Date: 2024-08-20

A recently discovered sophisticated mobile phishing technique has been observed in financial fraud campaigns across the Czech Republic, Hungary and Georgia.

This phishing method leverages progressive web applications (PWAs). These web applications offer a native-app-like experience and are gaining momentum on both Android and iOS devices.

This technique is noteworthy because it installs a phishing application from a third-party website without the user having to allow third-party app installation, said ESET, the cybersecurity firm which detected the campaigns.

Decoding PWA Phishing on iOS and Android

This new phishing technique is only possible because of how PWAs work, bypassing the need for the user to allow third-party installation on their mobile.

On iOS, phishing websites impersonate well-known applications’ landing pages and instruct victims to add a PWA to their home screens.

Before the landing pages are set up, the threat actor defines the target PWA as standalone in a single file called the manifest, which governs how the PWA will behave. This results in the PWA behaving like a regular mobile app.
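Because the manifest controls the app-like presentation, it is a useful artifact when triaging a reported page. The following is an added example, not code from ESET or the original article: it checks a manifest for the standalone display setting described above combined with a brand name served from an unexpected origin. The brand list, origins and sample manifest are constructed placeholders.

```javascript
// Added example: triage a web app manifest fetched from a suspicious page.
// BRANDS, its origins and the sample manifest are constructed for illustration.
const BRANDS = {
  // brand keyword -> origins allowed to publish an app under that name
  "examplebank": ["https://www.examplebank.test"],
};

const APP_LIKE = new Set(["standalone", "fullscreen"]);

// Lower-case and drop everything but letters/digits so "Example-Bank" matches.
function normalize(s) {
  return String(s || "").toLowerCase().replace(/[^a-z0-9]/g, "");
}

function triageManifest(manifestText, servedFrom) {
  const findings = [];
  let m;
  try {
    m = JSON.parse(manifestText);
  } catch {
    return ["manifest is not valid JSON"];
  }
  const origin = new URL(servedFrom).origin;

  // display_override, when present, takes precedence over display: check both.
  const modes = [...(Array.isArray(m.display_override) ? m.display_override : []), m.display];
  const appLike = modes.some((d) => APP_LIKE.has(d));
  if (appLike) findings.push("display mode hides browser UI such as the address bar");

  const names = [m.name, m.short_name].map(normalize);
  for (const [brand, allowed] of Object.entries(BRANDS)) {
    if (names.some((n) => n.includes(brand)) && !allowed.includes(origin)) {
      findings.push(`name uses brand "${brand}" but is served from ${origin}`);
    }
  }

  // start_url resolves relative to the manifest URL; flag a cross-origin one.
  if (m.start_url && new URL(m.start_url, servedFrom).origin !== origin) {
    findings.push("start_url points to a different origin");
  }
  return findings;
}

const sample = JSON.stringify({ // constructed sample manifest
  name: "Example Bank", short_name: "ExampleBank",
  display: "standalone", start_url: "/login",
});
console.log(triageManifest(sample, "https://examplebank-app.test/manifest.json"));
```

A standalone display mode alone is normal for legitimate PWAs; the signal is the combination with a protected brand name on an origin that brand does not own.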