top of page
Foto del escritorJavier Conejo del Cerro

Critters feasting on robots and apples


These days, phishing scams have become increasingly sophisticated, blending new technology with old tricks to deceive users into divulging sensitive information. The latest development, unfolded by ESET researchers, is one of the latest phishing methods targeting both Android and iPhone devices, via fake banking apps disguised as legitimate ones.


These scams exploit Progressive Web Applications (PWAs), using the versatility of web-based software to craft realistic apps that trick users into sharing personal data such as passwords and banking details.


Its distinction is the use of PWAs, which allow apps to behave like native applications without the need for users to install them through official app stores. Unlike standard apps, PWAs run directly in the web browser, making them harder to detect and offering cybercriminals a shortcut to bypass Google and Apple security controls.


This method poses a novel threat because it relies on the victim’s trust in what appears to be a legitimate banking app, all while the concealed code siphons sensitive information.


How the Scam Works: Step-by-Step Breakdown


The scam usually begins with the victim receiving a phishing link, which could be delivered via SMS, email, or even maladvertising on social media. When the user clicks on the link, they are redirected to an URL that mimics a trusted bank's website. Afterwards, users are instructed to install what they believe to be the official banking app, either by downloading an APK file on Android or adding a PWA shortcut to their home screen on iOS.


  • For Android users, the scam is particularly effective because it often involves a measly of pop-up notifications that successfully impersonate the official app. Users are to confirm multiple prompts, adding legitimacy to the project. Once the fake PWA is installed, it behaves like the actual banking app, but any data submitted by the user, such as login credentials or financial information, is picked by the attackers.


  • For iPhone users, the process is slightly different. Apple’s iOS is designed to be more restrictive in terms of app installations, but this is where PWAs come in handy for scammers. The victim is instructed to add the PWA directly to their home screen, bypassing the need to download anything through the App Store. This allows the fake app to blend in with legitimate apps, creating a sense of authenticity.


No matter the OS, the phishing app captures passwords, monitors user activity, and harvests banking information due to the user‘s unwittingness. This is a red flag because the breach is totally inconspicuous, with users believing they are interacting with a genuine banking app.


The Distribution of Phishing Apps


These fake banking apps spread through various channels, like phone calls, SMS text messages, and social media advertisements, which allows attackers to get to a wide audience and lure victims with promises of deals and discounts

.

Social engineering is leveraged via compelling messages created to spread a sense of urgency or importance, urging them to download the fake app fully trusting it.


How to Protect Yourself


There are several steps users can take to protect themselves from falling victim to this type of phishing scam:


  1. Watch out for links in random messages – Via SMS, email, or social media ads, make sure the source is legitimate before clicking on any links, especially those who request an input of data.


  2. Avoid downloads from unofficial sources – Always download from official app stores like Google Play and the Apple App Store. PWAs don’t require app store downloads, therefore users should be cautious when getting web apps installed to their home screens.


  3. Verify who is behind the app – If you hesitate about who is behind a banking app, get in touch with your bank via official channels to make sure you are downloading the correct app.


  4. Turn on two-factor authentication (2FA) – That extra layer of security can help prevent unauthorized access, even if your login credentials are have been stolen.


  5. Keep your device updated – Regular updates often include important security patches that can protect against the latest threats more effectively.





12 visualizaciones0 comentarios

Comments


bottom of page