I love progressive web apps (PWAs). If you’re not familiar with the term, a PWA is basically a website wrapped in a small piece of software. It uses your browser to display the page, but acts as a separate app without requiring you to install it as such. PWAs are popular on both desktop and mobile devices, but their flexibility has made them a target for phishing attacks that try to access your financial data.
According to a new report from ESET Security (spotted by Bleeping Computer), social engineering hackers in Hungary and Georgia have been spotted impersonating banks and other financial institutions via progressive web applications, taking inspiration from scams previously observed in Czechia.
These apps are popular with cybercriminals because Chrome and other browsers can “install” an app on your phone that isn’t really an app, but a web shortcut that behaves like one on your home screen. This lets them sidestep the anti-fake-app vetting of the Google Play Store and iOS App Store, as well as the install warnings Android shows for apps that don’t come through the store.
The premise is the same: you receive an email or text message from what appears to be your bank, you install a progressive web app on your phone, and you use it to log into your account. But both the initial message and the PWA it asks you to install are well-crafted fakes, and your login information is now being harvested. The information is sent to a text chat monitored by the hackers, who log into your bank account and drain it, and the scam is complete.
ESET warns that it has observed attacks specifically targeting Android users and Chrome’s “WebAPK” PWA implementation, with animations that purport to mimic the Google Play Store installation flow. Combined with near-perfect imitations of banking apps, they give users false confidence in the validity of the app or service, lowering their defenses and tricking them into entering their personal information.
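The mechanism described above (a web app manifest that turns an ordinary page into a home-screen “app”) is also what a defender can inspect. The script below is an added example, not code from ESET’s report or from any browser vendor: it reads a web app manifest and flags the combination the article describes, a manifest that borrows a bank’s name while being served from an unrelated origin and requesting a standalone display that hides the address bar. The brand allow-list, the domains and the two sample manifests are constructed for the example, and the domain-splitting helper is a deliberate simplification (a real deployment would use a public-suffix list).

```python
"""Flag web app manifests that borrow a bank's branding from an unrelated origin.

Added illustration for brand-protection / phishing-kit triage. The brand list,
domains and sample manifests are constructed and not taken from any report.
"""
import json
from urllib.parse import urljoin, urlparse

# Constructed allow-list: brand keyword (lowercase) -> domains it legitimately uses.
BRAND_DOMAINS = {
    "examplebank": {"examplebank.example"},
    "acme credit union": {"acmecu.example"},
}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for the constructed sample
    domains; use a public-suffix list for real hostnames."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def manifest_findings(manifest_url: str, manifest_json: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    m = json.loads(manifest_json)
    findings = []
    serving_domain = registrable_domain(urlparse(manifest_url).hostname or "")

    # start_url is resolved relative to the manifest's own URL.
    start_url = urljoin(manifest_url, m.get("start_url", "/"))
    start_domain = registrable_domain(urlparse(start_url).hostname or "")

    # Compare the displayed name against the allow-list of domains for that brand.
    names = " ".join(str(m.get(k, "")) for k in ("name", "short_name")).lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in names and serving_domain not in domains:
            findings.append(
                f"brand '{brand}' claimed by a manifest served from {serving_domain}"
            )

    # A start_url on another origin is unusual for a legitimate banking PWA.
    if start_domain != serving_domain:
        findings.append(f"start_url points off-origin: {start_domain}")

    # Standalone/fullscreen hides the browser chrome, so the user never sees the origin.
    display = m.get("display", "browser")
    if display in ("standalone", "fullscreen") and findings:
        findings.append(
            f"display={display} hides the address bar, so the origin is not visible to the user"
        )
    return findings


# Constructed samples: one legitimate manifest, one impersonation.
LEGIT_URL = "https://examplebank.example/manifest.json"
LEGIT_MANIFEST = json.dumps(
    {"name": "ExampleBank", "short_name": "ExampleBank", "start_url": "/app/", "display": "standalone"}
)
FAKE_URL = "https://secure-update.example/manifest.json"
FAKE_MANIFEST = json.dumps(
    {"name": "ExampleBank Mobile", "short_name": "ExampleBank", "start_url": "/login", "display": "standalone"}
)


def demo() -> dict:
    """Run both samples and return their findings keyed by manifest URL."""
    return {
        LEGIT_URL: manifest_findings(LEGIT_URL, LEGIT_MANIFEST),
        FAKE_URL: manifest_findings(FAKE_URL, FAKE_MANIFEST),
    }


if __name__ == "__main__":
    for url, found in demo().items():
        print(url, "->", found or "clean")
```

The legitimate manifest produces no findings; the impersonating one is flagged twice, once for the brand/origin mismatch and once because standalone display would keep the real origin out of sight. The point of the check is the origin, not the look of the app: the article’s attacks succeed precisely because a convincing icon and a faked Play Store animation carry no information about who is serving the page.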
While the report only details attacks seen so far in Eastern Europe, scammers and hackers are known to quickly reuse successful attack methods anywhere in the world. And anyone can be affected, even, say, a 13-year veteran editor who nearly fell for a fake “your package could not be delivered” email earlier this year.
Be wary of messages from unverified users or addresses asking you to install PWAs or WebAPKs, and remember to always log in to your bank or other financial tools independently. Don’t provide usernames, passwords, or other information to anyone through a secondary system like email or SMS.