Threat actors leverage Android’s WebAPK technology to trick unsuspecting users into installing malicious web apps on their Android smartphones designed to obtain sensitive personal information.
CSIRT KNF researchers said in an analysis released last week that “the attack began with the victim receiving an SMS message suggesting the need to update their mobile banking application.” “The link in the message led to a site that used WebAPK technology to install a malicious application on the victim’s device.”
The application impersonates PKO Bank Polski, a multinational banking and financial services company headquartered in Warsaw. For campaign details, first shared By Polish cybersecurity firm RIFFSEC.
WebAPK allows users to install Progressive Web Apps (PWAs) on the home screen of Android devices without using the Google Play Store.
“When a user installs a PWA from Google Chrome and a WebAPK is used, the mint server “mints” (packages) and signs the PWA’s APK,” Google explains in its documentation.
“That process will take some time, but once the APK is ready, the browser will silently install the app on the user’s device because a trusted provider (Play Services or Samsung) has signed the APK. , will install that app on your phone without disabling security, just like any other app that comes from the store. No need to sideload apps. ”
Once installed, the fake banking app (“org.chromium.webapk.a798467883c056fed_v2”) prompts the user to enter their credentials and a two-factor authentication (2FA) token, effectively leading to the theft.
“One of the challenges in combating such attacks is the fact that WebAPK applications generate different package names and checksums for different devices,” said the CSIRT KNF. “They are dynamically constructed by the Chrome engine, making it difficult to use this data as an indicator of compromise (IoC).”
Shielding Against Insider Threats: Mastering SaaS Security Posture Management
Worried about insider threats? We’ve got you covered! Join us for this webinar to explore practical strategies and proactive security secrets using SaaS Security Posture Management.
join today
To counter such threats, it is recommended to block websites that use the WebAPK mechanism to carry out phishing attacks.
The development shows that cybercriminals are increasingly using specialized device spoofing tools for Android sold on the dark web to circumvent anti-fraud controls by impersonating compromised account holders. This was done in response to what Resecurity revealed.
Detection prevention tools such as Enclave Service and MacFly can spoof mobile device fingerprints and other software and network parameters analyzed by anti-fraud systems, allowing attackers to leverage weak rogue controls to target smartphones. It can also use banking malware, etc., to carry out fraudulent transactions. As Timpdoor and a client.
“Cybercriminals use these tools to gain access to compromised accounts, exploit stolen cookie files, spoof highly detailed device identifiers, and access fraud victims’ unique network settings. By doing so, they impersonate legitimate customers,” said the cybersecurity firm.
