As Google prepares to introduce new developer requirements to make the Play Store safer from malware, hackers have turned to Android's WebAPK technology to trick unsuspecting users into installing malicious apps.
Usually, hackers have to trick users into sideloading APK (Android Package Kit) files in order to infect even the best Android phones with malware. However, this new trick is even easier to execute because it does not require Android users to sideload malicious apps.
As reported by The Hacker News, security researchers from the Computer Security Incident Response Team (CSIRT KNF) of the Polish Financial Supervisory Agency have discovered a new campaign in which cybercriminals send bank customers text messages telling them that they need to update their mobile banking apps.
This call to action message also includes a link to the update. However, rather than directing users to the Play Store or other official Android app stores to update the app in question, the link leverages WebAPK technology to install the malicious app on their smartphones.
Similar to side-loading apps, WebAPK allows Android users to install progressive web apps (PWAs) on their smartphone home screens without going through the Play Store.
Google explains in its own documentation that "when a user installs a PWA from Google Chrome and the WebAPK is used, the minting server 'mints' (packages) and signs the APK for the PWA."
This process takes time, but once complete, the smartphone browser silently installs the app in question on the user's device without any security settings having to be disabled, because a trusted provider such as Google or Samsung has already signed the APK.
In a campaign observed by CSIRT KNF, fake banking apps installed by exploiting WebAPK technology prompt users to enter credentials and two-factor authentication (2FA) tokens, allowing hackers to completely drain their bank accounts.
Unlike other malicious apps, WebAPK apps have different package names and checksums for each device they are installed on, making it particularly difficult for security researchers to track down apps distributed this way.
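The tracking problem described above, shown as an added example that is not from the article or from CSIRT KNF: a hash indicator taken from one device misses the same fake app on another, while grouping installs by the PWA's origin finds both. The inventory rows, domains and hashes are constructed, the `org.chromium.webapk.` prefix (used by Chrome-minted WebAPKs) is not stated on this page, and it is an assumption that fleet tooling has already recorded each WebAPK's start URL.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Package prefix of Chrome-minted WebAPKs; other browsers' minting servers differ.
WEBAPK_PREFIX = "org.chromium.webapk."

# Constructed inventory rows: (device, package, apk_sha256, start_url).
# Assumption: start_url was read from each WebAPK's manifest by fleet tooling.
INVENTORY = [
    ("dev-01", "org.chromium.webapk.a000000000000001", "11" * 32,
     "https://bank-update.example/app/"),
    ("dev-02", "org.chromium.webapk.b000000000000002", "22" * 32,
     "https://Bank-Update.example/app/login"),
    ("dev-03", "org.chromium.webapk.c000000000000003", "33" * 32,
     "https://news.example/"),
    ("dev-03", "com.example.notes", "44" * 32, ""),
]

def origin(url):
    """Normalise a start URL to scheme://host[:port] (host lower-cased)."""
    parts = urlsplit(url)
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme.lower()}://{(parts.hostname or '').lower()}{port}"

def devices_matching_hash(rows, bad_hashes):
    """Classic checksum IOC match: only finds byte-identical APKs."""
    return sorted({dev for dev, _pkg, sha, _url in rows if sha in bad_hashes})

def webapks_by_origin(rows):
    """Group WebAPK installs by PWA origin, which stays the same on every device."""
    groups = defaultdict(list)
    for dev, pkg, sha, url in rows:
        if pkg.startswith(WEBAPK_PREFIX) and url:
            groups[origin(url)].append((dev, pkg, sha))
    return dict(groups)

def devices_matching_origin(rows, bad_origins):
    """Origin-based match: independent of per-device package name and checksum."""
    groups = webapks_by_origin(rows)
    return sorted({dev for o in bad_origins for dev, _p, _s in groups.get(o, [])})

if __name__ == "__main__":
    print("hash IOC hits:  ", devices_matching_hash(INVENTORY, {"11" * 32}))
    print("origin IOC hits:",
          devices_matching_origin(INVENTORY, {"https://bank-update.example"}))
```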
To avoid falling victim to malware from malicious apps, one must be especially careful when installing new apps or updating existing ones.
First, do not side-load apps and only install apps from official app stores such as the Google Play Store, Amazon App Store, or Samsung Galaxy Store. Sideloading apps may be convenient, but APK files are not subject to the same security checks as apps downloaded from official Android app stores, so there is no way to tell if a file is malicious.
To protect yourself from malicious apps distributed via WebAPK, you should avoid clicking on links from suspicious messages or pop-ups that tell you that you need to update a particular app. Fake updates are commonly used by hackers to distribute malware, and many people fall for this because of their emotions.
To protect yourself from malicious apps and malware, you should make sure Google Play Protect is enabled. This free antivirus app ships with most Android phones and scans both new and existing apps for malware. However, for further protection, you should also consider using one of the best Android antivirus apps along with Google Play Protect.
While the above campaign is currently being used to impersonate the Polish bank PKO Bank Polski, other hackers could use the same trick to impersonate banks in the US, UK, and around the world. For this reason, we must remain vigilant and avoid clicking on links in messages from unknown senders trying to get us to install updates.