Specialists at C/Side have uncovered a new malicious campaign that uses JavaScript injection to covertly redirect mobile users to fake sites containing pornographic content disguised as progressive web applications (PWAs). These fake resources mimic the functionality of native mobile applications and are used as a lure to disseminate fraudulent content.
The attack specifically targets mobile devices, including smartphones and tablets running Android, iOS, and iPadOS. When an infected site is accessed from a desktop, the harmful activity remains dormant. This strategy enables the attackers to circumvent analysis systems and filtering mechanisms that are predominantly tailored for desktop browsers.
The attack involves injecting malicious JavaScript code into third-party scripts on legitimate websites. Upon visiting an infected site from a mobile device, the code triggers a redirection to an intermediary page that appears to prompt the user to install a mobile application for viewing adult content. Subsequently, the victim is directed to a fake application store offering a bogus Android or iOS application, which is actually a malicious PWA service.
Utilizing the PWA format enables cybercriminals to achieve multiple objectives, such as enhancing the interface’s credibility, prolonging the user’s interaction with the deceptive resource, and evading browser-based restrictions and security measures. Moreover, PWAs can be cached and perceived as “installed” applications, further enhancing the camouflage effect.
According to C/Side analysts, the use of PWAs in such attacks suggests a shift towards more sophisticated phishing methods as attackers seek more reliable ways to collect personal data and coerce users into installing malware. The emphasis on the mobile audience enables attackers to bypass desktop-focused detection mechanisms and reduces the likelihood of detection during automated site scans.
This campaign’s distinct focus on mobile users allows attackers to exploit popular websites with significant mobile traffic by embedding malicious code within third-party scripts, rendering detection challenging. While the current objective is to promote fake adult applications and boost the installation of malicious software, the underlying potential extends to a broader range of malicious activities, including espionage and banking phishing.
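Because the redirect fires only on mobile devices, a scan performed with a desktop browser profile sees nothing. The following added example (not C/Side's tooling and not code from the campaign) runs a script under stubbed desktop and mobile profiles and reports scripts that navigate only under a mobile profile. The sample scripts, User-Agent strings and `.invalid` URLs are constructed, and gating on the User-Agent string is an assumption, since the report does not say how the injected code detects mobile devices.

```javascript
// Constructed sample scripts; real third-party code would be fetched and stored first.
const SAMPLES = {
  "benign.js": "var n = navigator.userAgent.length; document.title = 'ok';",
  "gated.js": "if (/Android|iPhone|iPad/i.test(navigator.userAgent)) { location.href = 'https://redirect.example.invalid/'; }",
};

// Sample User-Agent strings used as scan profiles (constructed for this example).
const PROFILES = {
  desktop: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
  android: "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36",
  iphone: "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
};

// Run src against stubbed browser objects and return every navigation it attempts.
// new Function is not a sandbox: analyse untrusted scripts only on an isolated host.
function observe(src, userAgent) {
  const navigations = [];
  const record = (u) => navigations.push(String(u));
  const location = { assign: record, replace: record };
  Object.defineProperty(location, "href", { get: () => "https://site.example.invalid/", set: record });
  const navigator = { userAgent };
  const document = { title: "" };
  const window = { navigator, document };
  for (const host of [window, document]) {
    Object.defineProperty(host, "location", { get: () => location, set: record });
  }
  try {
    new Function("navigator", "location", "document", "window", src)(navigator, location, document, window);
  } catch (err) {
    // The stubs are incomplete; keep whatever was recorded before the script failed.
  }
  return navigations;
}

// Flag scripts that stay silent under the desktop profile but navigate under a mobile one.
function audit(samples) {
  const findings = [];
  for (const [script, src] of Object.entries(samples)) {
    const seen = {};
    for (const [profile, ua] of Object.entries(PROFILES)) seen[profile] = observe(src, ua);
    const profiles = Object.keys(seen).filter((p) => p !== "desktop" && seen[p].length > 0);
    if (seen.desktop.length === 0 && profiles.length > 0) {
      findings.push({ script, profiles, targets: [...new Set(profiles.flatMap((p) => seen[p]))] });
    }
  }
  return findings;
}

console.log(JSON.stringify(audit(SAMPLES), null, 2));
```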