Watch out - downloading that web app could infect your whole device with malware

Cartoon Phishing
(Image credit: Shutterstock / DRogatnev)

Progressive Web Apps (PWA), a type of application delivered via a web browser, can be hijacked to be used for phishing, creating authentic-looking, convincing data-harvesting platforms, experts have warned.

Researcher mr.d0x, a notable figure in the cybersecurity community, particularly known for creating and sharing tools and techniques that are useful for penetration testing, red teaming, and security research, has described creating a new phishing toolkit that allows people to create PWAs which can display corporate login forms and even come with a fake address bar, showing the authentic URL, and thus looking more trustworthy.

"PWAs integrate with the OS better (i.e. they have their own app icon, can push notifications) and therefore they can lead to higher engagement for websites," mr.d0x explained. "The issue with PWAs is that manipulating the UI for phishing purposes is possible,” he added.

Phishing templates released

PWAs are not very different from regular applications. They still need to be downloaded and installed, will be shown on the list of installed programs and apps, and will show a shortcut where designated by the user. The only difference is, once the user runs the app, it will open in the browser. That being said, the process of getting people to install a malicious PWA will not be very different from the process of getting them to install malware

However, it could be more convincing than regular programs, and as such could perform better when it comes to data harvesting and credential theft. 

Mr.d0x released PWA phishing templates on GitHub, so that other researchers can play with the tools, as well.

"Users that don't use PWAs often may be more susceptible to this technique as they might be unaware that PWAs should not have a URL bar. Even though Chrome appears to have taken measures against this by periodically showing the real domain in the title bar, I think people's habits of "checking the URL'' will render that measure less useful,” the researcher told BleepingComputer.

Finally, he warned that most security awareness programs are yet to include PWA phishing.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.