ESET analysts dissect a novel phishing method tailored to Android and iOS users
Analysis Summary
# Tool/Technique: PWA/WebAPK Phishing Campaigns
## Overview
This entry covers a novel phishing technique observed targeting mobile users (both Android and iOS) by distributing malicious applications disguised as legitimate banking apps. The infection vector leverages **Progressive Web Applications (PWAs)** on iOS and a combination of PWAs and **WebAPKs** (Chrome's Android packaging format for PWAs) on Android. The key property of this installation path is that it does not trigger the usual security warnings shown when a third-party application is installed.
## Technical Details
- Type: Technique (Phishing via PWA/WebAPK installation)
- Platform: Android, iOS
- Capabilities: Install highly realistic, deceptive applications that mimic legitimate banking apps; bypass standard third-party installation warnings; harvest credentials.
- First Seen: Initial PWA phishing disclosure in Poland (July 2023); transition to WebAPKs observed mid-November 2023.
## MITRE ATT&CK Mapping
- **Initial Access**
  - T1660 - Phishing
    - Applications are distributed via malicious advertising (Meta platforms), SMS messages, or automated voice calls that direct users to phishing URLs.
- **Credential Access**
  - T1417.002 - Input Capture: GUI Input Capture
    - Credentials are harvested by impersonating the login pages of targeted banks within the installed PWA/WebAPK.
- **Command and Control**
  - T1437.001 - Application Layer Protocol: Web Protocols
    - PWA/WebAPK phishing apps send harvested login data (and tracking data) over ordinary web protocols using JavaScript interfaces.
## Functionality
### Core Capabilities
- **Distribution:** Utilized automated calls (leading to SMS delivery), direct SMS phishing, and malvertising on platforms like Instagram and Facebook to deliver initial phishing links.
- **Installation Deception:** On Android, the installed WebAPKs appear to have originated from the Google Play store, and installation does not trigger the standard warnings for apps from unknown sources (this is the default behavior of Chrome's WebAPK technology, not an exploit of it).
- **User Interface Mimicry:** Utilized high-quality phishing pages imitating official Google Play store pages, or specific app copycat websites.
- **iOS Installation:** Instructed iOS users via animated pop-ups (mimicking native prompts) to add the phishing PWA to their home screen, avoiding third-party installation warnings.
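As an added example (not part of the ESET report or this summary), the following Python triages a PWA web-app manifest for the pattern described above: a bank's branding on an origin the bank does not own, combined with the install settings that make the result look like a native app. The brand name, allowlisted origin and sample manifest are constructed placeholders.

```python
"""Triage a PWA web-app manifest for banking-brand impersonation (added example;
brand names, origins and the sample manifest are constructed placeholders)."""
import json
from urllib.parse import urljoin, urlsplit

# Hypothetical watchlist: brand token -> origins allowed to serve that brand's PWA.
BRAND_ALLOWLIST = {"examplebank": {"https://www.examplebank.example"}}


def _origin(url: str) -> str:
    """Normalise a URL to its lower-cased scheme://host[:port] origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def triage_manifest(manifest_text: str, served_from: str) -> list[str]:
    """Return findings for a manifest fetched from the URL `served_from`."""
    m = json.loads(manifest_text)
    served_origin = _origin(served_from)
    findings = []
    # Compare the displayed app name against the watchlist, ignoring case and spacing.
    label = (str(m.get("name", "")) + str(m.get("short_name", ""))).lower().replace(" ", "")
    impersonated = [b for b, allowed in BRAND_ALLOWLIST.items()
                    if b in label and served_origin not in allowed]
    for b in impersonated:
        findings.append(f"brand '{b}' in manifest name but served from {served_origin}")
    # standalone/fullscreen installs hide the browser UI, so once the app sits on
    # the home screen the victim never sees the lookalike URL.
    if impersonated and m.get("display") in ("standalone", "fullscreen"):
        findings.append(f"display={m['display']} hides the address bar after install")
    # start_url/scope normally stay on the serving origin; anything else is anomalous.
    for key in ("start_url", "scope"):
        if key in m and _origin(urljoin(served_from, str(m[key]))) != served_origin:
            findings.append(f"{key} resolves outside the serving origin")
    return findings


# Constructed sample: bank branding plus standalone display, to be served from a lookalike host.
PHISHING_MANIFEST = json.dumps({
    "name": "ExampleBank Mobile",
    "short_name": "ExampleBank",
    "display": "standalone",
    "start_url": "/app/login",
    "scope": "/",
})

if __name__ == "__main__":
    for finding in triage_manifest(PHISHING_MANIFEST, "https://examplebank-secure.example/manifest.json"):
        print("finding:", finding)
```

The same function can be run over manifests collected from URLs seen in reported SMS or ad campaigns, with the allowlist populated from the bank's own domains.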
### Advanced Features
- **C&C Communication:** Submitted harvested login credentials to attacker-controlled Command and Control (C&C) servers.
- **Dual Campaign Tracking:** Analysis suggested two different threat actors were operating distinct campaigns based on backend infrastructure and C&C servers.
- **Operator Panels:** Discovery of operator panels allowed researchers to proactively notify targeted banks.
## Indicators of Compromise
- File Hashes:
  - SHA-1: `D3D5AE6B8AE9C7C1F8690452760745E18640150D` (Associated with Android/Spy.Banker.CIC)
  - SHA-1: `66F97405A1538A74CEE4209E59A1E22192BC6C08` (Associated with Android/Spy.Banker.CLW)
- File Names: `base.apk` (for Android components)
- Registry Keys: Not specified in analysis.
- Network Indicators:
  - C&C Server: `46.175.145[.]67` (Domain: `hide-me[.]online`)
  - C&C Server: `185.181.165[.]124` (Domain: `cyrptomaker[.]info`)
  - C&C Server: `172.67.182[.]151` (Domain: `blackrockapp[.]eu`)
  - Distribution Server: `185.68.16[.]56` (Domain: `csas.georgecz[.]online`)
  - Distribution Server: `188.114.96[.]9` (Domain: `play-protect[.]pro`)
- Behavioral Indicators: Prompts to submit banking credentials directly through the installed PWA/WebAPK interface after installation.
## Associated Threat Actors
- Two distinct threat actors inferred based on differing C&C infrastructure.
- Campaigns targeted clients of prominent Czech banks, a Hungarian bank (OTP Bank), and a Georgian bank.
## Detection Methods
- Signature-based detection: Specific hashes provided for identified Android phishing apps (`Android/Spy.Banker.CIC`, `Android/Spy.Banker.CLW`).
- Behavioral detection: Monitoring for processes that mimic legitimate banking apps and initiate data submission via unexpected web protocols or interfaces immediately after installation from a non-store source.
- YARA rules: Not explicitly provided in the text.
## Mitigation Strategies
- User education emphasizing the danger of unexpected app installations, even when a browser prompt makes them appear to come from an official store or source.
- Security teams responsible for mobile users should monitor for suspicious SMS or voice communications that point to external URLs.
- For organizational security, monitor for unusual ad campaigns targeting employees on social media platforms.
## Related Tools/Techniques
- Standard phishing (T1660).
- Use of Web Cache Deception (implied by the convincing store-like page presentation, though not explicitly named).
- General mobile banking trojans/malware families targeting the listed banking regions.