What are WebView mobile apps and how do they work?
WebView apps are web apps packaged to look and behave like native mobile apps, but their screens are actually rendered by a browser engine embedded in the app (the platform's WebView component) on the user's device. That makes them a hidden attack vector, especially for credential theft in WebView banking apps.
A WebView mobile app is often confused with a Progressive Web Application (PWA); the two are related but not the same. A WebView app ships as a native app that embeds a browser engine, while a PWA is a website that the browser itself installs on the home screen, using a web app manifest and a service worker.
Both are used primarily to simplify cross-platform support: instead of building essentially the same functionality on several front-end stacks, it is built once for the web. They are also lighter to run and to update.
Why are banking apps a major target for credentials theft?
Bank apps built as WebViews are an easy target because they give direct access to money. Once a session is hijacked (or the credentials are stolen), attackers can move fast: the path from the attack to the money is much shorter than with other types of attacks.
What are the 2 types of credential theft on banking PWAs?
There are 2 ways credential theft on banking WebView apps happens. In both cases, attackers take advantage of the browser-based infrastructure that WebViews (and PWAs) are built on: either by injecting malicious scripts into real banking apps (= client-side attacks), or by creating fake banking apps (= phishing).
Client-side attacks on real WebViews
Since a WebView runs a browser engine on the phone, it gets the benefits and the downsides of the browser, including browser attacks. This browser environment is also called the user's "client", hence the name client-side attacks.
The foremost type of client-side attack is the web supply chain attack. This is where a 3rd-party tool running in the browser environment (think marketing tools, tracking pixels, ...) is breached. The attackers then change or extend the script's functionality to intercept traffic, copy submitted form fields (login credentials, card numbers), and carry out all manner of other attacks.
All of these client-side attacks work just as well on WebViews: the same third-party script is loaded into the same web page, it is just rendered inside the app instead of in a standalone browser.
Fake WebViews used in phishing attacks
What's better than trying to compromise a real banking app? Building a fake one. Here attackers create copies of banking WebViews with minimal functionality. Then, in phishing campaigns, they socially engineer users into installing those malicious apps. As soon as a user logs in, the attackers have captured the credentials, and often the 2FA code as well.
Examples of credential theft on banking WebViews
OTP Bank (2023)
At the end of 2023, a phishing attack successfully targeted customers of OTP Bank (Hungary). The victims received an SMS with a link to a fake website mimicking OTP Bank. The page urged users to install an app, a WebView in this case.
As soon as the users tried to log in, the attackers had their credentials and 2FA codes.
TBC Bank (2023-2024)
TBC Bank in Georgia was attacked from late 2023 into 2024. This time, users were targeted through voice calls and social media ads. Here too, a landing page with a fake PWA install prompt pushed users to install the malicious app. All entered credentials were captured and used by the attackers.
Read about both the OTP Bank and TBC Bank attacks here.
British Airways (2018)
In the most notorious client-side attack to date, the mobile app was also involved. 429,612 customers and staff were affected, most of whom had their payment card details stolen. The BA app was also a WebView: it lacked a service worker (and installable manifest), so it wasn't installable or offline-capable like a full PWA, but for all intents and purposes it was a WebView loading the same web content, so the script injected into the website ran inside the app as well.
We wrote the full story on the baways microsite.