Attackers attempt to trick victims into installing a fake “new version” of their banking app. Depending on the campaign, clicking the install/update button triggers the installation of a malicious app directly on the victim’s phone.

For Android users, this can be a WebAPK, while for both iOS and Android users, it may be a Progressive Web Application (PWA). The installation exploits Chrome’s WebAPK technology, so it doesn’t trigger browser warnings about unknown apps. iOS users are shown a pop-up that mimics native prompts and asks them to add the phishing PWA to their home screen, without any warnings. After installing the app, victims are asked to enter their banking credentials, which are then sent to the C2 servers.

The experts noticed that the campaigns used two distinct C2 infrastructures, suggesting that two distinct groups were operating the PWA/WebAPK phishing campaigns against Czech and other banks.