In today’s tech-savvy world, mobile banking offers unmatched convenience and accessibility, but it also carries a number of risks. One of the most serious is fraudulent banking apps designed specifically to steal your sensitive information. Cybercriminals are increasingly using Progressive Web Applications (PWAs) to impersonate legitimate banking apps, making it difficult for users to tell the real app from a fake. PWAs are web-based applications that provide a native app-like experience across platforms, which is exactly what makes them a prime target for misuse by cybercriminals.
How Cybercriminals Are Exploiting PWAs
Bypassing App Store Security: PWAs can be installed directly from a browser, bypassing the stringent security checks of official app stores like Google Play or Apple’s App Store. This allows malicious apps to reach users without detection.
Impersonating Legitimate Apps: Cybercriminals create PWAs that closely resemble authentic banking apps, complete with official logos and realistic user interfaces. Once installed, these fake apps are almost indistinguishable from the real ones, making them harder to spot.
Evading Detection: Unlike traditional apps, PWAs don’t trigger common installation prompts, such as “install from unknown sources,” reducing user suspicion. These apps are typically less likely to be flagged by security software.
Dynamic Updates: Attackers can modify PWAs after they’re installed, changing their behaviour or appearance without user interaction. This capability allows cybercriminals to refine their phishing tactics over time.
Why This Is Dangerous
Broader Attack Reach: PWAs work across multiple devices and platforms, enabling attackers to target a wide audience with just a single campaign.
Stealthy Access to Device Features: PWAs can access sensitive device features like geolocation, camera, and microphone via browser APIs without triggering mobile OS permission prompts, making it easier for attackers to gather personal information.
Harder to Detect: The ability of PWAs to mimic native apps while avoiding traditional security warnings makes them particularly dangerous for both users and security systems.
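As an added illustration (not part of the original article), the Python below shows the kind of check a bank’s brand-protection or security team can run against the web app manifest of a suspected lookalike PWA: it flags bank branding served from an unknown origin, a start_url or scope that resolves off the bank’s own domains, icons hot-linked from the genuine site, and a display mode that hides the browser address bar. The bank name, domains and manifest are constructed for the example.

```python
"""Flag a web app manifest that carries a bank's branding but is served from an origin the
bank does not own. Added illustration, not the article's code; all names below are constructed."""
from urllib.parse import urljoin, urlparse

# Constructed allowlist: brand keyword -> origins the bank legitimately serves its PWA from.
KNOWN_BANKS = {
    "examplebank": {"https://www.examplebank.example", "https://app.examplebank.example"},
}


def origin_of(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def claimed_brand(manifest):
    # The brand a manifest's name/short_name invoke, or None if it is not a bank we monitor.
    text = (manifest.get("name", "") + manifest.get("short_name", "")).lower().replace(" ", "")
    return next((b for b in KNOWN_BANKS if b in text), None)


def analyse_manifest(manifest_url, manifest):
    """Return impersonation indicators; an empty list means nothing suspicious."""
    findings = []
    brand = claimed_brand(manifest)
    if brand is None:
        return findings
    allowed = KNOWN_BANKS[brand]
    host = origin_of(manifest_url)
    if host not in allowed:
        findings.append(f"'{brand}' branding served from unknown origin {host}")
    # start_url and scope are resolved relative to the manifest URL, as browsers do.
    for key in ("start_url", "scope"):
        if key in manifest:
            target = origin_of(urljoin(manifest_url, manifest[key]))
            if target not in allowed:
                findings.append(f"{key} resolves to {target}, not a {brand} origin")
    # Icons hot-linked from the genuine bank while the app lives elsewhere is a copy-paste tell.
    for icon in manifest.get("icons", []):
        if origin_of(urljoin(manifest_url, icon.get("src", ""))) in allowed and host not in allowed:
            findings.append(f"icon {icon.get('src')} hot-linked from the genuine bank domain")
    # standalone/fullscreen hide the address bar, so the user never sees the odd origin.
    if findings and manifest.get("display") in ("standalone", "fullscreen"):
        findings.append("display mode hides the browser address bar")
    return findings


# Constructed sample: a lookalike PWA on a typosquat domain whose start_url points back at itself.
FAKE_MANIFEST_URL = "https://examplebank-secure.example/manifest.json"
FAKE_MANIFEST = {
    "name": "Example Bank Mobile", "short_name": "ExampleBank", "start_url": "/login",
    "display": "standalone", "icons": [{"src": "https://www.examplebank.example/icons/192.png"}],
}
```

Running `analyse_manifest(FAKE_MANIFEST_URL, FAKE_MANIFEST)` on the constructed sample yields four findings, while the same manifest served from an allowlisted origin yields none.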
6 Tips to Identify a Fraudulent Banking App
1. Download Only from Official App Stores
The best way to ensure you’re downloading a legitimate banking app is by using official app stores like Google Play or the Apple App Store. These platforms implement security checks to prevent the distribution of malicious apps. Avoid downloading apps from third-party websites or through links sent via email or SMS, as these are common methods used by cybercriminals to spread fake apps. Always verify the developer’s name to ensure it matches the bank’s official name or its authorised mobile app partner.
2. Be Cautious of Installation Prompts from Unsolicited Messages
Cybercriminals often use phishing tactics to send unsolicited messages urging you to install or update your banking app. These messages may claim your current app is outdated and prompt you to download a “secure” version via a provided link. Such links often lead to fraudulent websites hosting fake apps. Never install apps through links in unsolicited messages. Instead, visit your bank’s official website to find the correct app store link.
3. Check App Permissions Carefully
Legitimate banking apps typically request access only to essential features like your camera for check deposits or your location to find nearby cashpoints. If an app requests access to unrelated features like contacts, text messages, or storage without an apparent reason, it could be a sign of a malicious app. Review app permissions before installation. If something seems unnecessary or suspicious, don’t proceed.
4. Analyse User Reviews and Ratings
User reviews and ratings can provide valuable insights into the legitimacy of a banking app. While some reviews may be manipulated, they can still reveal clues about potential issues. Look for complaints about suspicious activity, such as unexpected pop-ups or requests for full passwords. Check the app’s rating and read recent reviews for any red flags.
5. Inspect the App’s Interface and Branding
Fraudulent apps may closely mimic the design of legitimate ones, but subtle differences often exist in logos, colour schemes, or design elements. Legitimate banking apps are professionally designed with consistent branding. If an app’s interface feels unpolished or contains grammatical errors, it is likely a fake. Compare the app’s design with screenshots on the bank’s official website or with the legitimate app if you’ve seen it before.
6. Monitor App Behaviour After Installation
Once an app is installed, be vigilant for any unusual behaviour. Fake apps may prompt you to enter more personal information than usual, redirect you to strange websites, or generate unexpected pop-ups. Legitimate banking apps protect your information and won’t request sensitive data without a clear, legitimate reason. If you notice any strange behaviour, uninstall the app immediately and report the issue to your bank. Be sure to monitor your account for any unauthorised transactions.
Stay Informed and Vigilant
The misuse of PWAs for phishing is an emerging and potentially widespread threat. As cybercriminal tactics evolve, it’s crucial to stay informed about the latest risks and be cautious when downloading and installing apps.
By following these six strategies, you can significantly reduce the risk of falling victim to a fraudulent banking app. For more tips on staying safe online, visit reputable cyber security resources like the National Cyber Security Centre (NCSC) or the Cybersecurity and Infrastructure Security Agency (CISA).