July 17, 2023THNMoreMobile Security/Malware

Threat actors are exploiting Android Web APK technology It tricks unsuspecting users into installing malicious web apps on their Android phones designed to obtain sensitive personal information.

CSIRT KNF researchers said the attack began when the victim received an SMS message suggesting that the mobile banking application needed to be updated. Said In an analysis published last week. “The link in the message led to a site that used WebAPK technology to install a malicious application on the victim’s device.”

The application impersonates PKO Bank Polski, a multinational banking and financial services company headquartered in Warsaw. Details of the campaign are first shared By Polish cybersecurity firm RIFFSEC.

WebAPK allows users to install Progressive Web Apps (PWAs) on the home screen of Android devices without using the Google Play Store.

“When a user installs a PWA from Google Chrome and a WebAPK is used, the mint server “mints” (the package) and signs the PWA’s APK.” explain described in that document.

“That process will take some time, but once the APK is ready, the browser will silently install the app on the user’s device because a trusted provider (Play Services or Samsung) has signed the APK. , it will be installed on your phone without disabling security, just like any other app from the store. No need to sideload apps. ”

malicious app

Once installed, the fake banking app (“org.chromium.webapk.a798467883c056fed_v2”) prompts the user to enter their credentials and a two-factor authentication (2FA) token, effectively leading to the theft.

“One of the challenges in combating such attacks is the fact that WebAPK applications generate different package names and checksums for different devices,” said the CSIRT KNF. “They are dynamically constructed by the Chrome engine, making it difficult to use this data as an indicator of compromise (IoC).”

upcoming webinars

Shielding Against Insider Threats: Mastering SaaS Security Posture Management

Worried about insider threats? We’ve got you covered! Join us for this webinar to explore practical strategies and proactive security secrets using SaaS Security Posture Management.

join today

To counter such threats, it is recommended to block websites that use the WebAPK mechanism to carry out phishing attacks.

The development shows that cybercriminals are increasingly using specialized device spoofing tools for Android sold on the dark web to circumvent anti-fraud controls by impersonating compromised account holders. This is in response to what Resecurity has revealed.

Detection prevention tools such as Enclave Service and MacFly can spoof mobile device fingerprints and other software and network parameters analyzed by anti-fraud systems, allowing attackers to leverage weak rogue controls to target smartphones. It can also carry out fraudulent transactions using banking malware, etc. As Timpdoor and a client.

“Cybercriminals use these tools to gain access to compromised accounts, exploit stolen cookie files, spoof highly detailed device identifiers, and access fraud victims’ unique network settings. or use them to impersonate legitimate customers,” said the cybersecurity firm. Said.

Did you enjoy this article? Follow us twitter and LinkedIn To read more of the exclusive content we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog