Threat actors are exploiting Android Web APK technology It tricks unsuspecting users into installing malicious web apps on their Android phones designed to obtain sensitive personal information.
CSIRT KNF researchers said the attack began when the victim received an SMS message suggesting that the mobile banking application needed to be updated. Said In an analysis published last week. “The link in the message led to a site that used WebAPK technology to install a malicious application on the victim’s device.”
The application impersonates PKO Bank Polski, a multinational banking and financial services company headquartered in Warsaw. Details of the campaign are first shared By Polish cybersecurity firm RIFFSEC.
WebAPK allows users to install Progressive Web Apps (PWAs) on the home screen of Android devices without using the Google Play Store.
“When a user installs a PWA from Google Chrome and a WebAPK is used, the mint server “mints” (the package) and signs the PWA’s APK.” explain described in that document.
“That process will take some time, but once the APK is ready, the browser will silently install the app on the user’s device because a trusted provider (Play Services or Samsung) has signed the APK. , it will be installed on your phone without disabling security, just like any other app from the store. No need to sideload apps. โ
Once installed, the fake banking app (โorg.chromium.webapk.a798467883c056fed_v2โ) prompts the user to enter their credentials and a two-factor authentication (2FA) token, effectively leading to the theft.
“One of the challenges in combating such attacks is the fact that WebAPK applications generate different package names and checksums for different devices,” said the CSIRT KNF. โThey are dynamically constructed by the Chrome engine, making it difficult to use this data as an indicator of compromise (IoC).โ
Shielding Against Insider Threats: Mastering SaaS Security Posture Management
Worried about insider threats? We’ve got you covered! Join us for this webinar to explore practical strategies and proactive security secrets using SaaS Security Posture Management.
To counter such threats, it is recommended to block websites that use the WebAPK mechanism to carry out phishing attacks.
The development shows that cybercriminals are increasingly using specialized device spoofing tools for Android sold on the dark web to circumvent anti-fraud controls by impersonating compromised account holders. This is in response to what Resecurity has revealed.
Detection prevention tools such as Enclave Service and MacFly can spoof mobile device fingerprints and other software and network parameters analyzed by anti-fraud systems, allowing attackers to leverage weak rogue controls to target smartphones. It can also carry out fraudulent transactions using banking malware, etc. As Timpdoor and a client.
โCybercriminals use these tools to gain access to compromised accounts, exploit stolen cookie files, spoof highly detailed device identifiers, and access fraud victimsโ unique network settings. or use them to impersonate legitimate customers,” said the cybersecurity firm. Said.
