Posted on July 19, 2023 at 6:05 AM
Cybersecurity Threat: Attackers Exploit WebAPK Technology to Install Malicious Apps on Android Devices
According to recent reports, Android’s WebAPK mechanism is being abused in a new campaign that tricks users into installing malicious apps. WebAPK does most of the work for the attackers: it lets them deliver an app to an Android phone that installs silently, without the warnings a sideloaded APK would trigger.
The fake apps are built to harvest sensitive personal information and send it back to the attacker, who can then abuse it in a number of ways.
Details of the new campaign
CSIRT KNF researchers published an analysis of the campaign last week. The attack chain starts with SMS messages telling victims to update their mobile banking application; the link in the message leads to a website that uses WebAPK to install a malicious app on the victim’s device.
The app impersonates PKO Bank Polski, a multinational banking and financial services company headquartered in Warsaw. The Polish cybersecurity company RIFFSEC was the first to share details of the campaign.
WebAPK is the mechanism Chrome uses to install progressive web applications (PWAs) on Android as native-looking apps with their own home-screen icon, without going through the Google Play Store. Installing a PWA directly from the developer’s own website is what the feature was built for, and for a trusted service it is unremarkable.
When attackers abuse the same mechanism, users end up installing malicious apps without seeing any difference from a legitimate install. To be fair, Google Play has seen its fair share of malicious apps that manage to slip past the company’s defenses, so users are never completely safe when installing applications, which is why they are always advised to read reviews and consider carefully any app they wish to install.
And because the attackers impersonated the victim’s own bank, it is understandable that many took the SMS for a legitimate update request.
Hackers have a safe way into targeted devices
Google itself describes the process as follows: “When a user installs a PWA from Google Chrome, and a WebAPK is used, the minting server “mints” (packages) and signs an APK for the PWA.” Google adds that minting takes some time, but once the APK is ready the browser installs the app silently on the user’s device. The phone raises no warning because the APK carries a signature from a trusted provider (Play Services or Samsung), just as an app from the store would.
For the attackers this removes the one step at which a victim might notice something wrong and abort the installation. Once installed, the fake banking app asks the user to enter login credentials and 2FA tokens, which are sent straight to the operator of the campaign, who then holds a working set of the victim’s banking credentials.
CSIRT KNF commented that one of the biggest challenges in countering attacks like this is the fact that WebAPK apps generate different package names and checksums on every device. “They are dynamically built by the Chrome engine, which makes the use of this data as Indicators of Compromise (IoC) difficult.”
According to CSIRT KNF, the most reliable countermeasure is therefore to block the websites that use the WebAPK mechanism to carry out these phishing attacks.
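The CSIRT KNF observation above is the reason the usual file-based IoCs fail against this campaign, and the following added example (written for this page, not code from CSIRT KNF, RIFFSEC or Google) shows what a detection engineer can key on instead. It assumes an inventory of installed packages exported from a device fleet in the dict shape shown, with the WebAPK’s bound URLs read out of the shell APK’s AndroidManifest meta-data; the key names org.chromium.webapk.shell_apk.startUrl, .scope and .webManifestUrl follow the Chromium WebAPK shell but are an assumption here, and every device, package, hash and domain in the records is constructed. The signer is deliberately not used as an indicator: every minted WebAPK carries the same trusted signature, which is exactly what makes the install silent.

```python
"""Device-independent indicators for WebAPK-based phishing installs.

Added example, not code from CSIRT KNF, RIFFSEC or Google. All records,
hashes and domains below are constructed. The meta-data key names are
assumed to match the ones the Chromium WebAPK shell writes into its
AndroidManifest; verify them against a real WebAPK before relying on them.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Assumed meta-data keys of the WebAPK shell's AndroidManifest (see lead-in).
START_URL = "org.chromium.webapk.shell_apk.startUrl"
SCOPE = "org.chromium.webapk.shell_apk.scope"
MANIFEST_URL = "org.chromium.webapk.shell_apk.webManifestUrl"

# Constructed inventory: the same phishing PWA installed on two phones, plus a
# legitimate WebAPK. Package suffix and APK hash are minted per install, so the
# two phishing records differ in exactly those two fields and nothing else.
INVENTORY = [
    {
        "device": "phone-A",
        "package": "org.chromium.webapk.0f3a9c1d7b2e4a6c",
        "apk_sha256": "4c0a7e19d2b35f6e8a1c9d0b7e6f5a4c3b2a1908f7e6d5c4b3a2918070f6e5d4",
        "meta": {
            START_URL: "https://pko-update.example/app/?src=sms",
            SCOPE: "https://pko-update.example/app/",
            MANIFEST_URL: "https://pko-update.example/app/manifest.json",
        },
    },
    {
        "device": "phone-B",
        "package": "org.chromium.webapk.9e71b4d2c8a5f3e0",
        "apk_sha256": "a9b8c7d6e5f40312a1b2c3d4e5f60718293a4b5c6d7e8f900112233445566778",
        "meta": {
            START_URL: "https://pko-update.example/app/?src=sms",
            SCOPE: "https://pko-update.example/app/",
            MANIFEST_URL: "https://pko-update.example/app/manifest.json",
        },
    },
    {
        "device": "phone-A",
        "package": "org.chromium.webapk.5d2e8f1a3c7b9046",
        "apk_sha256": "0011223344556677889900aabbccddeeff00112233445566778899aabbccddee",
        "meta": {
            START_URL: "https://pwa.legit-bank.example/",
            SCOPE: "https://pwa.legit-bank.example/",
            MANIFEST_URL: "https://pwa.legit-bank.example/manifest.webmanifest",
        },
    },
]

# Constructed blocklist: hosts observed serving the campaign's WebAPK.
BLOCKLIST = ["pko-update.example"]


def host(url: str) -> str:
    """Normalised host of a URL: lower-case, port stripped, no trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def stable_iocs(record: dict) -> set[str]:
    """Hosts bound into the WebAPK: identical on every device installing the same PWA."""
    meta = record["meta"]
    return {host(meta[k]) for k in (START_URL, SCOPE, MANIFEST_URL) if meta.get(k)}


def volatile_iocs(record: dict) -> tuple[str, str]:
    """Package name and APK hash: generated per install, useless as shared IoCs."""
    return record["package"], record["apk_sha256"]


def host_matches(h: str, blocked: str) -> bool:
    """True when h is the blocked host itself or a subdomain of it."""
    return h == blocked or h.endswith("." + blocked)


def blocked_host(record: dict, blocklist: list[str]) -> str | None:
    """First bound host of the WebAPK that hits the blocklist, else None."""
    for h in sorted(stable_iocs(record)):
        if any(host_matches(h, b) for b in blocklist):
            return h
    return None


def find_phishing_webapks(inventory: list[dict], blocklist: list[str]) -> list[tuple[str, str, str]]:
    """(device, package, matched host) for every minted WebAPK bound to a blocked host."""
    hits = []
    for rec in inventory:
        if not rec["package"].startswith("org.chromium.webapk."):
            continue  # only Chrome-minted WebAPKs are in scope here
        h = blocked_host(rec, blocklist)
        if h:
            hits.append((rec["device"], rec["package"], h))
    return hits


def compare_installs(a: dict, b: dict) -> dict[str, bool]:
    """Show which fields survive across two installs of the same PWA."""
    return {
        "same_package": volatile_iocs(a)[0] == volatile_iocs(b)[0],
        "same_hash": volatile_iocs(a)[1] == volatile_iocs(b)[1],
        "same_hosts": stable_iocs(a) == stable_iocs(b),
    }


if __name__ == "__main__":
    print(compare_installs(INVENTORY[0], INVENTORY[1]))
    for device, package, matched in find_phishing_webapks(INVENTORY, BLOCKLIST):
        print(f"{device}: {package} bound to blocked host {matched}")
```

The matching is done on the host of the start URL, scope and manifest URL rather than on the package name or hash, because those URLs are what the phishing site controls and what a web filter blocks. Subdomain matching is included because a campaign can rotate subdomains under one registered domain; exact URL matching is avoided because the query string (here src=sms) can change per SMS batch.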
Hackers are using special tools to bypass anti-fraud controls
The campaign surfaced shortly after Resecurity revealed that cybercriminals are using specialised device-spoofing tools for Android, advertised on the dark web, that let them impersonate compromised account holders and thereby bypass anti-fraud controls.
Antidetect tools such as MacFly and Enclave Service can spoof mobile device fingerprints and the other software and network parameters that anti-fraud systems examine.
Resecurity said criminals use such tools to access compromised accounts, impersonating legitimate customers with stolen cookie files and spoofed device identifiers.