PWA or phishing trap? Why not every web app can be trusted


PWAs can be abused by cybercriminals to steal passwords or spread malware. What should you look out for to avoid falling into the trap?

We all know about traditional phishing attacks via text message or email, but have you ever heard of phishing via PWA? Progressive web apps (PWAs) are native-like apps that you install through your browser. While this provides a simple and quick alternative to traditional apps, it also opens the door for new phishing methods.

Cybercriminals trick users into installing an app through the browser, after which they can steal sensitive data or spread malware. Because PWAs do not undergo the same security checks as apps in official app stores, vigilance is important to recognize and prevent such attacks.

What are PWAs?

Progressive Web Applications (PWAs) are web apps that combine the experience of a native app with the accessibility of a website. They run in the browser but, like traditional apps, can work offline, send push notifications and be installed on a device's home screen.

It is a way for developers to offer simple and lightweight apps without requiring users to install a full native app. PWAs are supported by most major browsers, with the fullest support in Google Chrome and other Chromium-based browsers (Edge, Opera, Vivaldi, etc.). The installation flow described below is the Chromium one.

Phishing via PWA

In traditional phishing, criminals try to lure you to a fake website with a rogue link, which usually reaches you via text message or email. Once you click on the link, you are asked to provide personal information such as bank details or passwords. This form of phishing is by now very well known, and there are several ways to recognize such rogue links.

A lesser-known form of phishing is via PWA. As in the traditional approach, attackers lure you to a website via a malicious link. In this case, however, the goal is not to make you give up your data immediately, but to trick you into installing a PWA first. This allows attackers not only to obtain sensitive information, but also to deliver malware.

How it works

How does a phishing attack via a PWA work? Like traditional phishing, the attack starts with the distribution of malicious links through various channels, such as text message or email. This link will take you to a rogue website that will convince you to install a PWA. This all happens very quickly as the installation is almost instantaneous.

The PWA installation prompt appears at the top of the browser window as a pop-up listing the application name, logo and website. The name and logo come from the site's web app manifest, so the attacker can make them look exactly like the brand being impersonated. The one entry the attacker cannot choose is the source line, which shows the origin (the actual domain) the app is installed from. It is listed on the second line of the prompt and, unfortunately, is far less noticeable than the name and logo.

The installation of a rogue PWA. Source: mrd0x

Once you click Install, a new phishing page appears in an app window of its own. Because the manifest declares the app as standalone, this window has no browser address bar at all; the attacker simply draws a fake one as part of the page, showing a legitimate-looking URL. You are then asked to enter your login credentials, which are sent directly to the attacker.
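To make the attacker-controlled versus browser-controlled parts of the install prompt concrete, here is an added example (not code from the article or from mrd0x): a small Node.js model of a web app manifest and what a Chromium-style prompt would display from it. The manifest, the hosting domain and the brand-to-domain list are constructed for illustration; the exact derivation of the origin shown by real browsers is simplified to "the origin the manifest and start_url are served from".

```javascript
// Added example: which install-prompt fields does the attacker control?
// Constructed sample manifest, served from a hypothetical look-alike domain.
const MANIFEST_URL = 'https://login-micros0ft-secure.example/manifest.json';
const MANIFEST = {
  name: 'Microsoft 365 Login',           // attacker chooses this freely
  short_name: 'Microsoft',
  start_url: '/login',
  display: 'standalone',                 // hides the real browser address bar
  icons: [{ src: '/ms-logo.png', sizes: '192x192', type: 'image/png' }],
};

// Model of what the install prompt shows. Name and icon are copied straight
// from the manifest; the origin is derived from where the manifest actually
// lives, which is the only part the attacker cannot set to an arbitrary value.
function promptFields(manifest, manifestUrl) {
  const base = new URL(manifestUrl);
  const start = new URL(manifest.start_url || '/', base);
  if (start.origin !== base.origin) {
    // Real browsers reject manifests whose start_url is cross-origin.
    throw new Error('start_url must be same-origin as the manifest');
  }
  return {
    name: manifest.name || manifest.short_name,
    icon: manifest.icons && manifest.icons[0] ? manifest.icons[0].src : null,
    origin: start.origin,
    // standalone/fullscreen windows have no browser-drawn address bar,
    // which is what lets the page draw a fake one.
    hidesAddressBar: ['standalone', 'fullscreen'].includes(manifest.display),
  };
}

// The check a user (or a proxy/EDR rule) would apply: does the brand in the
// app name match the registrable domain in the origin line?
// brandDomains is a constructed allow-list: brand keyword -> legitimate domains.
function brandMismatch(fields, brandDomains) {
  const host = new URL(fields.origin).hostname.toLowerCase();
  const name = (fields.name || '').toLowerCase();
  for (const [brand, domains] of Object.entries(brandDomains)) {
    const matchesDomain = domains.some(d => host === d || host.endsWith('.' + d));
    if (name.includes(brand) && !matchesDomain) {
      return { brand, host };
    }
  }
  return null;
}

const BRANDS = { microsoft: ['microsoft.com', 'live.com', 'microsoftonline.com'] };

// Walk through the constructed phishing case.
const seen = promptFields(MANIFEST, MANIFEST_URL);
console.log('Prompt shows:', seen);
console.log('Mismatch:', brandMismatch(seen, BRANDS));
```

The takeaway matches the article: the name and logo are whatever the manifest says, the origin line is the only trustworthy field in the prompt, and `display: standalone` is what removes the real address bar so a fake one can be painted in its place.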

The fake url page after installation. Source: mrd0x

Vigilance

Phishing via PWA is, in principle, easy to spot: there are several points in the process at which you can question its legitimacy, from the rogue link to the suspicious source line in the install prompt and the fake URL bar. Still, installing a PWA is so quick and simple that such details are easily overlooked.

In addition, PWAs do not get the same security checks and alerts, such as malware scans and privacy reviews, as traditional apps in official app stores. This is because they are installed directly through a web browser and never have to be approved by an app store.

Most modern browsers have reasonable built-in phishing protection, although none of it is aimed specifically at phishing via PWA. Google Chrome, for example, has Safe Browsing, which warns in real time about websites already known to be malicious; a freshly registered look-alike domain may not be on that list yet. Keep in mind that once a PWA runs in its own standalone window, the browser's real address bar is gone, so the origin shown in the install prompt is your best indication of which site you are actually dealing with. You can also regularly review and remove installed PWAs yourself by browsing to chrome://apps. Being vigilant and critical with every suspicious link, install prompt or website remains the order of the day.