Watch out - downloading that web app could infect your whole device with malware

PWAs can easily be abused to steal sensitive data, expert warns

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Progressive Web Apps (PWA), a type of application delivered via aweb browser, can be hijacked to be used for phishing, creating authentic-looking, convincing data-harvesting platforms, experts have warned.

Researcher mr.d0x, a notable figure in the cybersecurity community, particularly known for creating and sharing tools and techniques that are useful for penetration testing, red teaming, and security research, has described creating a new phishing toolkit that allows people to create PWAs which can display corporate login forms and even come with a fake address bar, showing the authentic URL, and thus looking more trustworthy.

“PWAs integrate with the OS better (i.e. they have their own app icon, can push notifications) and therefore they can lead to higher engagement for websites,” mr.d0x explained. “The issue with PWAs is that manipulating the UI for phishing purposes is possible,” he added.

Phishing templates released

PWAs are not very different from regular applications. They still need to be downloaded and installed, will be shown on the list of installed programs and apps, and will show a shortcut where designated by the user. The only difference is, once the user runs the app, it will open in the browser. That being said, the process of getting people to install a malicious PWA will not be very different from the process of getting them to installmalware.

However, it could be more convincing than regular programs, and as such could perform better when it comes to data harvesting and credential theft.

Mr.d0x released PWA phishing templates on GitHub, so that other researchers can play with the tools, as well.

“Users that don’t use PWAs often may be more susceptible to this technique as they might be unaware that PWAs should not have a URL bar. Even though Chrome appears to have taken measures against this by periodically showing the real domain in the title bar, I think people’s habits of “checking the URL'' will render that measure less useful,” the researcher toldBleepingComputer.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Finally, he warned that most security awareness programs are yet to include PWA phishing.

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

VIPRE Security Group says its new endpoint protection tools can stamp out even the latest cybersecurity threats