I freakin’ love progressive web apps (PWAs). If you’re not familiar with the term, a PWA is a website that your browser can “install” so it behaves like a native app: the browser still renders the page, but the site gets its own icon on your home screen or in your app list and launches in its own window, usually without the browser’s address bar, and none of it goes through an app store. PWAs are popular on both desktop and mobile, but that flexibility has also made them a tool for phishing attacks that are after your financial data.
According to a new report from ESET Security (spotted by Bleeping Computer), scammers have been spotted impersonating banks and other financial institutions via progressive web apps in campaigns in Hungary and Georgia, iterating on scams previously seen in Czechia.
These are appealing to criminals because Chrome and other browsers can “install” something on your phone that isn’t really an app at all: it’s a web shortcut with an icon, a name, and its own window, and it looks and behaves like an app on your home screen. Because nothing passes through the Google Play Store or the iOS App Store, the review those stores apply to apps never happens, and on Android the warnings that normally accompany installing an APK from outside the store aren’t shown either.
The hook is a familiar one: You get an email or a text message from what looks like your bank, you install a progressive web app on your phone, and you use it to log into your account. But both the initial message and the PWA it asks you to install are well-designed fakes, and your login info is harvested the moment you type it. The credentials are forwarded to a chat channel the attackers monitor; they log into your real bank account, drain it, and the scam is complete.
ESET warns that it’s observed attacks specifically targeting Android users and Chrome’s “WebAPK” PWA implementation, which packages an installed PWA as a minimal Android app so it shows up in the app drawer and in Settings like any other app. The phishing sites dress the install up with animations meant to mimic the Google Play Store’s installation flow. Combined with near-perfect impersonations of banking apps, that gives users false confidence in the validity of the app or service, lowering their defenses and enticing them to input their personal info. One quick check: apps installed this way through Chrome appear in Android’s Settings > Apps with a package name beginning org.chromium.webapk, which a real bank’s Play Store app never has.
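The two paragraphs above describe the mechanism (a PWA installed in standalone mode that hides the address bar) and the lure (a bank’s name and branding on a domain the bank doesn’t own). As an added example that is not part of the article or of ESET’s report, here is a small heuristic scanner over a web app manifest, the kind of check a URL-scanning pipeline could run on a suspected phishing page. The brand list, the manifest URLs, and the sample manifest are constructed for the example; the domain-matching helper is a deliberately naive stand-in for a Public Suffix List lookup.

```javascript
// Added example, not code from the article or from ESET's report.
// Heuristic check of a web app manifest for a brand-impersonating PWA.
// Facts used: a manifest with display "standalone" or "fullscreen" launches
// without the browser's address bar, so the victim never sees the real domain.
// The brand list, sample manifest and URLs below are constructed.

// Constructed sample: brand keyword -> registrable domains that brand really uses.
const KNOWN_BRANDS = [
  { keyword: "examplebank", domains: ["examplebank.com", "examplebank.hu"] },
];

// Naive eTLD+1 (last two labels). Fine for the example; a real scanner would
// consult the Public Suffix List so suffixes like "co.uk" are handled.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

function normalizeName(s) {
  return String(s || "").toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Returns { risk, findings } for a manifest served from manifestUrl.
function analyzeManifest(manifestUrl, manifest) {
  const findings = [];
  // Browsers resolve start_url relative to the manifest URL; so do we.
  const startUrl = new URL(manifest.start_url || "/", manifestUrl);
  const appDomain = registrableDomain(startUrl.hostname);

  // Standalone/fullscreen display removes the one UI element (the address
  // bar) that would reveal the phishing domain once the "app" is installed.
  if (["standalone", "fullscreen"].includes(manifest.display)) {
    findings.push(`display "${manifest.display}" hides the address bar after install`);
  }

  // A bank's name on a domain the bank does not own is the core tell.
  const names = [manifest.name, manifest.short_name].map(normalizeName);
  let brandMismatch = false;
  for (const brand of KNOWN_BRANDS) {
    const claimsBrand = names.some((n) => n.includes(brand.keyword));
    if (claimsBrand && !brand.domains.includes(appDomain)) {
      brandMismatch = true;
      findings.push(`name claims "${brand.keyword}" but app is served from ${appDomain}`);
    }
  }

  // Icons hot-linked from another origin are a weak signal that the kit
  // borrows a real app's branding rather than hosting its own assets.
  for (const icon of manifest.icons || []) {
    const iconUrl = new URL(icon.src, manifestUrl);
    if (iconUrl.origin !== startUrl.origin) {
      findings.push(`icon ${icon.src} loaded from foreign origin ${iconUrl.origin}`);
      break;
    }
  }

  const risk = brandMismatch ? "high" : findings.length ? "medium" : "low";
  return { risk, findings };
}

// Constructed manifest in the style the article describes: a bank's name and
// icons on an unrelated domain, installed in standalone mode.
const SAMPLE_MANIFEST_URL = "https://examplebank-secure-login.example/manifest.json";
const SAMPLE_MANIFEST = {
  name: "ExampleBank Mobile",
  short_name: "ExampleBank",
  start_url: "/login",
  display: "standalone",
  icons: [{ src: "https://www.examplebank.com/icon-192.png", sizes: "192x192" }],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(analyzeManifest(SAMPLE_MANIFEST_URL, SAMPLE_MANIFEST));
}
```

Run with `node` on the sample and it reports risk "high" with three findings. The same manifest served from app.examplebank.com would only trip the address-bar finding, which is normal for a legitimate PWA, so the brand-versus-domain mismatch is the signal worth alerting on; the other two are context.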
While the report only details attacks seen in Eastern Europe so far, scammers and hackers are known to rapidly re-implement successful methods of attack across the world. And anybody can be affected — even, say, a 13-year veteran technology writer who was a hair’s breadth away from falling for a fake “your package could not be delivered” email earlier this year.
Be on your guard for any message from an unverified sender or address prompting you to install a PWA or WebAPK. Real banks distribute their apps through the Play Store or the App Store, not through a link that installs from inside the browser, and once a PWA is installed you no longer see an address bar to tell you where it’s really loading from, so check the domain before you tap “install,” not after. Always reach your bank or other financial tools independently, by typing the address yourself or opening the app you got from the store, and never hand over usernames, passwords, one-time codes, or other personal info to anyone via a secondary channel like email, texting, or chat.