People are being tricked into installing malicious PWAs, apps that will steal their passwords.
Understanding PWAs
Progressive Web Apps (PWAs) are designed to look and function like any other app you might download from the Apple App Store or Google Play Store. However, they differ in their construction. Essentially, a PWA is a website that has been packaged to behave like a normal app. Many people unknowingly have PWAs installed on their devices.
Popular Examples of PWAs
- Starbucks
- Uber
- Spotify
The Potential Risk of PWAs
While PWAs are legitimate and widely used by reputable companies, their structure allows them to be exploited by cybercriminals.
How Hackers Exploit PWAs
A common tactic used by hackers involves sending a text message or email that appears to be from your bank. The message claims that your current banking app is obsolete and prompts you to install a new version from a provided link. The page behind the link looks like an app store, and because you trust that Apple and Google rigorously screen apps in their stores for malware, you may feel safe and proceed to download and install the app.
Once installed, the app will ask for your login credentials. After entering your information, the app may display a message such as “All servers are busy right now, please try later.” But you have just unknowingly sent your banking credentials to a hacker.
How PWAs Bypass Phone Security
Apple and Android devices have security measures that restrict where apps can be installed from. While they both allow third-party apps, explicit permission must be given.
However, because PWAs are essentially websites disguised as apps, your phone may not recognize them as traditional apps, allowing them to be installed from any source. The “App Store” you visited could be entirely fake, along with the app itself, making it easy for hackers to steal your information.
Protecting Yourself
- Be Skeptical of Installation Requests: Never trust a text or email asking you to install anything, even if it appears legitimate. If you believe the message might be authentic, manually check your phone’s app store for updates.
- Enable 2-Factor Authentication (2FA): Also known as Multi-Factor Authentication (MFA), 2FA adds an additional layer of security by requiring you to verify your identity through another method, typically via text message. More information on 2FA can be found here.
These precautions offer substantial protection, but remain vigilant. Even 2FA can be bypassed if you’re not careful. Learn more about potential 2FA vulnerabilities here.
In Conclusion
Progressive Web Apps (PWAs) are a legitimate way for companies to distribute apps, and you may already have several on your device. However, the same structure that makes them convenient can also be exploited by hackers. To protect yourself, be cautious about installing apps from unsolicited messages and always use 2FA on sensitive accounts.
As always, if you have a question about this or any other post, please leave a comment below, or you can email me at larry@thetechboomer.com.