New Banking Credential Theft Scheme Aims at Czech Mobile Users
A novel phishing campaign is targeting mobile users in the Czech Republic with the aim of stealing their banking credentials by tricking them into installing a malicious Progressive Web Application (PWA).
According to the Slovak cybersecurity firm ESET, the scams have targeted Československá obchodní banka (CSOB) in the Czech Republic, as well as OTP Bank in Hungary and TBC Bank in Georgia.
“The phishing websites that target iOS users prompt them to add a Progressive Web Application (PWA) to their home screens, while Android users are required to confirm custom pop-ups in their browsers to install the PWA,” said ESET security researcher Jakub Osmani.
“At this moment, these phishing applications are virtually indistinguishable from the genuine banking applications they are imitating, on both iOS and Android platforms.”
What makes this technique notable is that users are tricked into installing a PWA, or in some cases a WebAPK on Android, from a third-party site without ever having to explicitly allow sideloading.
Analysis of the command-and-control (C2) servers and backend infrastructure points to two separate threat actors running these campaigns.
The malicious sites are distributed via automated voice calls, SMS messages, and malvertising on social media platforms such as Facebook and Instagram. In the voice-call variant, victims are told that their banking app is out of date and asked to select a numeric option, after which they are sent the phishing URL.
Victims who follow the link are shown a page that mimics the Google Play Store listing for the targeted banking app, or a copycat site for the app itself. Either way, this leads to the “installation” of the PWA or WebAPK, disguised as an app update.
“The critical installation phase bypasses the standard browser alerts related to ‘installing unknown apps.’ This is due to the default behavior of Chrome’s WebAPK mechanism, which is exploited by the attackers,” Osmani clarified. “Moreover, installing a WebAPK doesn’t trigger any alerts related to ‘installation from an untrusted source’.”
iOS users are instead walked through adding the fake PWA to the Home Screen. The end goal in both cases is to capture the banking credentials entered into the app and exfiltrate them to an attacker-controlled C2 server or a Telegram group chat.
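As an added example (not ESET's code and nothing recovered from the campaign itself), the Python helpers below show two checks a responder would run on this technique. The first inspects a web app manifest the way a browser resolves it: it looks for bank branding in `name`/`short_name`, checks whether the origins behind the manifest, `start_url` and `scope` belong to the brand, and flags `display: standalone`/`fullscreen`, which hides the address bar and with it the only visible clue that the "app" is a website. The second parses `adb shell pm list packages` output and lists WebAPKs, which Chrome installs under the `org.chromium.webapk.*` package namespace. The sample manifest, the look-alike domain and the `pm` output are constructed, and the legitimate bank origins in `KNOWN_BRANDS` are assumptions for illustration, not verified values.

```python
"""Triage helpers for PWA/WebAPK banking-phishing lures (added example)."""
import json
from urllib.parse import urljoin, urlsplit

# ASSUMED legitimate origins for the brands the article names. Illustrative
# values only; maintain a verified allow-list in a real deployment.
KNOWN_BRANDS = {
    "csob": {"https://www.csob.cz"},
    "otp": {"https://www.otpbank.hu"},
    "tbc": {"https://www.tbcbank.ge"},
}

# CONSTRUCTED manifest in the style of such a kit: bank branding, standalone
# display (no address bar), served from a look-alike domain.
SAMPLE_MANIFEST = json.dumps({
    "name": "CSOB Smart",
    "short_name": "CSOB",
    "start_url": "/app/",
    "scope": "/",
    "display": "standalone",
    "icons": [{"src": "https://cdn.example/csob.png",
               "sizes": "192x192", "type": "image/png"}],
})
SAMPLE_MANIFEST_URL = "https://csob-update.example/manifest.json"

# CONSTRUCTED `adb shell pm list packages` output.
SAMPLE_PM_OUTPUT = """package:com.android.chrome
package:org.chromium.webapk.a1b2c3d4e5f60718
package:com.example.realbank
"""
WEBAPK_PREFIX = "org.chromium.webapk."


def origin_of(url):
    """scheme://host[:port], lower-cased, as used for same-origin checks."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def brands_in(manifest):
    """Brand keywords found in the manifest's display names."""
    text = " ".join(str(manifest.get(k, "")) for k in ("name", "short_name")).lower()
    return sorted(b for b in KNOWN_BRANDS if b in text)


def assess_manifest(manifest_json, manifest_url):
    """Flag a manifest that carries bank branding but points at foreign origins."""
    m = json.loads(manifest_json)
    brands = brands_in(m)
    allowed = set().union(*(KNOWN_BRANDS[b] for b in brands)) if brands else set()
    # start_url and scope are relative to the manifest URL, as the browser resolves them.
    origins = {
        origin_of(manifest_url),
        origin_of(urljoin(manifest_url, m.get("start_url", "/"))),
        origin_of(urljoin(manifest_url, m.get("scope", "/"))),
    }
    suspicious = sorted(o for o in origins if brands and o not in allowed)
    offsite_icons = sorted(
        i["src"] for i in m.get("icons", [])
        if "src" in i
        and origin_of(urljoin(manifest_url, i["src"])) != origin_of(manifest_url)
    )
    return {
        "brands": brands,
        "suspicious_origins": suspicious,
        # standalone/fullscreen remove the URL bar, so the victim never sees the domain
        "hides_url_bar": m.get("display") in ("standalone", "fullscreen"),
        "offsite_icons": offsite_icons,
        "verdict": "likely impersonation" if suspicious else "no brand/origin mismatch",
    }


def webapk_packages(pm_list_output):
    """Return WebAPK package names from `adb shell pm list packages` output."""
    pkgs = []
    for line in pm_list_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            name = line[len("package:"):]
            if name.startswith(WEBAPK_PREFIX):
                pkgs.append(name)
    return pkgs


if __name__ == "__main__":
    print(json.dumps(assess_manifest(SAMPLE_MANIFEST, SAMPLE_MANIFEST_URL), indent=2))
    print("WebAPKs on device:", webapk_packages(SAMPLE_PM_OUTPUT))
```

A WebAPK in the package list is not malicious by itself (any site added from Chrome becomes one); the point of listing them is to pair each with the site it wraps and ask whether that site should be hosting a "bank app" at all. Likewise, a standalone manifest is normal for a real bank's PWA; it is the combination of bank branding, a foreign origin and a hidden address bar that marks the lure.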
ESET's telemetry shows the first PWA phishing case in early November 2023, with further waves detected in March and May 2024.
The discovery coincides with the emergence of a new version of the Gigabud Android trojan, distributed through phishing sites that impersonate the Google Play Store or various banks and government bodies.
“The malware possesses a range of capabilities such as extracting data related to the infected device, stealing banking credentials, capturing screen recordings, etc.,” said Broadcom-owned Symantec in its commentary on the matter.
This development follows Silent Push’s discovery of 24 distinct control panels for various Android banking trojans like ERMAC, BlackRock, Hook, Loot, and Pegasus (distinct from NSO Group’s surveillance software of the same name), all managed by a threat actor known as DukeEugene.
