New Use of WebAPK Revealed: Fraudsters Disguised as a Bank Steal Data
Poland’s largest bank has been turned into a phishing lure.
Attackers are using Android WebAPK technology to trick users into installing malicious web applications on Android smartphones, designed to collect sensitive personal information. The campaign was reported by specialists at Poland’s Computer Security Incident Response Team (CSIRT KNF).
The attack begins when victims receive SMS messages asking them to update their mobile banking app. The link in the message leads to a site that uses WebAPK technology to install a malicious application on the victim’s device. The application impersonates PKO Bank Polski, the largest bank in Poland. Details of the campaign were first shared by the Polish cybersecurity firm RIFFSEC.
As Google explains, when a PWA is installed from the Google Chrome browser using WebAPK, a minting server “mints” (packages) and signs an APK for the PWA. When the APK is ready, the browser automatically installs the app on the user’s device. Because the APK is signed by a trusted provider (Google Play Services or Samsung), the phone installs it without the user having to disable any security settings.
Once installed, the fake banking app (“org.chromium.webapk.a798467883c056fed_v2”) prompts the user to enter their credentials and two-factor authentication (2FA) tokens, which are then stolen.
According to experts, one of the challenges in countering such attacks is that WebAPK applications are given a different package name and checksum on each device. These values are generated dynamically by the Chrome engine, which makes them difficult to use as indicators of compromise (IoCs).
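The IoC problem above in code, as an added defender-side example that is not part of the report: it contrasts exact package-name matching with matching on the structural `org.chromium.webapk.<id>[_vN]` naming pattern, using constructed `adb shell pm list packages` output for two hypothetical devices (the second device’s WebAPK name is invented to illustrate the per-device variation).

```python
import re

# Chrome-minted WebAPKs carry package names of the form
# org.chromium.webapk.<hex id>[_vN]; the id is generated per device, so an
# exact-name IoC copied from one victim's phone will not match another's.
WEBAPK_PATTERN = re.compile(r"^org\.chromium\.webapk\.[0-9a-f]+(?:_v\d+)?$")

# Constructed sample output of `adb shell pm list packages` for two devices.
# Device A carries the package name quoted in the report; device B's WebAPK
# name is an invented example of the per-device variation.
PM_LIST_DEVICE_A = """package:com.android.chrome
package:org.chromium.webapk.a798467883c056fed_v2
package:com.example.realbank
"""
PM_LIST_DEVICE_B = """package:com.android.chrome
package:org.chromium.webapk.0f3b9c2d71e4a5b6_v2
package:com.example.notes
"""

def parse_pm_list(output):
    """Extract package names from `pm list packages` lines ('package:<name>')."""
    return [line.split(":", 1)[1].strip()
            for line in output.splitlines() if line.startswith("package:")]

def exact_ioc_hits(packages, ioc_names):
    """Exact-name IoC matching, as a conventional blocklist would do it."""
    return [p for p in packages if p in ioc_names]

def webapk_hits(packages):
    """Pattern-based triage: flag every Chrome-minted WebAPK regardless of id.
    Legitimate PWAs installed via Chrome are flagged too, so this yields a
    review list, not a verdict."""
    return [p for p in packages if WEBAPK_PATTERN.match(p)]

def triage(device_outputs, ioc_names):
    """Run both approaches per device; returns {device: (exact_hits, pattern_hits)}."""
    results = {}
    for device, output in device_outputs.items():
        packages = parse_pm_list(output)
        results[device] = (exact_ioc_hits(packages, ioc_names), webapk_hits(packages))
    return results

if __name__ == "__main__":
    ioc = {"org.chromium.webapk.a798467883c056fed_v2"}  # the one name the report gives
    for device, (exact, pattern) in triage(
            {"A": PM_LIST_DEVICE_A, "B": PM_LIST_DEVICE_B}, ioc).items():
        print(f"device {device}: exact IoC hits={exact} WebAPK pattern hits={pattern}")
```

Flagged packages still need review of the WebAPK’s origin site, since the pattern also matches legitimately installed PWAs.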
To counter such threats, it is recommended to block websites that use the WebAPK mechanism to carry out phishing attacks.