does not trigger the standard warnings about downloading from an untrusted source, making it more difficult to detect the threat.
For iOS users, instructions were developed to add the fake app to their device’s home screen. After installation, victims are prompted to enter their online banking credentials to access their account through the new app. All the information provided is sent to C2 servers or a Telegram group managed by the attackers.
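A fake PWA is only installable because the phishing site serves a web app manifest, so one defender-side check is to inspect manifests found on suspicious hosts for brand impersonation and native-app mimicry. The following is an added example, not ESET's tooling or anything from the campaign; the manifest, the origin and the brand allowlist are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a manifest as a phishing site might serve it, borrowing a
# bank's name while being hosted on an unrelated origin (all values made up).
SAMPLE_MANIFEST = json.dumps({
    "name": "ExampleBank Mobile",
    "short_name": "ExampleBank",
    "start_url": "/login",
    "display": "standalone",
    "icons": [{"src": "/icon-192.png", "sizes": "192x192", "type": "image/png"}],
})
SAMPLE_ORIGIN = "https://examplebank-update.example"

# Hypothetical allowlist: brand keyword -> hosts legitimately allowed to use it.
KNOWN_BRANDS = {"examplebank": {"examplebank.example"}}


def host_of(url):
    """Hostname of an absolute URL, or '' for relative URLs / missing values."""
    return (urlparse(url).hostname or "").lower()


def assess_manifest(manifest_json, served_from, brands=KNOWN_BRANDS):
    """Return indicator strings for a manifest fetched from `served_from`."""
    m = json.loads(manifest_json)
    host = host_of(served_from)
    findings = []
    label = f"{m.get('name', '')} {m.get('short_name', '')}".lower()
    for brand, legit_hosts in brands.items():
        on_legit_host = any(host == h or host.endswith("." + h) for h in legit_hosts)
        if brand in label and not on_legit_host:
            findings.append(f"brand '{brand}' used by unrelated host {host}")
    # standalone/fullscreen hide the browser UI and address bar, which is what
    # lets an installed fake pass for a native banking app on the home screen
    if m.get("display") in ("standalone", "fullscreen"):
        findings.append(f"display={m['display']} hides the address bar")
    start_host = host_of(m.get("start_url", ""))
    if start_host and start_host != host:
        findings.append(f"start_url points at a different origin: {start_host}")
    return findings


if __name__ == "__main__":
    for f in assess_manifest(SAMPLE_MANIFEST, SAMPLE_ORIGIN):
        print("indicator:", f)
```

The same manifest served from an allowlisted bank host yields only the display note, so the brand/host mismatch is the finding worth alerting on.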
ESET recorded the first wave of phishing attacks using PWAs in November 2023, with subsequent waves in March and May 2024. The initial use of this technique was observed in July 2023.
During the investigation, ESET successfully informed the affected banks of the incidents promptly and managed to have several phishing domains and command-and-control servers removed. However, the likelihood of similar attacks remains high, as attackers continue to refine their methods and adapt to new conditions.