Watch out – downloading that web app could infect your whole device with malware

Pls share this post

Listen to this article

Progressive Web Apps (PWA), a type of application delivered via a web browser, can be hijacked to be used for phishing, creating authentic-looking, convincing data-harvesting platforms, experts have warned.

Researcher mr.d0x, a notable figure in the cybersecurity community, particularly known for creating and sharing tools and techniques that are useful for penetration testing, red teaming, and security research, has described creating a new phishing toolkit that allows people to create PWAs which can display corporate login forms and even come with a fake address bar, showing the authentic URL, and thus looking more trustworthy.

“PWAs integrate with the OS better (i.e. they have their own app icon, can push notifications) and therefore they can lead to higher engagement for websites,” mr.d0x explained. “The issue with PWAs is that manipulating the UI for phishing purposes is possible,” he added.

READ ALSO  The importance of Hardware Security Modules (HSMs) strategy explained

Phishing templates released

PWAs are not very different from regular applications. They still need to be downloaded and installed, will be shown on the list of installed programs and apps, and will show a shortcut where designated by the user. The only difference is, once the user runs the app, it will open in the browser. That being said, the process of getting people to install a malicious PWA will not be very different from the process of getting them to install malware

However, it could be more convincing than regular programs, and as such could perform better when it comes to data harvesting and credential theft. 

READ ALSO  Seeing is believing: How AI can help visualize data to drive impact and insight

Mr.d0x released PWA phishing templates on GitHub, so that other researchers can play with the tools, as well.

“Users that don’t use PWAs often may be more susceptible to this technique as they might be unaware that PWAs should not have a URL bar. Even though Chrome appears to have taken measures against this by periodically showing the real domain in the title bar, I think people’s habits of “checking the URL” will render that measure less useful,” the researcher told BleepingComputer.

Finally, he warned that most security awareness programs are yet to include PWA phishing.

Via BleepingComputer

More from TechRadar Pro

READ ALSO  Google announces $1bn undersea cable funding


Pls share this post
Previous articleApple now offers a complete AI ecosystem
Next articleStill using classic Outlook? You can get Copilot features without migrating to the ‘new’ Outlook version