Cybersecurity researchers have discovered a new campaign that employs malicious JavaScript injection to redirect site visitors on mobile devices to Chinese Adult Content Progressive Web App (PWA) scams.
“The payload itself isn’t new (and yet another adult gambling scam), but the delivery method stands out,” C/Side researcher Himanshu Anand said in an analysis Tuesday.
“Malicious landing pages are full-fledged progressive web apps (PWAs), which are likely aimed at keeping users longer and bypassing basic browser protection.”
This campaign is designed to explicitly exclude desktop users, focusing primarily on mobile users. This activity is described as a client-side attack that uses third-party JavaScript and triggers only on mobile devices.
The use of PWA, a type of application built using web technology that provides a user experience similar to that of native apps built for a particular platform such as Windows, Linux, MacOS, Android, or iOS, is considered an attempt to avoid security protections.
Attacks involve injecting a website with JavaScript code that acts as a loader to trigger a redirect when a site is accessed from a device running on Android, iOS, iPads, etc.
Redirect is designed to direct users to adult content websites or other intermediary redirect page ad apps to display adult content. This page then takes the victim to a fake App Store list for Android and iOS apps in question.
“The use of PWA suggests that attackers are experimenting with more persistent phishing methods,” Anand said. “Mobile-only focus allows us to avoid many detection mechanisms.”
