PhishinWebView: Analysis of Anti-Phishing Entities in Mobile Apps with WebView Targeted Phishing

Despite the relentless efforts on developing anti-phishing techniques, phishing attacks continue to proliferate, often incorporating evasion techniques to bypass detection. While recent studies have continuously enhanced our understanding of their evasion techniques in desktop environments, few studies have been conducted to explore how the phishing attack is being handled in mobile environments, specifically WebView. In this study, we systematically evaluate the blocking processes of anti-phishing entities in individual apps in the real world by designing the phishing attack tailored to WebView. Specifically, we select eight well-known apps using WebView, and report 80 typical phishing sites (without evasion techniques) and 130 user-agent-specific phishing sites (accessible exclusively via each app's WebView). For scalable analysis, we develop an autonomous evaluation framework and investigate accessibility of both apps and Safe Browsing entities. As a result, we find that user-agent-specific (UA-specific) phishing sites successfully evade blocking across all of the eight Android apps. We also investigate accessing strategies of anti-phishing crawlers of both the apps and Safe Browsing entities; and find that only two apps' crawlers can access UA-specific phishing sites without any subsequent actions such as blocking the link. Based on our experiment results, we present security recommendations to take proactive phishing cautions using link preview bots. To the best of our knowledge, this is the first study that explores how the WebView environments handle phishing attacks and disclose their limitation in the real world.