Security researchers have identified a new phishing technique using progressive web applications (PWAs) to target customers of banks in Eastern Europe.
PWAs are essentially websites that look and behave like applications and that can be installed without the user being notified that they are third-party apps.
Researchers at ESET say crooks are targeting iOS and Android users with PWAs masquerading as banking apps.
The phishers use automated voice calls, SMS messages, and social media malvertising to instruct iOS victims to add a PWA to their home screens, while on Android the PWA is installed after the victim confirms custom pop-ups in the browser.
"At this point, on both operating systems, these phishing apps are largely indistinguishable from the real banking apps that they mimic," says an ESET blog.
ESET says that most of the phishing apps it has identified have targeted clients of Czech banks, but one was aimed at a Hungarian bank and another at a Georgian bank.
There also appear to be two different groups responsible for the apps, with ESET warning: "We expect more copycat applications to be created and distributed, since after installation it is difficult to separate the legitimate apps from the phishing ones."