Phishing attacks have evolved exponentially, with threat actors rigorously leveraging advanced technologies like Progressive Web Applications (PWAs) and WebAPKs. These tools allow attackers to bypass traditional security warnings, making phishing campaigns more effective. This write-up provides an in-depth technical analysis of how PWAs and WebAPKs are being used in phishing attacks, examines the underlying mechanisms, and discusses the broader implications for mobile and user security.
1. Technical Overview of PWAs and WebAPKs
What are PWAs and WebAPKs?
Progressive Web Applications (PWAs) are web-based applications that offer a native app-like experience. They are built using standard web technologies like HTML, CSS, and JavaScript but leverage modern APIs to provide enhanced functionalities such as offline access, push notifications, and installation on a device's home screen. WebAPKs, on the other hand, are a packaging format used by the Chrome browser to allow PWAs to appear as native apps on Android devices. This conversion grants PWAs direct access to the Android app ecosystem, making them indistinguishable from other apps to most users.
Exploitation of Browser APIs and Security Mechanisms
Attackers exploit browser APIs, such as the Service Worker API, to bypass traditional security warnings. The Service Worker API acts as a proxy between the web browser and the network, enabling background processes such as caching and push notifications. By manipulating these APIs, attackers can create malicious PWAs that look legitimate but perform nefarious activities, such as stealing credentials or installing malware.
2. In-Depth Analysis of Phishing Mechanisms Using PWAs and WebAPKs
Phishing Tactics and Psychological Manipulation
Phishing campaigns leveraging PWAs and WebAPKs employ various tactics, including malvertising, smishing (SMS phishing), and automated voice calls (vishing). Each tactic involves different psychological manipulation strategies to trick users into divulging sensitive information or downloading malicious applications.
- Malvertising: Threat actors use online advertisements to distribute malicious PWAs. These ads often lead to seemingly benign websites that prompt users to install a PWA, which appears as a native app but is designed to steal data.
- Smishing and Vishing: Attackers send text messages or make automated calls with urgent or alarming content, prompting the recipient to take immediate action. This tactic often directs users to phishing websites disguised as legitimate pages, where they are tricked into installing a WebAPK.
Case Study: In a recent campaign, attackers used fake COVID-19 alert notifications to direct users to a phishing site that mimicked a government health website. The site prompted users to install a PWA, which then requested permissions to access sensitive device information under the guise of tracking virus exposure.
To rigorously bridge the content gap in the revised technical write-up, I'll enhance each section with a detailed and meticulous analysis, providing more context, technical insights, and explanations to make the write-up richer and more comprehensive. Here's the revised version with detailed additions:
Cross-Platform Phishing Tactics
The phishing websites designed for iOS users employ social engineering tactics to instruct victims to add a Progressive Web Application (PWA) to their home screens. For Android users, the PWA installation process is initiated after they confirm a series of custom pop-up prompts in their browsers. These prompts are carefully crafted to mimic legitimate system notifications, thereby increasing the likelihood of user compliance.
Once installed, these fraudulent apps are virtually indistinguishable from legitimate banking apps on both platforms, creating a false sense of security. PWAs are essentially web applications that are enhanced to function like standalone native applications, leveraging modern browser capabilities to offer a seamless user experience. The cross-platform nature of PWAs enables the phishing campaign to effectively target both iOS and Android users, broadening its potential impact.
This novel phishing method was first disclosed by CSIRT KNF in Poland in July 2023. In November 2023, ESET analysts, through their Brand Intelligence service, detected this technique in Czechia.
Further investigations revealed that similar campaigns were targeting the Hungarian OTP Bank and the Georgian TBC Bank, indicating a broader geographical scope and a targeted attack strategy that leverages localized phishing techniques.
Key Insights from the Analysis
- Innovative Phishing Tactics: The campaign cleverly blends traditional phishing delivery methods with advanced techniques, such as the deployment of PWAs and WebAPKs. These methods do not trigger alerts about installing third-party applications, effectively bypassing one of the primary defenses users rely on to avoid malicious apps.
- Deceptive App Installation: On Android devices, these malicious WebAPKs can appear to originate from the Google Play Store, thereby circumventing standard security warnings that would typically inform users about the risks associated with installing apps from unknown sources.
- Targeted Regional Attacks: While the campaign predominantly focused on Czech banks, evidence suggests that similar tactics were employed against financial institutions in Hungary and Georgia, showcasing the adaptability and geographical reach of the attackers.
- Multiple Threat Actors: The diversity in campaign infrastructure and the distinct nature of the Command & Control (C&C) servers suggest the involvement of at least two distinct threat actors, potentially collaborating or operating independently within a shared ecosystem of malicious tools and resources.
- Proactive Defensive Measures: The discovery of operational panels on various domains provided a rare opportunity for cybersecurity teams to notify the affected banks in a timely manner, mitigating the impact of the attacks and preventing further exploitation.
Campaign Delivery Mechanisms
ESET researchers identified a sophisticated multi-pronged delivery strategy for these phishing campaigns, employing three distinct URL delivery mechanisms: automated voice calls, SMS messages, and social media malvertising.
- Automated Voice Calls: Victims receive an automated call informing them that their banking app is outdated and needs immediate updating. The call prompts them to press a specific number on their keypad, after which a phishing URL is sent via SMS. This tactic exploits the urgency of the message and the authority of the automated voice to lower the victim's guard.
- SMS Phishing (Smishing): SMS messages containing phishing links were indiscriminately sent to a wide range of Czech phone numbers. These messages typically contained urgent language, warning users about unauthorized transactions or account suspensions to prompt quick action. This approach leverages the immediate nature of SMS communications to prompt quick user responses.
- Social Media Malvertising: Ads were strategically placed on Meta platforms, such as Instagram and Facebook, featuring compelling calls to action (e.g., "download an update below"). These ads were tailored using user demographic data, such as age, location, and interests, increasing their effectiveness by making the ad appear relevant and urgent to the targeted user base.
Upon clicking the provided URLs, Android users were redirected to a high-quality phishing page meticulously crafted to mimic the official Google Play Store or a nearly identical clone of the targeted bank's website. This page dynamically adapts its appearance based on the user’s device, using responsive design principles to switch to an Apple Store-like interface if accessed from an iOS device, thus maintaining the illusion of legitimacy across platforms.
Phishing Workflow and Techniques
Upon visiting the phishing website, victims are deceptively prompted to install a "new version" of their banking app. The specific approach varies depending on the platform:
- For Android Users: The phishing site initiates the download of a WebAPK. A WebAPK is a Web Application Package that functions similarly to a traditional APK but is generated by the Chrome browser from a PWA. This critical step bypasses the standard browser warnings about installing unknown apps due to Chrome’s WebAPK technology, which the attackers exploit by deploying it directly from a malicious server.
- For iOS Users: The phishing flow involves a convincingly animated pop-up that mimics native iOS prompts, instructing the user on how to add the malicious PWA to their home screen. This method effectively sidesteps the usual warnings about adding potentially harmful applications by using familiar-looking prompts and animations that exploit users' trust in their device’s native interfaces.
Once installed, these malicious apps prompt users to enter their banking credentials into a fake login screen that is visually identical to the legitimate app's interface. All entered data is immediately captured and transmitted to the attackers' C&C servers for exploitation.
Technical Analysis and Timeline of Observed Campaigns
ESET’s timeline of the campaign provides a chronological insight into the attack's evolution:
- Early November 2023: Initial detection of phishing campaigns using PWAs, focusing on exploiting the inherent cross-platform nature of these web-based applications.
- Mid-November 2023: Shift towards WebAPK-based attacks on Android devices, exploiting Chrome’s native-like app behavior to bypass security warnings.
- March 2024: Discovery of Command & Control servers used to collect sensitive data from the phishing applications, indicating a coordinated and organized effort.
- May 2024: Detection of the cryptomaker[.]info server, which was involved in an attack against Georgian TBC Bank in February 2024, further highlighting the cross-border nature of these attacks and the attackers' adaptability.
Detailed Breakdown of PWA and WebAPK Phishing Methods
Progressive Web Applications (PWAs)
The phishing strategy relies heavily on the use of PWAs, which are designed to operate like native applications across multiple platforms. PWAs are built using standard web technologies (HTML, CSS, JavaScript) but include advanced features like offline capabilities, push notifications, and the ability to be installed on a user's device directly from the browser. When a user is tricked into installing a PWA, a pop-up prompt appears, offering an installation option. Once installed, the PWA can operate like a native app, launching from the device’s home screen and running in a dedicated window without a visible browser frame, which enhances the illusion of legitimacy.
Key features of PWAs that make them attractive for phishing campaigns include:
- Unified Codebase: PWAs are platform-agnostic, meaning the same codebase can run on multiple operating systems, reducing the effort needed to target different devices.
- Browser APIs and WebAssembly: PWAs can leverage modern browser APIs, including WebAssembly, to execute near-native code within the browser environment, increasing their capability to perform sophisticated functions that go beyond traditional web apps.
- Service Workers: These background scripts enable PWAs to function offline by caching data and assets, making them operational even without an internet connection, thereby mimicking native app functionality more closely.
By carefully configuring the PWA’s manifest file, attackers can dictate how the app should appear and behave on the victim's device, including setting the app's name, icon, and startup URL. This level of control allows attackers to create a highly convincing imitation of legitimate banking apps.
WebAPKs
WebAPKs represent a more advanced version of the PWA concept specifically designed for Android devices. A WebAPK is a special type of Android application generated by the Chrome browser from a PWA. Unlike PWAs, WebAPKs are indistinguishable from native apps because they lack any browser-related UI elements, such as a browser logo overlay on the app icon. This makes them particularly effective for phishing, as they appear as legitimate apps in the user's app drawer.
Crucially, WebAPK installations do not trigger any security warnings about "installing from an untrusted source," even if the user has not enabled third-party installations. This behavior is a result of how Chrome handles PWA-to-WebAPK conversions, effectively exploiting a gap in Android’s security model that attackers have cleverly utilized to bypass user defenses and deploy malware surreptitiously.
Operational Insights and Infrastructure Analysis
Our deep dive into the campaign infrastructure uncovered two distinct C&C infrastructures, suggesting collaboration or parallel operations by multiple threat groups:
- Primary Infrastructure: Involved in the initial phishing domain setup and early-stage credential harvesting. This infrastructure was characterized by a series of rapidly changing IP addresses, dynamic DNS services, and robust domain-fronting techniques to obscure the true location of the servers.
- Secondary Infrastructure: Identified through the analysis of network traffic and WHOIS data, this secondary infrastructure appears to serve as a backend for exfiltrating collected credentials and other sensitive data. It also employed multiple layers of obfuscation and encryption, including TLS certificate pinning and DNS-over-HTTPS (DoH), to avoid detection by traditional network security tools.
Technical Mechanisms Behind Phishing Attacks
Phishing campaigns utilizing PWAs and WebAPKs rely on several technical mechanisms to evade detection and enhance effectiveness:
- Bypassing Security Warnings: Unlike traditional mobile apps, PWAs do not require approval from app stores, allowing them to bypass many security checks. Attackers exploit this loophole to distribute malicious PWAs.
- Exploiting C2 Infrastructure: Command-and-control (C2) servers are used to manage phishing campaigns, distributing instructions to compromised devices and exfiltrating stolen data. WebAPKs can be updated remotely from a C2 server without user knowledge, increasing the persistence and adaptability of attacks.
3. Timeline and Campaign Analysis
Development of Phishing Campaigns Using PWAs and WebAPKs
A detailed timeline of the evolution of these phishing campaigns highlights the adaptability of threat actors:
- Phase 1: Initial deployment of basic PWAs for data collection.
- Phase 2: Introduction of WebAPKs to increase attack surface and bypass more robust security measures.
- Phase 3: Incorporation of multi-factor authentication (MFA) interception techniques to gain access to more secure systems.
Comparative Analysis of Threat Actor Groups
Different threat actor groups utilize varying methods to deploy PWAs and WebAPKs:
- Group A: Focuses on using malvertising to distribute PWAs to a wide audience. Their campaigns are characterized by a high volume of fake ads and rapid deployment of new PWAs.
- Group B: Utilizes smishing and vishing to target specific individuals, often using spear-phishing techniques to customize attacks based on the victim's profile.
- Group C: Known for their sophisticated C2 infrastructure, which allows them to remotely manage and update WebAPKs on compromised devices without user intervention.
4. Impact and Broader Implications of These Phishing Techniques
Cross-Platform Nature and User Security Concerns
The use of PWAs and WebAPKs in phishing attacks presents unique challenges:
- Cross-Platform Impact: Since PWAs are inherently cross-platform, they can target users on both desktop and mobile devices. This versatility increases the potential impact of phishing campaigns.
- User Security and Privacy: Attacks exploiting PWAs and WebAPKs compromise user privacy and security by installing malware, intercepting communications, and exfiltrating sensitive data.
Potential Future Trends and Evolving Risks
As technology evolves, so do the tactics used in phishing campaigns. Future trends may include:
- Increased Sophistication of PWAs: Attackers may develop more sophisticated PWAs that mimic legitimate apps more closely, making them harder to detect.
- Expansion to Other Platforms: With the growing popularity of non-Android operating systems, attackers may begin targeting iOS or desktop environments using similar techniques.
5. User Interaction, Awareness, and Mitigation Strategies
Exploiting User Behavior and Deceptive Interfaces
Phishing campaigns heavily exploit user behavior and interface deception:
- Deceptive User Interfaces: Fake app installation prompts that mimic legitimate update notifications or system messages.
- User Trust Exploitation: Techniques that exploit user trust, such as mimicking government or financial institution websites.
Operational Insights and Infrastructure Analysis
Our analysis of the campaigns revealed two distinct C&C infrastructures, indicating the involvement of two separate threat groups:
- Telegram Bot C&C: This group employed a backend server to capture stolen login data, which was then forwarded to a private Telegram group via the official API. The presence of a stack trace on the phishing page inadvertently exposed the Telegram API and bot token used, providing crucial insights into their operational methods.
- Traditional C&C Server with Administrative Panel: The second group managed a conventional C&C server equipped with an operator panel. This panel stored sensitive victim information, active phishing URLs, and a detailed history of interactions. When the initial domain (hide-me[.]online) was deactivated, the threat actors quickly established new domains to continue their operations. These activities also included a secondary campaign involving the NGate Android malware.
Thanks to the information retrieved from these panels, we were able to notify the affected banks and prevent further exploitation of their customers.
Emerging Threat: NGate Android Malware
A newly identified threat, NGate, targets Android devices by intercepting data read by the near-field communication (NFC) chip, enabling attackers to emulate victims’ payment cards. This capability allows for unauthorized transactions and cash withdrawals from ATMs, further highlighting the evolving sophistication of mobile phishing tactics.