Beware of This New Phishing Method on Android and iOS, It Could Empty Your Bank Account

Cybersecurity researchers have discovered a new method to infect smartphones and steal victims' money. This technique targets mobile phones running both Android and iOS systems.

It's also difficult for your smartphone to be infected through an app available on Google Play Store or Apple App Store. Monitoring measures are becoming more effective day by day. Naturally, they're not perfect yet, and some malware still manages to slip through the cracks. Most of the time, these apps pretend to be something harmless or even a legitimate entity, often posing as your bank. It’s a simple way to extract your personal identifiers and, eventually, your money.

Faced with the nearly insurmountable barrier imposed by legitimate app stores, hackers turn to other solutions. The app discovered by ESET Research specializes in using PWA, or Progressive Web Apps. These are web-based apps with functionalities similar to their mobile versions, such as the ability to send notifications. Installing them does not require undergoing a full range of security checks, and scammers are well aware of this.

Here's How These Hackers Steal Your Money From an Android or iOS Smartphone

The general idea is to trick you into installing a fake PWA from your mobile browser. It mimics your bank’s app, and once you enter your credentials, they fall into the hands of scammers who will use them to access your account.

But how do they convince you to download the file? There are three methods in play. First, phone calls where an automated system informs you that your banking app needs to be updated. Then, if you press the required key on your keypad, a fraudulent link will be sent to you via SMS.

This link is, of course, connected to a fake page resembling your bank’s, with a button to download the PWA. Finally, advertisements displayed on social media platforms, currently Facebook and Instagram, encourage you to click the link to retrieve the app. ESET’s research indicates that this phishing method works on both Android and iOS. Therefore, caution is essential.