Official forum for Utopia Community

You are not logged in.

#1 2023-07-17 23:49:07

Registered: 2023-01-04
Posts: 2,191

Android users are tricked by hackers using WebAPK to install malicious

Threat actors are using Android's WebAPK technology to deceive gullible users into installing malicious web apps on their phones that are intended to collect sensitive personal data.

Researchers from CSIRT KNF wrote in a report published last week that "the attack began with victims receiving SMS messages suggesting the need to update a mobile banking application.". The message's link took the recipient to a page where a malicious app was installed on their device using WebAPK technology. ".

The program poses as PKO Bank Polski, a global provider of banking and financial services with its headquarters in Warsaw. Polish cybersecurity company RIFFSEC was the first to disclose information about the campaign.

Android users can install Progressive Web Apps (PWAs) directly to their home screen using WebAPK, bypassing the Google Play Store.

According to Google's documentation, "when a user installs a PWA from Google Chrome and a WebAPK is used, the minting server "mints" (packages) and signs an APK for the PWA.".

Although it takes some time, the browser silently installs the APK on the user's device once it is complete. The phone installs the APK without disabling security, just like with any app downloaded from the store, because trusted providers (Play Services or Samsung) signed it. No sideloading of the app is required. ".

malicious applications.

When installed, the phony banking application ("org .
Users are prompted to enter their login information and two-factor authentication (2FA) tokens by the URL ("a798467883c056fed_v2"), which effectively makes them vulnerable to theft.

According to CSIRT KNF, "one of the challenges in countering such attacks is that WebAPK applications generate different package names and checksums on each device.". They are dynamically constructed by the Chrome engine, which makes it challenging to use this data as Indicators of Compromise (IoC). ".

Blocking websites that use the WebAPK mechanism to conduct phishing attacks is advised to counter such threats.

The development follows Resecurity's disclosure that cybercriminals are increasingly using specialized Android device spoofing tools that are sold on the dark web in an effort to pass off as compromised account holders and avoid anti-fraud measures.

Threat actors can take advantage of lax fraud controls to carry out unauthorized transactions via smartphones using banking malware like TimpDoor and Clientor by using antidetect tools like Enclave Service and MacFly, which are able to spoof mobile device fingerprints and other software and network parameters that are analyzed by anti-fraud systems.

The cybersecurity firm claimed that "cybercriminals use these tools to access compromised accounts and impersonate legitimate customers by exploiting stolen cookie files, faking hyper-granular device identifiers, and utilizing fraud victims' unique network settings.".


Board footer

Powered by FluxBB