New phishing method tailored for Android and iOS users

ESET, a leading company in proactive threat detection, identified a phishing campaign aimed at mobile users who are bank customers. This novel technique installs a phishing app from a third-party website without the user having to allow the installation of third-party apps, and affects both iOS and Android users. Most of the known cases so far have occurred in the Czech Republic, and apps targeted the Hungarian bank OTP Bank and the Georgian bank TBC Bank.

ESET's research team identified a series of phishing campaigns targeting mobile users that used three different URL delivery mechanisms: automated voice calls, SMS messages, and malvertising on social media.

The voice call delivery was done through an automated call that warned the user about an outdated banking app and asked them to select an option on the numeric keypad. After the user pressed the correct button, a phishing URL was sent via SMS.

The initial SMS approach was done by indiscriminately sending messages to Czech phone numbers. The message sent included a phishing link and a text to socially engineer victims into visiting the link.

The spread via malicious ads was done by registering ads on Meta platforms such as Instagram and Facebook. These ads included a call to action, such as a limited offer for users to “download an update below.” This technique allowed the threat actors to specify the target audience by age, gender, etc. The ads then appeared on the victims’ social media accounts.

After opening the URL delivered in the first stage, Android victims were presented with a high-quality phishing page that mimicked the official Google Play store page for the targeted banking app, or a copycat website for the app.

From there, victims are asked to install a “new version” of the banking app. Depending on the campaign, clicking the install/update button initiates the installation of a malicious app from the website, directly onto the victim’s phone, either in the form of a WebAPK (for Android users only), or as a Progressive Web App (PWA) for iOS and Android users. What’s notable about this instance is that it bypasses traditional browser warnings to “install unknown apps” – this is the default behavior of Chrome’s WebAPK technology, which is abused by attackers.

The process is a bit different for iOS users, as an animated pop-up tells victims how to add the phishing PWA to their home screen. The pop-up copies the look of native iOS prompts. In the end, iOS users are not warned about adding a potentially harmful app to their phone.
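A brand-protection check for the install flow described above, as an added example that is not from ESET or the original article: it reads the web app manifest that an install page links to and flags a manifest whose name claims a protected brand while the page is served from an origin outside that brand's allowlist. The brand name, keywords, and `.example` hosts are constructed placeholders; `name`, `short_name`, `start_url`, and `display` are standard Web App Manifest members.

```javascript
// Constructed allowlist: brand keywords and the only origins allowed to ship that brand's web app.
const BRANDS = [
  { brand: "Example Bank",
    keywords: ["example bank", "examplebank"],
    origins: ["https://app.examplebank.example"] },
];

// Lowercase, strip diacritics and punctuation so "Exámple-Bank" matches "example bank".
function normalize(text) {
  return String(text || "")
    .normalize("NFKD")
    .replace(/[\u0300-\u036f]/g, "")
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, " ")
    .trim();
}

// pageUrl: the page that offers the install; manifestJson: the manifest text it links to.
function assessManifest(pageUrl, manifestJson, brands = BRANDS) {
  const manifest = JSON.parse(manifestJson);
  const origin = new URL(pageUrl).origin;
  const label = normalize(`${manifest.name || ""} ${manifest.short_name || ""}`);
  const findings = [];
  let verdict = "no-brand-match";

  for (const b of brands) {
    if (!b.keywords.some((k) => label.includes(normalize(k)))) continue;
    if (b.origins.includes(origin)) {
      verdict = "official-origin";
    } else {
      verdict = "impersonation";
      findings.push(`name claims ${b.brand} but is served from ${origin}`);
    }
    break;
  }
  // standalone/fullscreen hide the address bar, so the origin is invisible after install.
  if (verdict === "impersonation" &&
      ["standalone", "fullscreen"].includes(manifest.display)) {
    findings.push(`display "${manifest.display}" hides the URL once installed`);
  }
  return { verdict, origin, findings };
}

// Constructed sample: a manifest of the kind a fake "update" page could link to.
const sample = JSON.stringify({
  name: "ExampleBank Mobile", short_name: "Example Bank",
  start_url: "/login", display: "standalone",
});
console.log(assessManifest("https://examplebank-update.example/app", sample));
```

The check matches on exact keywords after normalization, so look-alike spellings need their own entries in the keyword list.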

After installation, victims are asked to enter their online banking credentials to access their account via the new mobile banking app. All information provided is sent to the attackers’ C&C servers.

The malicious ads included a mix of the bank’s official mascot (blue chameleon), as well as bank logos and text promising a financial reward upon installing the app or warning users that a critical update had been released.

All stolen login information was logged via a backend server, which then sent the user’s entered banking login details to a Telegram group chat. HTTP calls to send messages to the threat actor’s group chat were made via the official Telegram API. According to ESET, this technique is not new and is used in several phishing kits.

“Since two drastically different C&C infrastructures were employed, we have determined that two different groups are responsible for spreading the phishing apps. More copycat apps will surely be created, as it is difficult to separate legitimate from phishing apps after installation. All sensitive information found during our investigation was quickly forwarded to the affected banks for processing. We also coordinated the takedown of multiple phishing domains and C&C servers,” said Camilo Gutiérrez Amaya, Head of the ESET Latin America Research Laboratory.

https://newsinamerica.com/pdcc/gente/tecnologia/2024/nuevo-metodo-de-phishing-adaptado-a-usuarios-de-android-e-ios/
