A security researcher has discovered a phishing attack that aims to trick iPhone users into installing a supposed update to their banking app.
The attack works despite iOS protection measures because it actually “installs” a progressive web app for which there is no review or warning from the App Store…
Progressive Web Apps (PWAs)
Progressive web apps are essentially websites that look and behave like apps. When the iPhone first came out in 2007, PWAs were the only Ability for a third party to launch an app.
Apple co-founder Steve Jobs said the following about her at the time:
The entire Safari engine is built into the iPhone, so you can write great Web 2.0 and Ajax apps that look and behave just like apps on the iPhone. And these apps integrate perfectly with iPhone services. You can use them to make phone calls, send emails, or look up a location on Google Maps.
And guess what? You don’t need an SDK! You have everything you need if you know how to write apps using the most modern web standards to write amazing apps for the iPhone today. So, developers, we think we have a very nice story for you. You can start developing your iPhone apps today.
Apple soon realized that native iPhone apps would provide a better experience, and the App Store was born a year later. However, you can still use PWAs today.
Phishing attacks with fake banking app updates
Cybersecurity firm ESET discovered that PWAs target both Android and iPhone users. The attacks are carried out using different methods, including text messages, social media ads and voice calls.
The voice call is delivered via an automated call that warns the user about an outdated banking app and asks them to select an option on the numeric keypad. After pressing the correct key, a phishing URL is sent via SMS (…)
The phishing websites targeting iOS instruct their victims to add a Progressive Web Application (PWA) to their home screen, while on Android, the PWA is installed after confirming custom pop-ups in the browser. At this point, these phishing apps on both operating systems are almost indistinguishable from the genuine banking apps they imitate.
Once the user logs into the fake app, it captures their login credentials and sends them to the attacker.
iPhone owners may be at particular risk, as many assume their devices are safe from malware.
For iOS users, an animated pop-up explains to victims how to add the phishing PWA to their home screen. The pop-up copies the look of the native iOS prompts. Ultimately, not even iOS users are warned about adding a potentially malicious app to their phone.
The live examples seen in the wild so far have targeted Czech and Hungarian users, but the same techniques could easily be used worldwide.
How to protect yourself
Always be suspicious of any message claiming to be from your bank, whether it’s a text message, email or phone call. The safest bet is to hang up and call your bank using a known, real number (such as the one printed on your bank statement or payment card) to verify the information given to you before acting on it.
Every real update of a banking app is available in the App Store.
Via Macworld. Image: 9to5Mac composite with photo by Anton on Unsplash.
FTC: We use income generating auto affiliate links. More.
