Threat actors are taking advantage of Android's WebAPK technology to trick unsuspecting users into installing rogue web apps on Android phones that are designed to capture sensitive personal information.
“The attack begins with the victim receiving an SMS message suggesting the need to update the mobile banking application,” researchers from CSIRT KNF said in an analysis released last week. “The link contained in the message leads to a site that uses WebAPK technology to install malicious applications on the victim’s device.”
The app masquerades as PKO Bank Polski, a multinational banking and financial services company headquartered in Warsaw. Details of the campaign were first shared by the Polish cybersecurity company RIFFSEC.
WebAPK allows users to install progressive web apps (PWA) to their home screens on Android devices without having to use the Google Play Store.
“When a user installs a PWA from Google Chrome and uses WebAPK, the printing server ‘mints’ (packages) and signs the APK for the PWA,” Google explains in its documentation.
“That process takes time, but when the APK is ready, the browser silently installs the app on the user’s device. Since a trusted provider (Play Services or Samsung) signs the APK, the phone installs it without disabling security, like any app that comes from the store. No need to override the app.”
Once installed, the fake banking app (“org.chromium.webapk.a798467883c056fed_v2”) prompts users to enter two-factor authentication (2FA) credentials and tokens, effectively resulting in theft.
“One of the challenges in countering such attacks is the fact that the WebAPK application generates a different package name and checksum on each device,” said the KNF CSIRT. “They are dynamically generated by the Chrome engine, which makes using this data as an indicator of compromise (IoC) difficult.”
To deal with the threat, it is recommended to block websites that use the WebAPK mechanism to carry out phishing attacks.
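Because each device mints its own package name and checksum, a per-device IoC list is of little use; a defender can instead key on the shape of the WebAPK package name and on the web origin the app was minted from. The following is an added example (not code from the CSIRT KNF analysis or from Google) that triages a constructed device-inventory export; the tab-separated "package, origin" format, the "bank.example" allowlist entry and the sample domains are assumptions, while the "org.chromium.webapk." prefix follows the page's sample package name and Chrome's WebAPK naming.

```python
import re

# Chrome names minted WebAPKs "org.chromium.webapk.<per-device hash>[_vN]" (the page's
# sample is org.chromium.webapk.a798467883c056fed_v2), so an exact package-name IoC
# never transfers between devices; match the name shape instead.
WEBAPK_PKG = re.compile(r"^org\.chromium\.webapk\.[0-9a-f]+(_v\d+)?$")

# Hypothetical allowlist of web hosts an approved banking PWA may be minted from;
# "bank.example" is a placeholder, not the real bank's domain.
TRUSTED_HOSTS = {"bank.example"}


def parse_inventory(text):
    """Parse constructed 'package<TAB>origin' lines (an assumed MDM export format);
    '-' means the export recorded no web origin for that package."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pkg, _, origin = line.partition("\t")
        rows.append((pkg.strip(), origin.strip() or "-"))
    return rows


def is_trusted(host):
    return host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS)


def triage(rows):
    """Return (package, origin, reason) for WebAPKs with unknown or untrusted origin."""
    findings = []
    for pkg, origin in rows:
        if not WEBAPK_PKG.match(pkg):
            continue  # ordinary APK: outside the scope of this check
        if origin == "-":
            findings.append((pkg, origin, "WebAPK with no recorded origin"))
            continue
        host = origin.split("://", 1)[-1].split("/", 1)[0].lower()
        if not is_trusted(host):
            findings.append((pkg, origin, "WebAPK from untrusted origin"))
    return findings


# Constructed sample export; the domains are placeholders.
SAMPLE = """# package\torigin
com.android.chrome\t-
org.chromium.webapk.0123456789abcdef\thttps://app.bank.example/
org.chromium.webapk.a798467883c056fed_v2\thttps://bank-update.invalid/update
org.chromium.webapk.ffffffffffffffff\t-
"""

for finding in triage(parse_inventory(SAMPLE)):
    print("%s: %s <- %s" % (finding[2], finding[0], finding[1]))
```

A WebAPK whose origin the inventory did not capture is reported separately so it can be reviewed rather than silently accepted.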
The development comes as Resecurity discloses that cybercriminals are increasingly leveraging specific device spoofing tools for Android marketed on the dark web in an attempt to impersonate compromised account holders and bypass anti-fraud controls.
Anti-detection tools, including Enclave Service and MacFly, are capable of spoofing mobile device fingerprints and other software and network parameters analyzed by anti-fraud systems, with threat actors also leveraging weak fraud controls to carry out unauthorized transactions via smartphones using banking malware such as TimpDoor and Clientor.
“Cybercriminals use these tools to access compromised accounts and impersonate legitimate customers by exploiting stolen cookie files, impersonating hyper-granular device identifiers, and leveraging the duped victim’s unique network settings,” the cybersecurity firm said.