How Scammers Are Using Fake Apps to Steal Your Banking Information — And How You Can Protect Yourself
Published on September 11, 2024
Did you know scammers are now using fake apps that look like your bank’s app to steal credentials? Learn how PWAs and WebAPKs are being exploited in phishing scams and protect yourself from this rising threat.
Imagine this: You’re scrolling through photos on Instagram and see an ad from your bank saying that all customers need to update their mobile banking app. The ad has the Google Play and Apple App Store logos. The message looks legit, and who doesn’t want to make sure their banking app is secure? You click the link, you’re taken to the “Google Play Store” and a few minutes later, you’ve "updated" your app. When you open the app, it looks good! You enter your login information but instead of upgrading your security, you’ve handed over your banking details to a scammer. This might sound like a scene from a crime show, but it’s a real and growing threat that businesses and consumers alike need to be aware of.
Phishing scams are getting more sophisticated, and cybercriminals are now using Progressive Web Applications (PWAs) and WebAPKs to trick unsuspecting users into installing fake apps that look exactly like the real deal. These malicious apps are designed to steal your credentials, often without raising any red flags. In this blog, we’ll break down how these scams work and what you can do to protect yourself and your business.
What Are PWAs and WebAPKs?
A Progressive Web Application (PWA) is a website that, once installed, behaves like a regular app on your phone or computer. Think of it as a super-powered shortcut: there is an icon on your home screen, but instead of opening a browser window with an address bar, the site opens in its own window and looks and feels like a native app. What makes a site installable is a small JSON file, the web app manifest, that gives the "app" its name and icon, tells the browser which URL to open, and asks the browser to hide its own controls.
A PWA can also work while the device is offline, send notifications and update itself, just like an official app.
On Android, a PWA installed as a plain shortcut can usually be spotted by the small browser logo badged onto its launch icon. A WebAPK is a PWA that the browser wraps into a real Android package and installs like a native app, with deeper integration: it appears in the app list, its icon carries no browser badge, and it is therefore much harder to tell apart from an app that came from the store. PWAs and WebAPKs are not bad in themselves; they are powerful tools when used legitimately.
But here is the thing: both can be installed without going through Google Play or the Apple App Store. A website only has to ask, and the browser does the installing. And herein lies the problem: scammers are using these tools to trick users into installing fake banking apps that steal personal information.
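To make the mechanism concrete, here is an added example (not code from the original post or from ESET) of what a lookalike banking site has to serve to be installable, and of a triage check a bank's fraud or brand-protection team could run over manifests harvested from reported phishing URLs. The manifest members used (name, short_name, start_url, scope, display, icons) are standard web app manifest fields; the bank name, origins and manifest contents are constructed for the example, and the ".example" domains are placeholders. Note that the manifest's name and icon are entirely attacker-controlled, so the check leans on where the manifest and its start URL actually live, not on what they call themselves.

```javascript
// Added example (not from the original post): triage a harvested web app
// manifest for signs that it is a lookalike of a bank's real PWA.
// Brand record, origins and manifest below are constructed for this example.

// A lookalike banking PWA only needs a manifest like this to be installable.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "Example Bank Mobile",
  short_name: "Example Bank",
  start_url: "/login",       // page that opens when the icon is tapped
  scope: "/",                // URLs treated as "inside the app"
  display: "standalone",     // hide the browser UI so it looks native
  icons: [{ src: "/icons/bank-512.png", sizes: "512x512", type: "image/png" }],
});

// Constructed brand record: the real bank name and the origins allowed to host its web app.
const BRAND = {
  name: "Example Bank",
  officialOrigins: ["https://www.examplebank.example", "https://app.examplebank.example"],
};

// Display modes that remove browser chrome, i.e. make an installed site look like an app.
const APP_LIKE_DISPLAY = new Set(["standalone", "fullscreen", "minimal-ui"]);

// Lower-case and strip punctuation so "Example-Bank" and "example bank" compare equal.
function normalize(s) {
  return (s || "").toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Resolve a manifest URL member against the manifest's own URL, as a browser does.
function resolveOrigin(member, manifestUrl) {
  try {
    return new URL(member || "/", manifestUrl).origin;
  } catch {
    return null;
  }
}

// Returns a verdict plus the individual indicators so an analyst can see why.
function triageManifest(manifestText, manifestUrl, brand) {
  const m = JSON.parse(manifestText);
  const findings = [];
  const servedOrigin = new URL(manifestUrl).origin;
  const brandKey = normalize(brand.name);

  // Indicator 1: the app calls itself by the bank's name.
  const names = [m.name, m.short_name].filter(Boolean);
  if (names.some((n) => normalize(n).includes(brandKey))) {
    findings.push("name-mimics-brand");
  }

  // Indicator 2: it asks the browser to hide its UI (installable, app-like).
  if (APP_LIKE_DISPLAY.has(m.display)) findings.push("installable-app-like-display");

  // Indicator 3: the manifest, its start URL or its scope live off the bank's real origins.
  if (!brand.officialOrigins.includes(servedOrigin)) {
    findings.push(`served-from-off-brand-origin:${servedOrigin}`);
  }
  for (const member of ["start_url", "scope"]) {
    const origin = resolveOrigin(m[member], manifestUrl);
    if (origin && !brand.officialOrigins.includes(origin)) {
      findings.push(`${member}-off-brand-origin:${origin}`);
    }
  }

  const mimicsName = findings.includes("name-mimics-brand");
  const offBrand = findings.some((f) => f.includes("off-brand-origin"));
  const verdict = mimicsName && offBrand ? "likely-lookalike" : "benign-or-inconclusive";

  // Absolute icon URLs are handy for pulling the artwork into a takedown report.
  const iconUrls = (m.icons || []).map((i) => new URL(i.src, manifestUrl).href);
  return { verdict, findings, iconUrls };
}

// Same manifest, served from a phishing domain versus the bank's own origin.
console.log(triageManifest(SAMPLE_MANIFEST, "https://examplebank-update.example/manifest.json", BRAND));
console.log(triageManifest(SAMPLE_MANIFEST, "https://app.examplebank.example/manifest.json", BRAND));
```

Run with `node` and no dependencies. The first call reports `likely-lookalike` because the brand name appears on an origin the bank does not own; the second, identical manifest on the bank's own origin only yields the neutral "installable" indicator, which is exactly what a legitimate banking PWA looks like.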
How Do PWAs and WebAPKs Bypass Security?
Getting your apps from an official app store is like buying a watch from a reputable jeweler rather than from a street vendor in a dark alley. At the jeweler, you have some basis for confidence that the watch is authentic. On the street, it is probably a cheap knock-off that will not work for long. In the same way, when you install a PWA or WebAPK from a page you did not verify, you are at risk of being scammed. Bypassing Google Play and the App Store means bypassing the stores' review and their warnings. On Android the browser performs the install, so the victim never sees the "install unknown apps" prompt that sideloading an ordinary APK would trigger; on iOS the same trick is done through Safari's "Add to Home Screen". These "apps" can be installed directly from a phishing website, often disguised as an update page for your banking app. In some cases the link sends you to what appears to be the app store, where you initiate the download yourself. It is tricky and convincing.
Real-World Case Study: Phishing in Czechia
In a phishing campaign uncovered by ESET researchers, scammers targeted banking users in Czechia, Hungary, and Georgia. They sent phishing links via SMS, automated voice calls and social media ads, leading victims to fake app update pages for their banks. These phishing pages looked identical to Google Play Store and Apple App Store listings. Once the victim installed the fake app, it prompted them to enter their banking credentials, which went straight to the scammers.
Because these apps mimicked the legitimate banking apps so closely, and carried no browser badge or store warning, it was nearly impossible for users to tell they were being scammed.
Why These Scams Are So Convincing
These scams are convincing for several reasons:
- Lookalike apps: The fake apps are almost indistinguishable from the real thing.
- Cross-platform targeting: These scams work on both iOS and Android devices.
- No security warnings: Because the browser does the installing, victims never see the store's review or the "unknown sources" warning that sideloading a normal app would trigger.
- Social engineering tactics: Scammers use techniques like SMS phishing and social media ads to lure victims, making the entire process feel legitimate.
Best Practices to Protect Yourself and Your Business from Phishing
While these scams are sophisticated, there are steps you can take to avoid falling victim:
- Verify app sources: Always install apps from the official stores, Google Play or the Apple App Store, by opening the store app yourself. If a link asks you to update or download an app from anywhere else, or a web page offers to "install" or "add to home screen", be suspicious.
- Avoid third-party links: Be cautious of any app links sent via SMS, social media, or even automated phone calls. Scammers often use these methods to lure victims.
- Use Multi-Factor Authentication (MFA): Enable MFA with an authenticator app for all your banking and sensitive apps. A stolen password alone is then much less useful. Be aware, though, that a fake app can ask for your one-time code as well and relay it to the scammers, so never enter a code into an app you did not install from the official store, and prefer phishing-resistant methods such as passkeys where your bank offers them.
- Be Cautious of Pop-ups: iOS and Android users should be cautious of pop-ups asking to install or update apps outside of the official app stores.
- Check app permissions: If an app asks for permissions unrelated to what it does, such as a banking app wanting your contacts or your SMS messages, that is a red flag.
- Use mobile security software: Make sure you have up-to-date security software on your device that can detect and block malicious behavior.
- Keep an eye on banking updates: If your bank asks you to update your app, verify this request through official channels. Call your bank or check their website rather than clicking on a link in an SMS or email.
Stay Ahead of the Scammers
Cybercriminals are constantly evolving their methods, and the use of PWAs and WebAPKs in phishing campaigns is just the latest trick in their book. These scams are particularly dangerous because they look so convincing and bypass many of the usual security warnings. By staying informed and implementing best practices like MFA and verifying app sources, you can protect yourself and your business from these sophisticated attacks.
Don’t wait until it’s too late—take action today to secure your mobile devices and educate your team about the risks. Scammers aren’t going to stop evolving, so your security measures shouldn’t either.