Last Updated: March 2026
Imagine this: You’re scrolling through photos on Instagram and see an ad from your bank saying that all customers need to update their mobile banking app. The ad has the Google Play and Apple App Store logos. The message looks legit, and who doesn’t want to make sure their banking app is secure? You click the link, you’re taken to the “Google Play Store” and a few minutes later, you’ve "updated" your app. When you open the app, it looks good! You enter your login information but instead of upgrading your security, you’ve handed over your banking details to a scammer. This might sound like a scene from a crime show, but it’s a real and growing threat that businesses and consumers alike need to be aware of.
Phishing scams are getting more sophisticated, and cybercriminals are now using Progressive Web Applications (PWAs) and WebAPKs to trick unsuspecting users into installing fake apps that look exactly like the real deal. These malicious apps are designed to steal your credentials, often without raising any red flags. In this blog, we’ll break down how these scams work and what you can do to protect yourself and your business.
What Are PWAs and WebAPKs?
PWAs and WebAPKs are essentially websites that act like regular apps on your phone or computer. You might think of them as super-powered shortcuts – there’s an icon on your home screen but instead of opening a browser window and displaying a website, PWAs and WebAPKs look and feel like a regular app.
They can even run when the device is offline, send notifications and update themselves – just like official apps.
PWAs can be identified by the small browser logo superimposed on their launch icon. WebAPKs can be thought of as enhanced versions of PWAs, packaged specifically for Android with deeper integration that makes them even more app-like. For example, their icons lack the browser logo and therefore look even more like regular apps. PWAs and WebAPKs are not all bad: they are powerful tools when used legitimately.
But here’s the thing – both can be installed without needing to go through Google Play or the Apple App Store. Instead, they can be installed directly from a web browser. And herein lies the problem: scammers are using these tools to trick users into installing fake banking apps that steal personal information.
How Do PWAs and WebAPKs Bypass Security?
Getting your apps from an official app store is like buying a watch from a reputable jeweler compared to buying one from a shady street vendor down some dark alley. At the jeweler, you have some basis for confidence that the watch is authentic. On the street, it’s likely a cheap knock-off which will not work for long. In a similar way, when you install a PWA or WebAPK, you are at risk of being scammed. Bypassing Google Play and the App Store means you bypass security checks. These “apps” can be installed directly from a phishing website, often disguised as an update page for your banking app. In some cases, the link sends you to what appears to be the app store, where you initiate the download. It’s very tricky and convincing!
Real-World Case Study: Phishing in Czechia
In a phishing campaign uncovered by ESET researchers, scammers targeted banking users in Czechia, Hungary, and Georgia. They sent phishing links via SMS and social media ads, leading victims to fake app update pages for their banks. These phishing pages looked identical to Google Play Store and Apple App Store listings. Once the victim installed the fake app, it prompted them to input their banking credentials, which were sent directly to the scammers.
The fact that these apps mimicked legitimate banking apps so closely made it nearly impossible for users to tell they were being scammed.
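What a user cannot tell by eye, a gateway or review script can check mechanically: whether the web app manifest behind an "install" page claims a brand that the serving host does not belong to. The following is an added example, not part of the original post; the brand allowlist, the `.example` domains and the sample manifests are constructed placeholders.

```javascript
// Added example, not from the original post. BRANDS is a constructed allowlist of
// brand label -> registrable domains the brand really owns (.example placeholders).
const BRANDS = { "example bank": ["examplebank.example"] };

// True when host is the official domain or one of its subdomains.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Compare what a web app manifest claims to be with the host that served it.
function triageManifest(manifest, manifestUrl, brands = BRANDS) {
  const host = new URL(manifestUrl).hostname;
  const label = `${manifest.name || ""} ${manifest.short_name || ""}`.toLowerCase();
  const findings = [];
  for (const [brand, domains] of Object.entries(brands)) {
    if (domains.some((d) => hostMatches(host, d))) continue; // the brand's own site
    if (label.includes(brand)) findings.push(`label-impersonates:${brand}`);
    // Host embeds the brand's domain label, e.g. "examplebank-update.example".
    if (domains.some((d) => host.includes(d.split(".")[0]))) findings.push(`host-imitates:${brand}`);
  }
  // Punycode labels are how look-alike (homoglyph) characters appear in a hostname.
  if (host.split(".").some((l) => l.startsWith("xn--"))) findings.push("punycode-host");
  // Only meaningful alongside another finding: these modes hide the address bar.
  if (findings.length && ["standalone", "fullscreen"].includes(manifest.display)) {
    findings.push("address-bar-hidden");
  }
  return { host, flagged: findings.length > 0, findings };
}

// Constructed samples: the real site, a look-alike update page, an unrelated PWA.
const SAMPLES = [
  { url: "https://examplebank.example/app/manifest.json",
    manifest: { name: "Example Bank", short_name: "ExBank", display: "standalone", start_url: "/app/" } },
  { url: "https://examplebank-update.example/manifest.json",
    manifest: { name: "Example Bank Mobile", display: "standalone", start_url: "/" } },
  { url: "https://news.example/manifest.webmanifest",
    manifest: { name: "Daily News", display: "standalone", start_url: "/" } },
];
for (const s of SAMPLES) console.log(s.url, triageManifest(s.manifest, s.url));
```

A flagged result is a prompt for review rather than proof of fraud, since legitimate sites also use internationalized hostnames and standalone display.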
2026 Update: The Threat Gets Closer to Home
If the Czechia campaign showed us what PWA phishing could do, a new wave of attacks uncovered by Malwarebytes researchers in early 2026 shows just how much further this threat has evolved — and how much closer to home it has come.
In this campaign, victims were directed to a fake Google Account security page through phishing emails, SMS messages, and other social engineering. Once there, they were presented with an urgent warning that their Google account had been compromised and prompted to run a “quick security check.” The page — hosted at a domain designed to look like an official Google address — was virtually indistinguishable from the real thing.
Source: Malwarebytes
The fake security check walked victims through a four-step process that ended with installing a PWA labelled as a security tool. What happened next was more alarming than anything seen before in this type of attack. The fake app didn't just steal login credentials. It also:
- Attempted to intercept one-time passcodes (OTPs) — the codes used to verify your identity (multi-factor authentication)
- Harvested device information, GPS location, and contacts
- Used the victim's own browser as a relay — quietly routing the attacker's traffic through the victim's device to scan internal networks and hide their tracks
- Continued running in the background even after the browser tab was closed, thanks to a feature called a service worker
Critically, this is not just a mobile threat. The attack works across Windows and Mac computers as well as smartphones — targeting anyone using a Chromium-based browser such as Google Chrome or Microsoft Edge, on any device. Desktop users are just as exposed as mobile users.
Perhaps most unsettling: unlike earlier PWA attacks that focused on banking apps, this campaign impersonated Google itself — one of the most trusted names in technology. If a fake Google security page can fool users, almost anything can.
The full Malwarebytes report provides a detailed technical breakdown of this attack, along with step-by-step removal instructions for all affected platforms — including Windows, macOS, Android, and iOS.
Why These Scams Are So Convincing
PWAs and WebAPKs are convincing for several reasons:
- Lookalike apps: The fake apps are almost indistinguishable from the real thing.
- Cross-platform targeting: These scams work on both iOS and Android devices.
- No security warnings: Because they bypass app store checks, victims don’t receive warnings about unknown apps.
- Social engineering tactics: Scammers use techniques like SMS phishing and social media ads to lure victims, making the entire process feel legitimate.
Best Practices to Protect Yourself and Your Business from Fake Apps and False Updates
While these scams are sophisticated, there are steps you can take to avoid falling victim:
- Verify app sources: Always install apps from official stores like Google Play or the Apple App Store. If a link asks you to update or download an app from anywhere else, be suspicious.
- Avoid third-party links: Be cautious of any app links sent via SMS, social media, or even automated phone calls. Scammers often use these methods to lure victims.
- Use Multi-Factor Authentication (MFA) — but choose it wisely: Enabling MFA remains one of the most important steps you can take to protect your accounts. Authenticator apps are generally more secure than SMS-based codes, and that advice holds for most threats. However, it is worth understanding that the most advanced versions of these attacks — particularly if a malicious companion app has been installed on your device — can read codes directly from your screen or notifications, regardless of how they were generated. MFA is still a critical layer of defence, but it is not a guaranteed safeguard if malware is already present on your device. This is why preventing installation in the first place is so important.
- Be cautious of pop-ups: iOS and Android users should be cautious of pop-ups asking to install or update apps outside of the official app stores.
- Check app permissions: If an app is asking for permissions it doesn’t need, like access to your contacts or camera, it’s a red flag.
- Use mobile security software: Make sure you have up-to-date security software on your device that can detect and block malicious behavior.
- Keep an eye on banking updates: If your bank asks you to update your app, verify this request through official channels. Call your bank or check their website rather than clicking on a link in an SMS or email.
- Closing the tab isn't enough: Unlike a regular website, a malicious PWA can keep running in the background even after you close your browser. If you think you may have accidentally installed one, don't just close the tab. You will need to remove the app and clear its site data from your browser — the steps vary depending on your device and browser. Full removal instructions for Windows, macOS, Android, and iOS are available in the Malwarebytes report. When in doubt, contact your IT provider.
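For IT staff cleaning up an affected browser profile, this is what "still running in the background" consists of at the API level: a registered service worker, any push subscription attached to it, and the cached offline copy of the app. The following is an added example, not part of the original post or the Malwarebytes instructions; `purgeOriginWorkers` and `fakeEnv` are hypothetical names, and the `security-check.example` origin is constructed.

```javascript
// Added example. In a browser, call purgeOriginWorkers() from the DevTools console
// on the affected origin; `env` is injectable only so the logic also runs under Node.
async function purgeOriginWorkers(env = globalThis) {
  const report = { workers: [], pushRemoved: 0, cachesRemoved: [] };
  const regs = await env.navigator.serviceWorker.getRegistrations();
  for (const reg of regs) {
    const sw = reg.active || reg.waiting || reg.installing;
    // Drop the push subscription first so the push service stops waking the worker.
    const sub = reg.pushManager ? await reg.pushManager.getSubscription() : null;
    if (sub && (await sub.unsubscribe())) report.pushRemoved += 1;
    const removed = await reg.unregister();
    report.workers.push({ scope: reg.scope, script: sw ? sw.scriptURL : null, removed });
  }
  // Cache Storage holds the offline copy of the app; delete every named cache.
  for (const name of await env.caches.keys()) {
    if (await env.caches.delete(name)) report.cachesRemoved.push(name);
  }
  return report;
}

// Constructed stand-in for the browser objects (one worker, one push subscription,
// two caches) so the function can be exercised offline.
function fakeEnv() {
  const state = { unregistered: false, caches: ["app-shell-v1", "offline-pages"] };
  const reg = {
    scope: "https://security-check.example/",
    active: { scriptURL: "https://security-check.example/sw.js" },
    pushManager: { getSubscription: async () => ({ unsubscribe: async () => true }) },
    unregister: async () => (state.unregistered = true),
  };
  return {
    state,
    navigator: { serviceWorker: { getRegistrations: async () => (state.unregistered ? [] : [reg]) } },
    caches: {
      keys: async () => [...state.caches],
      delete: async (name) => {
        const had = state.caches.includes(name);
        state.caches = state.caches.filter((c) => c !== name);
        return had;
      },
    },
  };
}
```

This covers service workers, push subscriptions and Cache Storage for one origin only; the installed app entry and the rest of the site data still have to be removed through the browser, as the step above describes.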
Stay Ahead of the Scammers
Cybercriminals are constantly evolving their methods, and PWA-based phishing is no longer just an emerging threat — it is an active and growing one. The approach has evolved into attacks impersonating some of the world's most trusted platforms, including mechanisms which attempt to bypass two-factor authentication and persist on your device long after you think you've closed the app. And it's not just a mobile problem — these attacks work just as effectively on Windows and Mac computers. The good news is that awareness is your strongest first line of defense. By staying informed, using strong authentication methods, and verifying anything that asks you to install or update an app, you can significantly reduce your risk.
Don't wait until it's too late — the most effective defense against these attacks is awareness. Educate yourself and your team to recognize the signs, question unexpected security alerts, and verify before you install anything.
Ready to build a stronger defense?
Awareness is the first line of protection against attacks like these — but it needs to be built into your organization deliberately, not left to chance. allCare IT offers Cyber Awareness Training to help your team recognize and respond to the latest threats, and Cybersecurity Assessments to identify where your organization is exposed before attackers do. Get in touch today to find out how we can help you build security from the ground up.