Hackers have begun abusing Android WebAPK technology to get people to install malware on their devices, according to a new report from the Polish Financial Supervision Authority’s Computer Security Incident Response Team (CSIRT KNF).
Android WebAPK is the underlying technology powering so-called progressive web apps, or PWAs. These are a hybrid between web apps and native apps, having some features and capabilities from both. Some developers refer to progressive web apps as “installable websites”, as they can be installed on the device and offer features such as push notifications, which aren’t usually a part of a web app.
What’s more, when users install progressive web apps, they don’t need to go through the Play Store. Google explains it like this: “when a user installs a PWA from Google Chrome and a WebAPK is used, the minting server ‘mints’ (packages) and signs an APK for the PWA.” This process is relatively slow, but once it’s done, the browser on the target endpoint silently installs the app on the device without disabling any security settings, because a trusted provider has already signed the APK.
In this particular case, unknown threat actors started texting customers, impersonating the Polish bank PKO Bank Polski. The text message claims that the recipient’s banking app needs to be updated and includes a link for doing so. Those who click the link aren’t taken to the Play Store or any other Android app repository, but to a website where WebAPK technology is used to install the malware.
After installing the malicious app, the users will be asked to type in their login credentials, as well as their multi-factor authentication (MFA) code, giving the attackers everything they need to drain the account completely.
Analysis: Why does it matter?
Banking trojans are a major risk, as they are capable of causing immense financial damage. The threat actors behind these campaigns rarely shy away from targeting consumers, which makes the risk that much greater. What’s more, the attackers go to great lengths to impersonate the bank as convincingly as possible, creating near-identical landing pages and mimicking the style and tone of the bank’s communications.
That being said, this particular campaign is also dangerous because it leverages new technologies and opens up new avenues of abuse. As such, the victims might be caught off guard, even those that are usually security-wary and aware of the dangers of phishing and social engineering. If the campaign proves to be a resounding success, chances are other threat actors will jump on the bandwagon.
To protect against such malicious apps, users should first and foremost be careful when installing new apps, or installing patches for their current software stack. The best course of action is to refrain from installing any apps that can’t be found on official repositories, such as the Play Store or the Samsung Galaxy Store. Users should also double-check everything they receive via SMS, email, or social media. If a text message claims that an app needs an update, open the official website or app store page and check whether an update is actually available. The store page also lists the app’s latest version number, which users can cross-reference with the version they have installed.
Finally, users should keep Google Play Protect enabled, as it’s a free antivirus app that comes with the majority of Android phones and is good enough to flag most of the malware present today. Users can always install another Android antivirus app, too.
What have others said about the campaign?
In its writeup about WebAPK technology being abused in cybercrime, the Cybersec blog also says crooks are pairing the attack with impersonation, to bypass any security measures set up by the bank: “In addition to the WebAPK attack, cybercriminals are also using specialized device spoofing tools to impersonate compromised account holders and bypass anti-fraud controls,” the report reads. “These tools, which are marketed on the dark web, are capable of spoofing mobile device fingerprints and other software and network parameters that are analyzed by anti-fraud systems. This allows threat actors to conduct unauthorized transactions via smartphones using banking malware such as TimpDoor and Clientor.”
Tom’s Guide, on the other hand, warns users that malicious apps distributed through WebAPKs are “particularly hard” for cybersecurity researchers to track, as WebAPKs have a different package name and checksum on each device they’re installed on. Furthermore, currently only the Polish bank PKO Bank Polski is being impersonated. However, that can change at any moment, with crooks targeting banks in the U.S., U.K., and around the world, the publication states. Hence, users need to remain vigilant, regardless of who sent the message, or how.