[HN Gopher] New Phishing Technique Bypasses Security on iOS and ...
___________________________________________________________________
New Phishing Technique Bypasses Security on iOS and Android to
Steal Bank Creds
Author : LinuxBender
Score : 36 points
Date : 2024-08-21 18:42 UTC (4 hours ago)
(HTM) web link (www.securityweek.com)
| Pfhortune wrote:
| PWA as a mechanism for delivering phishing apps is an interesting
| avenue. I would have thought the hoops Android/iOS make you jump
| through to add a PWA would be enough to make people question
| whether they are doing the right thing. The fact that folks did
| not find it odd that they had to do a particular dance to install
| the "app" from the "app store" is just... tragic.
|
| I do not know what education is like where this campaign seems to
| have taken place (Czech Republic), but really basic tech literacy
| should be taught in schools. I know it's tricky to teach someone
| to be tech literate with a moving target like evolving tech, but
| we should be _trying_.
| szundi wrote:
| This so-called basic tech literacy is obsolete in some years.
| We just don't get how people can be so disinterested in how
| things work.
| mxuribe wrote:
| Tech literacy even in this day and age isn't equally
| distributed everywhere.
|
| Also, I wonder if this is a generational thing... Because a
| couple decades ago, there was a generation (or at least a
| percentage of the generation) that learned through pain that
| installing unknown apps on a desktop became a risky, potentially
| harmful thing to do. Then the Web came along and that
| generation, being more savvy on the desktop side, had to learn
| that websites (even without "installing something on the
| desktop") also come with risks and problems... and now we have a
| likely younger generation who never lived through the dangers
| of installing stuff on a device... they've known web stuff and
| app stores... and have grown to somewhat trust app stores... so
| they lack the understanding of risks associated with
| "installing stuff". I have only personal data to substantiate
| my theory... so I'm just talking out of my pocket. :-)
| rollcat wrote:
| > basic tech literacy should be taught in schools
|
| You're blaming the victim.
|
| Technology is too complex and continues changing too fast. I'm
| a software engineer and I couldn't tell you what half the
| processes on my machine are supposed to be doing, and even if I
| did that wouldn't help spot even a trivial piece of malware.
|
| Last time I attended school, smartphones didn't even exist yet.
| That's fair; sometimes there's a fundamental shift in how we do
| things. But meanwhile Google alone launched and killed how many
| chat/video call apps? Unfortunately you have to keep installing
| these every now and then, because that's somehow still an
| unsolved problem.
|
| Security _is_ simplicity: if a system is complex then it's
| easy to confuse the user into doing the insecure thing.
| ignoramous wrote:
| > _would have thought the hoops Android/iOS make you jump
| through to add a PWA would be enough to make people question_
|
| The original article by ESET Security [0] specifically talks about
| (Android/Chrome-supported) _WebAPKs_ essentially bypassing the
| usual "untrusted sources" warning, and that even the _App Info_
| screen shows _Play Store_ as the origin source for all
| installed _WebAPKs_.
|
| > _tricky to teach someone to be tech literate with a moving
| target_
|
| Not foolproof, but given the IoCs, think it might be best to
| block all but top 50k domains by default.
|
| Or, inform users if a domain they've never previously visited
| asks them to enter anything via clipboard or keyboard.
|
| [0] https://www.welivesecurity.com/en/eset-research/be-careful-w... / https://archive.md/29SKK (hat-tip u/ChrisArchitect)
| ChrisArchitect wrote:
| Source: https://www.welivesecurity.com/en/eset-research/be-careful-w...
| coolspot wrote:
| That is why we can't have nice things. Apple will surely point to
| this situation as a justification for the AppStore.
| CatWChainsaw wrote:
| This reinforces my decision to never do my banking on my phone.
| isodev wrote:
| Why is this a "new" technique? The "this looks like your
| bank/legitimate app/website" scheme has been around for a very
| long time.
| lxgr wrote:
| "But I'm not on a website, I'm in my bank's app! I know because
| I got there by clicking on my bank's icon on my home screen!"
| lxgr wrote:
| > WebAPKs, which can be considered upgraded PWAs, appear like
| regular native apps and their installation does not trigger any
| warnings on Android devices, even if the user has not allowed
| installation from third-party sources.
|
| This seems to be a mischaracterization/misunderstanding of what
| WebAPKs are. As far as I understand, they're merely an
| implementation detail of how Chrome on Android makes PWAs feel
| "more native":
| https://web.dev/articles/webapks#frequently_asked_questions
|
| In other words, any installed PWA gets a corresponding WebAPK,
| and there's no actual vetting by the Play Store involved.
|
| I don't really understand the point of that, and there seem to be
| significant security downsides (via user confusion, as
| demonstrated here), but I don't know the details, and there's
| probably a technical reason why Google did it this way.
___________________________________________________________________
(page generated 2024-08-21 23:01 UTC)