You are here

HomeJohn Lister › Banking Scam Bypasses iOS, Android App Store Vetting

Banking Scam Bypasses iOS, Android App Store Vetting

John Lister's picture
by John Lister on August, 26 2024 at 01:08PM EDT

A useful web feature could be a serious phishing risk according to security researchers. They say scammers are using "progressive web apps" to bypass Android and iOS security features.

In simple terms, a progressive web app is a mix of a website and a standalone application. It's technically a website and uses web technologies, allowing for instant updates. However, it looks and feels more like a standalone app and can often access more of a device's resources than a web browser.

Security firm ESET says scammers are using progressive web apps as a way to overcome a major limitation in scams designed to get hold of personal information. A scammer would ideally like to get a user to install software on a phone or tablet and then remotely use that software to get the data.

No App Store Vetting

The problem for the scammers is that Apple and Android devices both have restrictions. iPhones and iPads will only install apps from the official Apple Store while Android's default setting is to only install from the Google Play store. The scammers would either need to get past the security vetting to get in the official stores (which is difficult, if not impossible) or persuade an Android user to change default security settings to install from an alternative source, which often raises suspicions.

The new scam, which ESET has spotted in several Eastern European counties, is to trick the user into installing a progressive web app, which doesn't go through an app store. They will usually do this by creating a fake message such as a text message or social media post, that asks the user to install an update to an official banking app. (Source: welivesecurity.com)

Bogus Bank App

In most cases the user will know the message is bogus because they don't have the app installed. The beauty of the scam is that people who do install the bogus app are almost certainly customers of the bank in question and users of its official app. This makes it more likely they will fall for the next stage of the scam, which is them accessing the bogus app and typing in personal details. (Source: arstechnica.com)

The best advice is to only install either apps or updates from directly in the official app store, ignoring links or messages telling the user to do it another way.

What's Your Opinion?

Were you aware of progressive web apps? Do you use any banking apps on your phone? How do you keep on top of app updates on your mobile device?

Filed under:
Security
| Tags:
web app
,
banking
,
app
,
scam
,
scammers
,
progressive web app
,
pwa
,
security
Rate this article: 
Average: 4.9 (9 votes)
Need Help? Ask!



My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website! If you need technical assistance , I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).

We are BBB Accredited

We are BBB accredited (A+ rating), celebrating 21 years of excellence! Click to view our rating on the BBB.