Hackers steal banking creds from iOS, Android users via PWA apps

Hackers steal banking creds from iOS, Android users via PWA apps

Threat actors started to use progressive web applications to impersonate banking apps and steal credentials from Android and iOS users.

Progressive web apps (PWA) are cross-platform applications that can be installed directly from the browser and offer a native-like experience through features like push notifications, access to device hardware, and background data syncing.

Using this type of apps in phishing campaigns allows evading detection, bypass app installation restrictions, and gain access to risky permissions on the device without having to serve the user a standard prompt that could raise suspicion.

The technique was first observed in the wild in July 2023 in Poland, while a subsequent campaign that launched in November of the same year targeted Czech users.

Cybersecurity company ESET reports that it is currently tracking two distinct campaigns relying on this technique, one targeting the Hungarian financial institution OTP Bank and the other targeting TBC Bank in Georgia.

However, the two campaigns appear to be operated by different threat actors. One uses a distinct command and control (C2) infrastructure to receive stolen credentials, while the other group logs stolen data via Telegram.

Infection chain

ESET says that the campaigns rely on a broad range of methods to reach their target audience, including automated calls, SMS messages (smishing), and well-crafted malvertising on Facebook ad campaigns.

In the first two cases, the cybercriminals trick the user with a fake message about their banking app being outdated and the need to install the latest version for security reasons, providing a URL to download the phishing PWA.

PWA campaigns infection flow
PWA campaigns infection flow
Source: ESET

In the case of malicious advertisements on social media, the threat actors use the impersonated bank’s official mascot to induce a sense of legitimacy and promote limited-time offers like monetary rewards for installing a supposedly critical app update.

One of the malicious ads used in the phishing campaign
One of the malicious ads used in the phishing campaign
Source: ESET

Depending on the device (verified via the User-Agent HTTP header), clicking on the ad takes the victim to a bogus Google Play or App Store page.

Fake Google Play portal
Fake Google Play installation prompt (left) and progress (right)
Source: ESET

Clicking on the ‘Install’ button prompts the user to install a malicious PWA posing as a banking app. In some cases on Android, the malicious app is installed in the form of a WebAPK – a native APK generated by Chrome browser.

The phishing app uses the official banking app’s identifiers (e.g. logo legitimate-looking login screen) and even declares Google Play Store as the software source of the app.

The malicious WebAPK on the victim's homescreen and the phishing login page
The malicious WebAPK (left) and the phishing login page (right)
Source: ESET

The appeal of using PWAs on mobile

PWAs are designed to work across multiple platforms, so attackers can target a broader audience through a single phishing campaign and payload.

The key benefit, though, lies in bypassing Google’s and Apple’s installation restrictions for apps outside the official app stores, as well as “install from unknown sources” warning prompts that could alert victims to potential risks.

PWAs can closely mimic the look and feel of native apps, especially in the case of WebAPKs, where the browser logo on the icon and the browser interface within the app are hidden, so distinguishing it from legitimate applications is nearly impossible.

PWA (left) and legitimate app (right). WebAPKs are indistinguishable
PWA (left) and legitimate app (right). WebAPKs are indistinguishable as they lose the Chrome logo from the icon.
Source: ESET

These web apps can get access to various device systems through browser APIs, such as geolocation, camera, and microphone, without requesting them from the mobile OS’s permissions screen.

Ultimately, PWAs can be updated or modified by the attacker without user interaction, allowing the phishing campaign to be dynamically adjusted for greater success.

Abuse of PWAs for phishing is a dangerous emerging trend that could gain new proportions as more cybercriminals realize the potential and benefits.

A few months back, we reported about new phishing kits targeting Windows accounts using PWAs. The kits were created by security researcher mr.d0x specifically to demonstrate how these apps could be used to steal credentials by creating convincing corporate login forms.

BleepingComputer has contacted both Google and Apple to ask if they plan to implement any defenses against PWAs/WebAPKs, and we will update this post with their responses once we hear back.

Source link

Visited 1 times, 1 visit(s) today

Related Article

Nvidia’s trillion-dollar run puts pressure on the bulls

BEIJING, CHINA – MAY 14: Nvidia CEO Jensen Huang (C) gestures as he prepares to depart following a welcome ceremony at the Great Hall of the People on May 14, 2026 in Beijing, China. President Trump is meeting with President Xi Jinping in Beijing to address the Iran conflict, trade imbalances, and the Taiwan situation

Permutations in Europe: What’s still at stake in final weeks of season?

There’s still plenty to play for across Europe as we head into the final matches of the club season. Here are all the title races, Champions League fights, and relegation battles left to be decided in the top leagues this month. This story will be updated until the end of the campaign. 👉 Jump to:EPL

Brewing a Better Half-Gallon Batch

Today I finally ran an experiment I’ve wanted to try for a long time. If you’re a professional barista—or you run a busy café—this may save you some time. Most coffee shops use 1–1.5 gallon batch brewers (Bunn, Curtis, Fetco, etc.). When I opened Short Sleeves Coffee, I intentionally avoided brewing full 1-gallon batches. I

5 Frozen Breakfasts Chefs Say Keep You Full All Morning

Chef-approved frozen breakfasts with more protein and better ingredients. Eating a healthy breakfast every morning is a great way to start the day, but most people don’t have time to cook. Whether you’re rushing out the door in the morning for work, taking the kids to school or both, there’s usually not much time in

CA scales back plan to ban student use of cell phones

By Carolyn Jones, CalMatters This story was originally published by CalMatters. Sign up for their newsletters. Until last month, California was poised to join nearly a dozen other states that ban cell phones in K-12 schools. But under pressure from school boards and administrators, lawmakers scaled back a bill that would have required such a

BulkQuant Launches AI Trading Bot for Crypto, Forex, and Stock Markets

BulkQuant Launches AI Trading Bot for Crypto, Forex, and Stock Markets

London, United Kingdom, May 15, 2026 (GLOBE NEWSWIRE) — BulkQuant has officially launched its AI trading bot platform designed for crypto, forex, and stock market traders seeking a simpler way to automate trading strategies across multiple financial markets. The platform combines AI-powered quantitative analysis, automated trade execution, portfolio monitoring, and adaptive risk management into a

IMF lauds resilient Hong Kong economy but warns of risks linked to Middle East war

IMF lauds resilient Hong Kong economy but warns of risks linked to Middle East war

The International Monetary Fund (IMF) has lauded the resilience of Hong Kong’s economy, noting a sustained recovery despite economic activity having yet to return to pre-Covid levels, while warning of downside risks stemming from escalating geopolitical tensions. It also urged Hong Kong to pursue medium-term financial reforms, including the introduction of a goods and services

Smithsonian Presidents Exhibit Reopens With Low-Key Trump Impeachment Mention

For the past year, the Smithsonian Institution has found itself in the awkward position of telling the nation’s story while being supported in part by a government that wants to narrow how that story is told. In December, the White House threatened to revoke funding to the institution if it did not hand over a

Marvel’s Daredevil Follow-up Is Already Dominating on Streaming

A follow-up to Daredevil: Born Again Season 2 on Disney+ has become a massive streaming success within days of its launch. The Punisher: One Last Kill has quickly climbed to the top of multiple charts, beating out other titles on the platform. The MCU television special follows the gun-toting vigilante, who finds himself targeted by

Is Now a Bad Time to Invest?

The market has been on a roll lately, with the S&P 500 (SNPINDEX: ^GSPC) setting new highs throughout May. If you think you missed your opportunity when the market bottomed in late March, don’t fret. The market hitting new all-time highs is not particularly rare and should not change your investment strategy. And if you

6 bids for Hong Kong land sale signal renewed confidence despite market caution

6 bids for Hong Kong land sale signal renewed confidence despite market caution

The Hong Kong government’s first land sale in the current financial year has drawn six bids, according to the Development Bureau, including those from the city’s largest developers, suggesting a more confident outlook for the residential property market. At the close of tender for Tung Chung Town Lot No 54 at Area 106A on Friday

Each Premier League team reranked: Man City rise; Chelsea, Liverpool collapse

Ryan O’Hanlon Close Ryan O’Hanlon ESPN.com writer Ryan O’Hanlon is a staff writer for ESPN.com. He’s also the author of “Net Gains: Inside the Beautiful Game’s Analytics Revolution.”  and  Bill Connelly Close Bill Connelly ESPN Staff Writer Bill Connelly is a writer for ESPN. He covers college football, soccer and tennis. He has been at

Trump departs China after two-day summit

Trump departs China after two-day summit

IE 11 is not supported. For an optimal experience visit our site on another browser. Trump Wraps China Summit With Xi Jinping: What Are the Results? 05:41 Xi gives Trump rare tour of secret garden at heart of Chinese government 01:04 Now Playing Trump departs China after two-day summit 01:01 UP NEXT Special Report: Trump

Carol Chow was facing a bankruptcy petition by five people over unspecified debts at the time of her death. Photo: Dickson Lee

Embattled Hong Kong developer sued for HK$130 million, days after founder’s death

A Hong Kong property developer has been sued for HK$130 million (US$16.6 million) over allegedly breaching guarantor obligations in two bond subscription agreements, becoming the latest lawsuit to implicate the embattled company and following its founder’s sudden death earlier this week. Lofter Group, known for its urban renewal projects across the city’s core districts, and

Trump’s China visit left chip export issue unresolved

This report is from this week’s The Tech Download newsletter. Like what you see? You can subscribe here. One look at the roster of U.S. execs that cozied up to U.S. President Donald Trump on the 20+ hours flight from Alaska to China on Wednesday and you get a sense of the American delegation’s key focus

Why the Cerebras IPO matters for the AI race with China

Why the Cerebras IPO matters for the AI race with China

Cerebras, an AI chipmaker, saw its shares nearly double on Nasdaq, closing up 70% with a $95B market cap. Cerebras’s powerful chips are key in the US-China AI tech race. Chris Buskirk, co-founder and chief investment officer of 1789 Capital, a key Cerebras investor, says the company’s IPO is geopolitically significant. On Thursday, shares of

Fitbit Air vs Whoop Strap Comparison: Price, Features and AI

The Google Fitbit Air is very much the talk of the fitness tracking town right now, not only because it’s the first new Fitbit device that we’ve had in years, but it’s also one of the first big brands to go head-to-head with the established Whoop Strap (if you don’t count the Polar Loop and

0
Would love your thoughts, please comment.x
()
x