Attackers are using Android's WebAPK technology to trick users into installing malicious web applications designed to collect confidential personal information from Android devices. The campaign was reported by Poland's Computer Security Incident Response Team for the financial sector (CSIRT KNF).
The attack begins with victims receiving SMS messages suggesting they update their mobile banking application. The link in the message leads to a site that uses WebAPK technology to install a malicious application on the victim's device. The application impersonates Poland's largest bank, PKO Bank Polski. Details of the campaign were first shared by the Polish cybersecurity company RIFFSEC.
WebAPK allows users to install a progressive web app (PWA) on the home screen of an Android device without downloading the application from the Google Play store.
As Google explains, when a PWA is installed from the Google Chrome browser using WebAPK, a minting server "mints" (packages) and signs an APK for the PWA. Once the APK is ready, the browser installs the application on the user's device automatically. Because the APK is signed by a trusted provider (Google Play Services or Samsung), the phone installs it without the user having to disable any security settings.
Once installed, the fake banking application (package name "org.chromium.webapk.a7984678883c056fed_v2") asks the user to enter their login credentials and two-factor authentication (2FA) tokens, which are then stolen.
According to the experts, one of the difficulties in countering such attacks is that WebAPK applications generate different package names
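Because a minted WebAPK's package name varies, a defender's inventory check has to match the naming pattern rather than a fixed package name. The following is an added example, not code from CSIRT KNF or RIFFSEC: it scans a constructed MDM-style inventory export (a hypothetical "package,label,installer" format), lists Chrome-minted WebAPKs by pattern, and flags any WebAPK whose label borrows a protected bank brand, since a bank's real app would be installed from Google Play rather than minted from a web page.

```python
import re
from typing import Dict, List

# Chrome-minted WebAPKs use a generated name: a fixed prefix, a per-site hex
# hash and a version suffix, so an exact-name blocklist will not match them.
WEBAPK_PACKAGE_RE = re.compile(r"^org\.chromium\.webapk\.[0-9a-f]+(_v\d+)?$")

# Constructed sample inventory (hypothetical MDM export, not real data):
# package name, display label shown to the user, installing package.
SAMPLE_INVENTORY = """\
org.chromium.webapk.a7984678883c056fed_v2,PKO Bank Polski,com.android.chrome
com.example.bank,Example Bank,com.android.vending
org.chromium.webapk.0123456789abcdef_v1,Weather,com.android.chrome
"""


def parse_inventory(text: str) -> List[Dict[str, str]]:
    """Parse 'package,label,installer' lines into dicts, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        package, label, installer = (f.strip() for f in line.split(",", 2))
        records.append({"package": package, "label": label, "installer": installer})
    return records


def find_webapks(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every record whose package name follows the WebAPK pattern."""
    return [r for r in records if WEBAPK_PACKAGE_RE.match(r["package"])]


def flag_impersonating_webapks(
    records: List[Dict[str, str]], protected_brands: List[str]
) -> List[Dict[str, str]]:
    """Flag WebAPKs whose user-visible label contains a protected brand name.

    A genuine banking app ships through Google Play; a WebAPK carrying the
    bank's name is therefore a strong signal of a phishing PWA.
    """
    brands = [b.lower() for b in protected_brands]
    return [
        r for r in find_webapks(records)
        if any(b in r["label"].lower() for b in brands)
    ]


if __name__ == "__main__":
    for hit in flag_impersonating_webapks(parse_inventory(SAMPLE_INVENTORY), ["PKO Bank Polski"]):
        print(f"suspicious WebAPK: {hit['package']} labelled '{hit['label']}'")
```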