Hacker News: New Phishing Technique Bypasses Security on iOS and Android to Steal Bank Creds

Source URL: https://www.securityweek.com/new-phishing-technique-bypasses-security-on-ios-and-android-to-steal-bank-credentials/
Source: Hacker News
Title: New Phishing Technique Bypasses Security on iOS and Android to Steal Bank Creds


**Summary:** This text discusses a new phishing tactic identified by ESET that targets mobile banking users on iOS and Android. It highlights how attackers create deceptive Progressive Web Applications (PWAs) and WebAPKs that mimic legitimate banking apps, enabling them to bypass security measures and steal users’ login credentials.

**Detailed Description:**

– **Tactic Overview:** ESET, a well-known anti-malware vendor, has observed a novel phishing strategy that employs web applications masquerading as authentic banking software to deceive users into providing sensitive information.

– **Attack Methods:**
  – **Use of Progressive Web Applications (PWAs):** These applications are web-based but designed to function like native apps. They can be added to the home screen without the user having to grant permission to install third-party applications, which poses a security risk.
  – **WebAPKs:** On Android devices, attackers also used WebAPKs, which further disguise themselves as standard applications downloaded from Google Play, creating an additional layer of deception.

– **User Interaction:**
  – In the attacks, iOS users are directed to save the PWA on their home screen, while Android users encounter custom pop-up confirmations that lead to the installation of malicious applications.
  – Importantly, these malicious applications do not trigger typical installation warnings, making them appear safe to users.

– **Phishing Process:**
  – Users are lured via automated calls, social media ads, and SMS messages containing links to download the compromised applications.
  – Once installed, these applications present users with a phishing page that resembles the official mobile banking interface, prompting them to enter login details.

– **Data Harvesting and Threat Actor Insights:**
  – The gathered credentials are sent to command-and-control (C&C) servers operated by the attackers, facilitating the exploitation of user accounts.
  – ESET has noted an increase in these phishing attempts starting from November 2023, with certain C&C servers identified as operational from March 2024. Communication channels such as Telegram bots are also used to further enhance data collection efforts.

– **Geographical Focus:**
  – The primary targets of this phishing scam have been mobile banking users in the Czech Republic, with some attacks extending to users in Hungary and Georgia.

– **Future Implications:**
  – The prevalence of such sophisticated phishing tactics raises concerns about the proliferation of similar malicious apps, as attackers may develop more advanced copycat applications that are difficult to identify as fraudulent.

This information is crucial for security professionals, particularly those involved in mobile security and phishing prevention, as it underscores both the evolving tactics used by cybercriminals and the need for enhanced security measures to detect and prevent such threats.
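One detection check a bank's brand-protection or SOC team could run against web app manifests found on suspicious sites is sketched below. It is an added example, not code from ESET or the original article. The brand registry, the `.test` hostnames and the sample manifest are constructed assumptions; `name`, `short_name`, `start_url` and `display` are standard Web App Manifest members.

```python
import json
import re
import unicodedata
from urllib.parse import urlsplit

# Hypothetical brand registry: normalized brand name -> hosts allowed to use it.
PROTECTED_BRANDS = {"examplebank": {"examplebank.test", "www.examplebank.test"}}

# Constructed sample manifest (not taken from the ESET report).
SAMPLE_MANIFEST = json.dumps({
    "name": "Example Bank",
    "short_name": "Example-Bank",
    "start_url": "/login",
    "display": "standalone",
})

def normalize(text):
    """Fold case, strip diacritics and punctuation so 'Exámple-Bank' matches."""
    decomposed = unicodedata.normalize("NFKD", str(text)).casefold()
    return re.sub(r"[^a-z0-9]", "", decomposed)

def triage_manifest(manifest_url, manifest_text, brands=PROTECTED_BRANDS):
    """Return findings for one web app manifest fetched from manifest_url."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError:
        return ["unparseable manifest"]
    if not isinstance(manifest, dict):
        return ["unparseable manifest"]
    host = (urlsplit(manifest_url).hostname or "").lower()
    labels = normalize(manifest.get("name", "")) + " " + normalize(manifest.get("short_name", ""))
    findings = []
    for brand, official_hosts in brands.items():
        if brand in labels and host not in official_hosts:
            findings.append(f"brand '{brand}' claimed by unofficial host '{host}'")
    # standalone/fullscreen remove the address bar, so the user cannot see the origin.
    if findings and manifest.get("display") in ("standalone", "fullscreen"):
        findings.append("display mode hides the browser address bar")
    return findings

if __name__ == "__main__":
    for url in ("https://examplebank-app.test/manifest.json",
                "https://www.examplebank.test/manifest.json"):
        print(url, triage_manifest(url, SAMPLE_MANIFEST))
```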