Attacks delivered over everyday communication channels such as e-mail or text messages have become a routine experience for users of modern electronic devices. Most of them remain quite primitive, and it is easy to see that the links do not come from a trusted sender. Some attacks, however, deserve attention and description – as a warning and to satisfy professional curiosity. What have the hackers prepared this time?
The targets of the attack are users of the IKO application, which gives PKO Bank Polski customers access to their bank accounts. The attack is based on phishing via SMS messages sent to mobile phone numbers. The fraudulent application was built with WebAPK, so it bypasses the Google Play store.
How did the scam work? From the user's perspective the steps are quite standard: first an SMS with a link (sent from an ordinary phone number), and after clicking, the user is redirected to the "application" (which is in fact a web page). The victim is then asked to provide a login, password, 2FA code and SMS code. From this angle it is a fairly typical malicious-link scheme.
It gets more interesting under the hood. The scam relies on WebAPK, which generates an APK (installer) file for a web application. What does this choice of technology give the attacker? It allows the Google Play Store's security (e.g. its notifications) to be bypassed, because the store is not involved in the installation process at all. Interestingly, the application then appears in the installation-sources tab as if it had been downloaded from the store. The Polish Financial Supervision Authority (KNF) has prepared the diagram below to illustrate the situation (the link also provides a detailed technical description of the attack for analysts):
Source: KNF, CERT Orange
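As an added, defender-side example that is not part of the original article or the KNF/CERT Orange material: a small Python triage script that parses `adb shell pm list packages -i` output (a constructed sample is embedded) and flags packages whose name carries Chromium's WebAPK shell prefix `org.chromium.webapk.`, so that a WebAPK can be spotted even when the installer field claims the Play Store, as the article describes. The prefix, the sample package names and the output layout are assumptions based on Chromium and Android conventions, not values taken from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of `adb shell pm list packages -i` output (not from the
# article). The WebAPK entry deliberately claims the Play Store as installer,
# mirroring the behaviour the article describes.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:org.chromium.webapk.a1b2c3d4e5f60718  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.bank.app  installer=com.android.vending
"""

# Assumption: Chromium-minted WebAPK shells use this package-name prefix.
WEBAPK_PACKAGE_PREFIX = "org.chromium.webapk."
PLAY_STORE_INSTALLER = "com.android.vending"

# One line per package: "package:<name>  installer=<installer-or-null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


@dataclass
class PackageRecord:
    package: str
    installer: str  # the literal string "null" when no installer is recorded


def parse_pm_output(text: str) -> List[PackageRecord]:
    """Parse `pm list packages -i` output into records; skips malformed lines."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(PackageRecord(match["pkg"], match["installer"]))
    return records


def triage(records: List[PackageRecord]) -> List[Tuple[str, str, str]]:
    """Return (package, reason, installer) for entries worth a closer look.

    'webapk-shell' fires on the package-name prefix regardless of the installer
    field, because that field can read as the Play Store for a WebAPK.
    'no-installer' flags plain sideloads with no recorded installer.
    """
    findings = []
    for rec in records:
        if rec.package.startswith(WEBAPK_PACKAGE_PREFIX):
            findings.append((rec.package, "webapk-shell", rec.installer))
        elif rec.installer == "null":
            findings.append((rec.package, "no-installer", rec.installer))
    return findings
```

Run the two functions over the real `adb shell pm list packages -i` output of a device under investigation; every `webapk-shell` hit should then be checked against the start URL of the web app it wraps.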