As Google is preparing to implement new developer requirements to make the Play Store safer from malware, hackers have turned to using Android’s WebAPK technology to trick unsuspecting users into installing malicious apps.
Normally when infecting one of the best Android phones with malware, hackers will find a way to get them to sideload an app by tricking them into installing an APK (Android Package Kit) file. However, this new technique is even simpler to pull off as Android users don’t need to sideload the malicious app.
As reported by The Hacker News, security researchers from the Polish Financial Supervision Authority’s Computer Security Incident Response Team (CSIRT KNF) discovered a new campaign where cybercriminals have begun sending out text messages to banking customers telling them they need to update their mobile banking app.
Alongside this call to action, the messages also contain a link that leads to the update. However, instead of taking them to the Play Store or another official Android app store to update the app in question, the link leverages WebAPK technology to install a malicious app on their smartphone.
Abusing Android’s WebAPK technology
Just like with sideloading apps, WebAPK allows Android users to install progressive web apps (PWAs) on their smartphone’s home screen without having to go through the Play Store.
In its own documentation, Google explains that “when a user installs a PWA from Google Chrome and a WebAPK is used, the minting server “mints” (packages” and signs an APK for the PWA.”
While this process takes some time, once finished, a smartphone’s browser installs the app in question silently on a user’s device without disabling security due to the fact that a trusted provider like Google or Samsung has already signed the APK.
In the campaign observed by CSIRT KNF, the fake banking app installed by abusing WebAPK technology urges users to enter their credentials as well as their two-factor authentication (2FA) tokens which allows hackers to completely drain their bank accounts.
Unlike with other malicious apps, the ones that are distributed this way are particularly hard for security researchers to track since WebAPK apps have a different package name and checksum on each device they’re installed onto.
How to stay safe from malicious Android apps
In order to avoid falling victim to malware from malicious apps, you need to be especially careful when installing new apps or updating your existing ones.
For starters, you shouldn’t sideload any apps and should instead only install apps from official app stores like the Google Play Store, Amazon App Store and the Samsung Galaxy Store. Sideloading apps may be convenient but you have no idea whether or not an APK file is malicious as they don’t go through the same security checks that apps downloaded from official Android app stores do.
As for protecting yourself from malicious apps distributed using WebAPK, you should avoid clicking on any links from suspicious messages or pop-ups telling you that you need to update a particular app. Fake updates are often used by hackers to distribute malware and many people fall for this when they let their emotions get the best of them.
To stay safe from malicious apps and malware, you should ensure that Google Play Protect is enabled as this free antivirus app that ships with most Android phones scans both any new apps as well as your existing apps for malware. For additional protection though, you should also consider using one of the best Android antivirus apps alongside Google Play Protect.
While the campaign described above is currently being used to impersonate the Polish bank PKO Bank Polski, other hackers could use the same technique to do so with banks in the U.S., U.K. and around the world. This is why you need to remain vigilant and avoid clicking on any links in messages from unknown senders trying to trick you into installing an update.