Insight: Phishing with Progressive Web Apps

Attackers are quick to adopt any technology that gives them an edge, and Progressive Web Apps (PWAs) are a recent example. Globally, we are increasingly seeing PWAs used as part of phishing kits to steal credentials and other user information.

What are Progressive Web Apps?


PWAs are websites that can be installed like regular apps but still run inside the browser. A site that provides a web app manifest (and, in most browsers, a service worker served over HTTPS) can be installed from an icon in the address bar on desktop or from the browser's share or menu options on mobile. Once installed, an icon is added to the home screen or app list, but opening it does not launch a separate program: the site opens in a dedicated browser window with the address bar and other standard browser controls hidden.

PWAs are light and often load faster than the full website because a service worker caches resources on the device, and it takes fewer clicks to open one from the home screen or taskbar than to open a browser window and type in the address. They are also common. Blogging sites, dating apps, maps and ride-sharing services, news portals, e-commerce sites, music apps and games use them to allow for easy browsing and a more app-like experience. Many support push notifications and can work offline, and PWAs of file-sharing services can sync files between your device and the server while working in the background.

While progressive web apps have advantages for users and developers, the same features make them a handy tool for phishing kits.

Malicious PWAs

Attackers can use the PWA mechanism to present a login prompt under a name and icon of their choosing, because both come from a manifest the attacker controls. Because the installed app runs in a window with the browser's standard controls hidden, the page can draw its own fake address bar showing the legitimate site's URL, and the user has no genuine address bar to compare it against. This makes it hard to tell whether the prompt is legitimate.

Graphic of a login form asking for email and password

If you try to log in at this point, you are not taken anywhere, and the credentials you entered are captured by the phishing kit. The attacker can then use them to log into your real account and try the same password on other websites you use.
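To show where the name, icon and hidden browser controls described above actually come from, here is a minimal web app manifest. This is an added illustration, not code from the original article or from any phishing kit; the name, paths and colours are hypothetical. Every value in it is chosen by whoever operates the site, so a site on an unrelated domain can declare any brand name and a copied logo, and the browser will show exactly those on the install prompt and the home screen.

```json
{
  "name": "Example Bank",
  "short_name": "Bank",
  "start_url": "/login",
  "scope": "/",
  "display": "standalone",
  "background_color": "#ffffff",
  "theme_color": "#004b8d",
  "icons": [
    { "src": "/icons/bank-192.png", "sizes": "192x192", "type": "image/png" },
    { "src": "/icons/bank-512.png", "sizes": "512x512", "type": "image/png" }
  ]
}
```

The security-relevant field is "display": "standalone". With it, the installed app opens in a window without the browser's address bar, which is what lets the page draw a fake one in HTML. Nothing in the manifest proves identity; the only trustworthy indicator is the real origin the manifest was served from, which the browser shows in its genuine address bar before installation and in the installed app window's menu afterwards.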

Watch out for malicious PWAs

To avoid falling for malicious PWAs, only install them from websites you trust and regularly visit, and check the real address bar in the browser before accepting an install prompt, rather than the name or logo the prompt shows. If you are already inside an installed app and unsure where you are, use the app window's menu to open the page in your normal browser (Chrome and other Chromium-based browsers offer this) so the real address bar is visible. A password manager that does not offer your saved credentials for a site is another warning sign, because autofill is tied to the site's real address, not to what the page displays.

Just like regular apps, PWAs may request permissions, and some requests will make no sense for what the app claims to be. If a PWA wants access to your microphone or your photo gallery, for example, you can always choose not to proceed; the permission prompt comes from the browser, and the app cannot gain that access without your approval.