New technique lets malicious apps evade iOS and Android security barriers

Hackers are using a new technique to trick iOS and Android users into installing malicious apps that bypass security measures put in place by Apple and Google to prevent unauthorized apps.

Both mobile operating systems use mechanisms designed to help users avoid apps that steal their personal information, passwords, or other sensitive data. iOS prohibits the installation of any apps other than those available in its App Store, an approach widely known as the Walled Garden. Android, on the other hand, is configured by default to only allow apps available in Google Play. Sideloading (or installing apps from other markets) must be manually allowed, something Google warns against.

When native apps aren’t

The phishing campaigns that have been making the rounds on social media over the past nine months are using novel means to bypass these protections. The goal is to trick targets into installing a malicious app that masquerades as an official app from the target’s bank. Once installed, the malicious app steals account credentials and sends them to the attacker in real time via Telegram.

“This technique is notable because it installs a phishing app from a third-party website without the user having to authorize the third-party app to be installed,” Jakub Osmani, an analyst at security firm ESET, wrote Tuesday. “For iOS users, such an action could break any assumptions of a ‘walled garden’ in security. On Android, it could result in the silent installation of a special type of APK, which upon closer inspection even appears to have been installed from the Google Play Store.”

The new method involves getting users to install a specific type of app called a Progressive Web App. These apps rely solely on web standards to provide features that have the feel and behavior of a native app, without the restrictions that come with one. Because they are built on web standards, PWAs, as they’re called, will in theory work on any platform running a standards-compliant browser, so they work equally well on iOS and Android. Users add a PWA to their home screen, where its icon and launch behavior bear a striking resemblance to a native app.

Although PWAs exist on both iOS and Android, Osmani’s post uses the term PWA for the iOS variant of the attack and WebAPK (the Chrome-specific packaging of a PWA as an Android app) for the Android variant.
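As an added example (not ESET’s tooling or anything from the report), a small triage helper a bank’s security team could run over web app manifests harvested from suspected landing pages: a manifest that names the bank while its start_url resolves to an origin outside the bank’s real domains has the shape of the copycat PWA described above. The brand name, allowlisted domains and the sample manifest are constructed values.

```python
import json
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Hypothetical allowlist of a bank's legitimate origins (constructed, not a real bank).
BANK_DOMAINS = {"examplebank": {"examplebank.example", "app.examplebank.example"}}


def resolve(manifest_url: str, ref: Optional[str], default: str) -> str:
    # start_url and scope are resolved relative to the manifest's own URL,
    # so a relative "/login" inherits the host the manifest was served from.
    return urljoin(manifest_url, ref) if ref else default


def host_in(host: str, allowed: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in allowed)


def triage_manifest(manifest_url: str, manifest_json: str) -> dict:
    """Return impersonation indicators for one harvested web app manifest."""
    m = json.loads(manifest_json)
    label = "".join(str(m.get(k, "")) for k in ("name", "short_name")).lower().replace(" ", "")
    start_url = resolve(manifest_url, m.get("start_url"), manifest_url)
    scope = resolve(manifest_url, m.get("scope"), start_url)
    host = urlsplit(start_url).hostname or ""
    claimed = [b for b in BANK_DOMAINS if b in label]
    # Impersonation: the manifest claims a bank brand but launches outside that bank's origins.
    impersonation = any(not host_in(host, BANK_DOMAINS[b]) for b in claimed)
    return {
        "claimed_brands": claimed,
        "start_host": host,
        "impersonation": impersonation,
        # standalone/fullscreen hides the browser URL bar, so the victim never sees the host.
        "standalone": m.get("display") in ("standalone", "fullscreen"),
        "scope_matches_start": urlsplit(scope).hostname == host,
    }


# Constructed sample: a manifest served from a lookalike "store update" host.
PHISHING_MANIFEST_URL = "https://play-update.example.net/examplebank/manifest.json"
PHISHING_MANIFEST = json.dumps({
    "name": "Example Bank", "short_name": "ExampleBank",
    "start_url": "/examplebank/login", "display": "standalone",
    "icons": [{"src": "icon-192.png", "sizes": "192x192", "type": "image/png"}],
})

if __name__ == "__main__":
    print(triage_manifest(PHISHING_MANIFEST_URL, PHISHING_MANIFEST))
```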

I installed a phishing PWA (left) and a real banking app (right). Credit: ESET

Comparison between an installed phishing WebAPK (left) and a real banking app (right). Credit: ESET

The attack begins with a message sent via SMS, automated call, or malicious ad on Facebook or Instagram. When targets click on the link in the fraudulent message, they open a page that looks like the App Store or Google Play.

Example of malicious advertising used in these campaigns. Credit: ESET

Phishing landing page imitating Google Play. Credit: ESET

ESET’s Osmani continued:

Victims are then prompted to install a “new version” of the banking app; an example is shown in Figure 2. Depending on the campaign, clicking the install/update button initiates the installation of a malicious app from the website, directly onto the victim’s phone, either as a WebAPK (for Android users only) or as a PWA for iOS and Android users (if the campaign is not WebAPK-based). This crucial installation step bypasses traditional browser warnings about “installing unknown apps”: this is the default behavior of Chrome’s WebAPK technology, which is being abused by attackers.

Example of copycat installation page. Credit: ESET

The process is a bit different for iOS users, as an animated pop-up window instructs victims on how to add the phishing PWA to their home screen (see Figure 3). The pop-up window mimics the look and feel of native iOS prompts. In the end, even iOS users aren’t notified that a potentially dangerous app is being added to their phone.

Figure 3: iOS contextual instructions after clicking “Install” (credit: Michal Bláha). Via ESET

After installation, victims are prompted to submit their online banking credentials to access their account via the new mobile banking app. All submitted information is sent to the attackers’ C&C servers.

The technique is even more effective because the application information associated with the WebAPKs will show that they were installed from Google Play and that no system privileges were assigned to them.

WebAPK info menu: notice the “No Permissions” section at the top and the “App Store Details” section at the bottom. Credit: ESET

So far, ESET is aware of this technique being used against banking customers primarily in the Czech Republic and to a lesser extent in Hungary and Georgia. The attacks used two separate command and control infrastructures, indicating that two different threat groups are using this technique.

“We expect more copycat apps to be created and distributed because after installation it is difficult to separate legitimate apps from phishing ones,” Osmani said.