
WebAPK exploitation: Hackers trick Android users into installing malicious apps


Cybercriminals are capitalizing on Android’s WebAPK technology to deceive unsuspecting users into downloading and installing malicious web apps on their Android devices, putting their sensitive personal information at risk. In a recent analysis by CSIRT KNF, researchers discovered that the attack campaign begins with victims receiving SMS messages urging them to update their mobile banking application. Upon clicking the link provided in the message, users are directed to a website that utilizes WebAPK technology to install a malicious application on their devices.

The fraudulent app masquerades as PKO Bank Polski, a prominent multinational banking and financial services company headquartered in Warsaw. The details of this campaign were initially reported by Polish cybersecurity firm RIFFSEC. WebAPK allows users to install progressive web apps (PWAs) directly to their Android device’s home screen without going through the Google Play Store. Google explains that when a PWA is installed using WebAPK, the browser “mints” (generates) and signs an APK (Android Package Kit) for the app, which is then silently installed on the user’s device. Because the APK is signed by a trusted provider such as Play Services or Samsung, the device installs it without the user having to disable any security settings.

Once the fake banking app, identified as “org.chromium.webapk.a798467883c056fed_v2,” is successfully installed, it prompts users to enter their login credentials and two-factor authentication (2FA) tokens, which are then harvested by the cybercriminals.

One of the challenges in combating such attacks is that WebAPK applications generate unique package names and checksums on each device. CSIRT KNF notes that these details are dynamically created by the Chrome engine, making it difficult to use them as reliable Indicators of Compromise (IoCs). To mitigate these threats, it is recommended to block websites that exploit the WebAPK mechanism for phishing attacks.
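Because the hash suffix of a WebAPK package name differs on every device, an exact-match IoC written for one victim will not fire on another. The following added example (written for this article, not code from CSIRT KNF or the campaign) shows the difference: it parses constructed sample lines in the shape of `pm list packages -i` output from two hypothetical devices and flags WebAPK-minted packages by their stable `org.chromium.webapk.` prefix rather than by the full name. The sample package names, the `com.example.bank` placeholder and the second device's hash are all constructed.

```python
import re
from typing import Dict, List

# Chrome-minted WebAPKs share this stable prefix; the hash suffix
# (e.g. "a798467883c056fed_v2" in the reported campaign) is generated
# per device, so it is not a portable Indicator of Compromise.
WEBAPK_PREFIX = "org.chromium.webapk."

# Lines in the shape of `pm list packages -i` output ("package:<name>  installer=<pkg>").
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)(?:\s+installer=(?P<installer>\S+))?$")

# Constructed sample data for two hypothetical devices (not real captures).
SAMPLE_DEVICE_A = """\
package:com.android.chrome  installer=com.android.vending
package:org.chromium.webapk.a798467883c056fed_v2  installer=com.google.android.gms
package:com.example.bank  installer=com.android.vending
"""

SAMPLE_DEVICE_B = """\
package:com.android.chrome  installer=com.android.vending
package:org.chromium.webapk.0123456789abcdef_v1  installer=com.google.android.gms
package:com.example.bank  installer=com.android.vending
"""


def parse_pm_list(text: str) -> List[Dict[str, str]]:
    """Parse package-manager listing lines into {package, installer} records."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            continue  # ignore anything that is not a package line
        entries.append(
            {"package": match.group("pkg"), "installer": match.group("installer") or ""}
        )
    return entries


def exact_ioc_match(entries: List[Dict[str, str]], ioc_package: str) -> List[str]:
    """Exact-name matching: only finds the one device the IoC was taken from."""
    return [e["package"] for e in entries if e["package"] == ioc_package]


def find_webapks(entries: List[Dict[str, str]]) -> List[str]:
    """Prefix matching: surfaces every Chrome-minted WebAPK for analyst triage.

    Legitimate PWAs installed through WebAPK match too, so this is a triage
    list to review against known phishing sites, not a verdict on its own.
    """
    return [e["package"] for e in entries if e["package"].startswith(WEBAPK_PREFIX)]


if __name__ == "__main__":
    ioc = "org.chromium.webapk.a798467883c056fed_v2"  # name seen on device A
    for label, sample in (("device A", SAMPLE_DEVICE_A), ("device B", SAMPLE_DEVICE_B)):
        entries = parse_pm_list(sample)
        print(f"{label}: exact IoC hits={exact_ioc_match(entries, ioc)}")
        print(f"{label}: WebAPK packages={find_webapks(entries)}")
```

Run against the samples, the exact IoC matches only on device A while the prefix check surfaces the WebAPK on both, which is why the article's recommendation is to block the phishing sites themselves rather than to rely on per-device package names.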

In a related development, cybersecurity firm Resecurity revealed that threat actors are increasingly leveraging specialized device spoofing tools designed for Android. These tools are marketed on the dark web and aim to impersonate compromised account holders while bypassing anti-fraud controls. Tools like Enclave Service and MacFly can spoof mobile device fingerprints, software, and network parameters, which are typically analyzed by anti-fraud systems. Cybercriminals exploit weak fraud controls and employ banking malware such as TimpDoor and Clientor to carry out unauthorized transactions via compromised accounts.

By exploiting stolen cookie files, impersonating hyper-granular device identifiers, and utilizing unique network settings of fraud victims, cybercriminals employ these tools to gain access to compromised accounts and pose as legitimate customers. This highlights the need for robust anti-fraud measures and continuous security enhancements to protect against increasingly sophisticated attacks targeting mobile banking users.

As hackers continue to exploit vulnerabilities in Android devices and leverage innovative techniques, users are advised to exercise caution while downloading apps or following links, particularly those related to sensitive financial transactions. It is crucial to rely on official app stores for downloading apps and to stay vigilant to avoid falling victim to these malicious activities.
