Protecting Yourself from Malicious Web Apps: What You Need to Know

Panda Security, Sep 20, 2024, 3 min read

Progressive Web Apps (PWAs) are a great way to use apps through your browser without having to download them. Using common web development techniques, it is possible to create an app that works on Android and iPhone – and which doesn’t have to be downloaded from an official app store. For that reason, we want to talk about how you can protect yourself from malicious web apps.

However, recent research has found that some hackers are exploiting weaknesses in how iOS and Android handle these apps. These flaws allow malicious PWAs to bypass security measures. Google and Apple enforce strict rules for apps downloaded through their app stores, but these security measures don’t fully cover web-based apps. As a result, hackers have developed techniques that allow PWAs to gain access to your phone’s data and functions without proper authorization.

How Do Malicious Progressive Web Apps Work?

PWAs are designed to act like native apps but run over the internet, a bit like website functionality packaged as an app. This means they don’t need to be installed from an app store, so they aren’t subjected to the app stores’ security checks.

Hackers can create a PWA that looks legitimate but is designed to exploit loopholes in how your phone manages web-based applications. A malicious PWA can be written to access personal data or even download and install additional malware onto your device.

Please note that not all PWAs are dangerous. But it is important to be aware of the differences between apps from the store and web-based alternatives, and of the potential risks associated with PWAs.

How does the trick work?

To access your most valuable, most sensitive data, hackers must trick their victims into installing PWAs that look official. Security researchers have discovered a scam where victims are being tricked into installing PWAs that look like official banking apps.

Hackers are using phishing websites and banner ads that look exactly like the Google Play store to fool users into downloading apps from unofficial sources. Once installed, these PWAs steal login details for the victim’s bank accounts, giving criminals access to the contents of those accounts.

How to Stay Safe

PWAs are not inherently bad, but there are risks you need to be aware of. Here are some tips for staying safe when using PWAs:

Stick to Trusted Sources

Only use PWAs from trusted websites and companies. Avoid unknown sites and suspicious banner ads offering PWAs, especially those that ask for too many permissions during installation.

Regularly Update Your Phone

Keep your phone’s operating system and browser up-to-date. Both Google and Apple regularly release updates that patch security vulnerabilities, including those exploited by malicious PWAs.

Limit Permissions

Pay attention when a web app asks for excessive permissions, like access to your contacts, location, or camera. Does your banking app really need access to the address book? If you’re unsure, deny permission.

Use a Mobile Malware Scanning App

Consider installing a reputable security app like Panda Dome which can scan PWAs to detect and fix security issues and malware infections.

Conclusion

PWAs are a useful alternative to regular apps. However, as hackers find new ways to exploit these systems, it’s crucial to be aware of the risks involved. The tips we have outlined here will allow you to enjoy the convenience of PWAs without putting your device – and personal data – at risk.