A new attack method of accessing people’s banking accounts has emerged overseas and could make its way to the US. This method is called PWA or Progressive Web Application.  PWAs are disguised as legitimate banking apps but allows the attacker to steal usernames and passwords.

 Victims would be called with an alert that their banking app was out of date and requested input as to which banking app they used. Once selected, an SMS text message was sent to the victim instructing them to click the link to install the latest update, but the PWA was installed instead. There would be no browser warning of “installing unknown apps” displayed to the user since the SMS delivered a WebAPK download directly to the device.

 The best way to prevent these types of attacks is to only install apps from trusted sources, such as the Google Play Store or the iOS App Store.  Never click or tap a link from someone you do not know or from a number you do not recognize.