“The attack began with victims receiving SMS messages suggesting the need to update the mobile banking application,” researchers at CSIRT KNF said in an analysis released last week. “The link contained in the message led to a site that used WebAPK technology to install a malicious application on the victim’s device.”
The application impersonates PKO Bank Polski, a multinational banking and financial services company headquartered in Warsaw. The details of the campaign were first shared by RIFFSEC, a Polish cyber security firm.
WebAPK allows users to install Progressive Web Apps (PWAs) on their home screen on Android devices without using the Google Play Store.
Google states in its documentation, “When a user installs a PWA from Google Chrome and uses WebAPK, the minting server “mints” (packages) and signs an APK for the PWA.”
“That process takes time, but when the APK is ready, the browser silently installs that app on the user’s device. Because trusted providers (Play Services or Samsung) have signed the APK, the phone installs it without disabling security, as it would with any app. There is no need to sideload the app.”
Once installed, the fake banking app (“org.chromium.webapk.a798467883c056fed_v2”) prompts users to enter their credentials and two-factor authentication (2FA) token, effectively resulting in their theft.
“One of the challenges in countering such attacks is the fact that WebAPK applications generate different package names and checksums on each device,” said CSIRT KNF. “They are dynamically generated by the Chrome engine, which makes it difficult to use this data as an Indicator of Compromise (IoC).”
To counter such threats, it is recommended to block websites that use the WebAPK mechanism to execute phishing attacks.
The development comes as ReSecurity revealed that cybercriminals are increasingly taking advantage of specialized device spoofing tools for Android, which are being used on the dark web to impersonate compromised account holders and bypass anti-fraud controls.
Antidetect tools including Enclave Service and McFly are capable of spoofing mobile device fingerprints and other software and network parameters that are analyzed by anti-fraud systems, and are used to carry out unauthorized transactions via smartphones by taking advantage of weak fraud controls. Threat actors also use banking malware, such as Timpdoor and Customer, to do the same.
The cyber security company said, “Cyber criminals use these tools to access compromised accounts and impersonate legitimate customers using stolen cookie files, hyper-granular device identifiers and unique network settings of fraud victims.”