Two methods
Cybercriminals trick the user with a fake message claiming that their banking app is outdated and that the latest version must be installed for security reasons, providing a URL to download the phishing PWA.
In the case of malicious advertisements on social media, the threat actors use the impersonated bank’s official mascot to induce a sense of legitimacy and promote limited-time offers, such as monetary rewards for installing a supposedly critical app update.
The two campaigns appear to be operated by different threat actors. One uses a distinct command-and-control (C2) infrastructure to receive stolen credentials, while the other group logs stolen data via Telegram.