Novel banking app phishing campaign targets Android and iOS users

Threat Actors Bypassing iOS and Android Defenses with Malicious Banking App Campaign in Eastern Europe

Cybercriminals are stepping up their game with a new malicious campaign targeting users in Eastern Europe. By disguising phishing sites as legitimate banking apps, threat actors are bypassing iOS and Android defenses using Progressive Web Applications (PWAs).

ESET has uncovered a massive operation in Eastern Europe, where users are bombarded with automated calls, SMS messages, and malicious ads prompting them to “update” their banking apps. This deceptive technique installs a phishing application from a third-party website without the user’s consent, breaking through the security barriers of iOS and Android.

Scammers lure victims by spreading malicious links through SMS, social media malvertising, and automated calls. Once users click on the link, they are directed to a fake Google Play store page or a copycat banking website, where they are prompted to install a “new version” of the banking application.

The fake app, disguised as a WebAPK or PWA, appears on the user’s home screen, mimicking a real app. When launched, it leads to a phishing login page, stealing sensitive information from unsuspecting victims.
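A defender triaging a reported "update" link can check the page's web app manifest, since its `name`, `short_name` and `display` fields determine how an installed PWA is labelled and shown. The sketch below is an added example, not code from ESET or the original article; the brand allowlist, hostnames and sample manifests are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed allowlist (assumption): brand keyword -> domains the bank really owns.
BRANDS = {"examplebank": {"examplebank.test"}}
APP_LIKE = {"standalone", "fullscreen"}  # display modes that hide the browser UI

def _norm(text):
    """Lowercase and keep only alphanumerics, so 'Example Bank' -> 'examplebank'."""
    return "".join(ch for ch in str(text).lower() if ch.isalnum())

def _owned(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage_manifest(page_url, manifest_text, brands=BRANDS):
    """Return findings for a web app manifest linked from page_url."""
    host = (urlsplit(page_url).hostname or "").lower()
    try:
        manifest = json.loads(manifest_text)
    except ValueError:
        return ["manifest is not valid JSON"]
    if not isinstance(manifest, dict):
        return ["manifest is not a JSON object"]
    labels = {_norm(manifest.get(k, "")) for k in ("name", "short_name")}
    findings = []
    for brand, domains in brands.items():
        # A lookalike host can contain the brand string without being owned by it.
        if any(brand in label for label in labels) and not _owned(host, domains):
            findings.append(f"brand '{brand}' claimed by unrelated origin {host}")
    display = manifest.get("display")
    if findings and isinstance(display, str) and display in APP_LIKE:
        findings.append(f"display={display}: installed app shows no address bar")
    return findings

# Constructed sample manifests; hostnames use reserved .example/.test names.
PHISH = ('{"name": "Example Bank", "short_name": "ExampleBank", '
         '"display": "standalone", "start_url": "/login"}')
LEGIT = '{"name": "Example Bank", "display": "standalone", "start_url": "/"}'

if __name__ == "__main__":
    for url, text in (("https://examplebank.test.app-update.example/install", PHISH),
                      ("https://app.examplebank.test/", LEGIT)):
        print(url, triage_manifest(url, text) or "no findings")
```
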

ESET researchers have identified at least two threat actors using this novel method, each with different command and control (C&C) infrastructure. The researchers responded by reporting compromised client information to the relevant banks and shutting down phishing domains and C&C servers.

As more copycat applications are expected to surface, users are warned to be cautious of granting browser API permissions to PWAs, as they could potentially access sensitive functions like the microphone and camera. Stay vigilant and protect yourself from falling victim to these sophisticated cyber threats.
