Cybersecurity researchers have discovered a new, complex malicious campaign that uses Progressive Web Apps (PWAs) as a novel way to redirect mobile users to “adult content” scam applications.
The compromise involves malicious JavaScript code injected into websites and focuses on mobile browsers on Android, iOS, and iPadOS; it does not appear to have been observed on desktop browsers so far.
c/side researchers found that the injected JavaScript acts as a loader, redirecting certain users who hit infected mobile sites. This chain of redirections eventually lands the user on what appear to be genuine app store listing pages for adult content apps.
But these are scam PWAs, probably intended to collect user information or simply to extract subscriptions to sketchy services.
According to c/side’s Himanshu Anand, the delivery method is the most interesting aspect of the campaign, and the attack payload isn’t actually new: “While the payload itself is nothing new – the delivery method is what brings this piece out of the ordinary.
The malicious landing page is a fully-functioning Progressive Web App (PWA), which presumably is an attempt to keep users in the app longer and bypass simple browser protections.”
The use of PWAs is one of the reasons this attack succeeds. PWAs are web-based applications that provide a native-application-like user experience.
By building scam applications as PWAs, the cybercriminals can skirt some of the security checks applied to classic app installs. What’s more, because the attack targets mobile and mobile only, it bypasses most of the detection frameworks that might have caught suspicious behavior on the desktop versions of the sites in question.
Security researchers recommend being wary of unexpected redirects, especially while browsing on mobile. They advise keeping operating systems and browsers updated with the latest security patches and being cautious about installing PWAs from unknown or suspicious websites.
This new campaign shows how cybercriminal tactics are constantly shifting and how vital it is to stay vigilant in the face of new web-based threats.