A security researcher has discovered a phishing attack intended to fool iPhone users into installing what is claimed to be an update to their banking app.
The attack works despite iOS protections because what is actually being ‘installed’ is a progressive web app, which involves no App Store vetting or warnings …
Progressive Web Apps (PWAs)
Progressive web apps are essentially websites which look and act like apps. Indeed, when the iPhone first launched back in 2007, PWAs were the only way for a third-party developer to launch an app.
Apple co-founder Steve Jobs had this to say about them at the time:
The full Safari engine is inside of iPhone. And so, you can write amazing Web 2.0 and Ajax apps that look exactly and behave exactly like apps on the iPhone. And these apps can integrate perfectly with iPhone services. They can make a call, they can send an email, they can look up a location on Google Maps.
And guess what? There’s no SDK that you need! You’ve got everything you need if you know how to write apps using the most modern web standards to write amazing apps for the iPhone today. So developers, we think we’ve got a very sweet story for you. You can begin building your iPhone apps today.
Apple soon realized native iPhone apps would deliver a better experience, and the App Store was born a year later, but you can still use PWAs today.
Phishing attacks with fake banking app updates
Cybersecurity company ESET discovered PWAs being used to target both Android and iPhone users. The attacks are being made by a variety of methods, including texts, ads on social media, and voice calls.
The voice call delivery is done via an automated call that warns the user about an out-of-date banking app and asks the user to select an option on the numerical keyboard. After pressing the correct button, a phishing URL is sent via SMS […]
The phishing websites targeting iOS instruct victims to add a Progressive Web Application (PWA) to their home-screens, while on Android the PWA is installed after confirming custom pop-ups in the browser. At this point, on both operating systems, these phishing apps are largely indistinguishable from the real banking apps that they mimic.
Once the user logs into the fake app, it captures their login details and sends them to the attacker.
iPhone owners may be at particular risk, as many assume their devices are safe from malware.
For iOS users, an animated pop-up instructs victims how to add the phishing PWA to their home screen. The pop-up copies the look of native iOS prompts. In the end, even iOS users are not warned about adding a potentially harmful app to their phone.
The live examples seen in the wild so far have been targeting Czech and Hungarian users, but the same techniques could easily be used globally.
How to protect yourself
Always treat any claimed communication from your bank with suspicion, whether it’s a text, email, or voice call. The safest approach is to hang up and call your bank on a known genuine number (such as the one printed on your bank statement or payment card) to verify any information you have been given before acting on it.
Any genuine update to a banking app will be available by visiting the App Store.
Via Macworld. Image: 9to5Mac composite using photo by Anton on Unsplash.