Trend Report on Malicious Apps and Distribution Tools

1. Overview

As the number of smartphones equipped with Android OS increases, various apps are being released for user convenience.

Most released apps are built with traditional development methods, but for those who find app development difficult, various tools have been released that assist in implementing the UI and functions.

Sketchware is a mobile application that allows you to create apps on your smartphone without complex coding. It provides users with a simple drag-and-drop interface for building their own apps. However, attackers have taken advantage of this same interface to develop malicious apps.

In general, to spread malicious apps, threat actors lure victims to pre-made phishing sites and induce them to install malicious apps through social engineering channels such as SMS or social media.

However, thanks to improved malware detection in anti-virus (AV) products and greater security awareness among smartphone users, the number of cases that reach actual installation on the device is decreasing.

Even if the attacker distributes a malicious app through various vectors such as the Google Play Store, third-party app stores and websites, an alert pops up when the victim downloads and installs the app on their device, so the attack does not reach the stage the attacker wants, which is device infection. Because of this, malicious app distributors try to induce victims to ignore the alert and allow app installation from unknown sources, but this is not easy either.

Attackers have been found using WebAPKs, which are built on Progressive Web Apps (PWA), to link to phishing sites or malicious app distribution sites.

The following introduces Sketchware Pro, which allows users to easily create apps, and the types of malicious apps created with it. It also describes WebAPK, which Google developed to address the shortcomings of existing PWAs, how it is used to distribute malicious apps, and the methods used to induce access to phishing sites.

2. App Development Tool

2.1. Sketchware

Sketchware is a tool developed by the startup BESOME. It is a smartphone app that helps users develop apps easily by dragging and dropping block-type function components, similar to Scratch, and build them as APK files that can be installed on Android devices.

Figure 1. Running Sketchware app

2.2. Sketchware Pro

After the Sketchware developers stopped updating Sketchware due to management issues and the development of other services, several developers released Sketchware Pro as open source, which allows users to create apps in the same way as Sketchware.

Sketchware Pro also states that it can develop and distribute apps as easily and quickly as its predecessor.

Figure 2. Sketchware Pro official website

Figure 3. Running Sketchware Pro

3. App Development Tool

3.1. PWA

PWA is short for Progressive Web App: a web app that provides native app-like functions on mobile devices.

With a PWA, users can use the app through a web browser without having to install or update it separately.

The key characteristics of web applications created with PWA are as follows:

   1. Installable & Auto Update

   2. Offline Support

   3. Responsive Design

   4. Fast Performance

   5. Push Notifications

3.2. WebAPK

WebAPK is a feature developed by Google to address the limitations of Progressive Web Apps (PWAs) that operate based on browsers.

When a user adds a PWA to their home screen using Google Chrome, Chrome generates a native APK form of the PWA. This WebAPK is then registered with the Android launcher, allowing it to run like an independent app even though it still loads the PWA's web content.

The key characteristics of apps created with WebAPK are as follows:

   1. Installable as Native APK

   2. Browser Independence

   3. Low Storage Requirements
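To make the WebAPK path concrete, here is an added Python example (not code from this report or from Google): it parses a constructed web app manifest, checks the manifest-side criteria Chrome uses before offering to install a PWA and generate a WebAPK, and reports the origin the resulting "app" will open, so a defender can see at a glance where a WebAPK-wrapped page actually points. The sample manifest, its URLs and the field checks are assumptions for illustration; Chrome's page-side requirements (a secure context, service worker handling) are not checked here.

```python
"""Manifest-side WebAPK installability check plus triage of the start origin."""
import json
from urllib.parse import urljoin, urlparse

# Constructed sample manifest (not taken from the report): the name mimics a
# bank, but start_url opens an origin other than the host serving the manifest.
SAMPLE_MANIFEST = json.dumps({
    "name": "Mobile Banking",
    "short_name": "Bank",
    "start_url": "https://login.example-phish.test/app/",
    "display": "standalone",
    "icons": [{"src": "/icon-192.png", "sizes": "192x192", "type": "image/png"},
              {"src": "/icon-512.png", "sizes": "512x512", "type": "image/png"}],
})
SAMPLE_MANIFEST_URL = "https://cdn.example-host.test/manifest.json"

# Display modes that make Chrome treat the PWA as an installable app.
INSTALL_DISPLAY_MODES = {"standalone", "fullscreen", "minimal-ui"}


def _max_icon_px(icons):
    """Largest square-equivalent icon size declared in the manifest (0 if none)."""
    best = 0
    for icon in icons:
        for size in icon.get("sizes", "").split():
            try:
                w, h = (int(n) for n in size.lower().split("x"))
            except ValueError:
                continue  # ignore malformed entries such as "any"
            best = max(best, min(w, h))
    return best


def assess_manifest(manifest_text, manifest_url):
    """Return which installability criteria pass and the origin the WebAPK opens."""
    m = json.loads(manifest_text)
    start_url = urljoin(manifest_url, m.get("start_url", "."))
    start, served = urlparse(start_url), urlparse(manifest_url)
    criteria = {
        "has_name": bool(m.get("name") or m.get("short_name")),
        "has_start_url": "start_url" in m,
        "https_start_url": start.scheme == "https",
        "app_like_display": m.get("display") in INSTALL_DISPLAY_MODES,
        "icon_192_or_larger": _max_icon_px(m.get("icons", [])) >= 192,
    }
    return {
        "installable": all(criteria.values()),
        "criteria": criteria,
        "displayed_name": m.get("name") or m.get("short_name"),
        "start_url": start_url,
        # The launcher shows displayed_name like a native app, but the WebAPK
        # opens start_url; a different origin from the manifest host is a flag.
        "cross_origin_start": (start.scheme, start.netloc) != (served.scheme, served.netloc),
    }


if __name__ == "__main__":
    print(json.dumps(assess_manifest(SAMPLE_MANIFEST, SAMPLE_MANIFEST_URL), indent=2))
```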

3.3. Sketchware APK Malicious Apps

Malicious app creators often exploit the ease of use of Sketchware Pro to develop apps that perform simple malicious actions.

The types of malicious apps created using Sketchware Pro are as follows:

   1. File Deletion (SDcard, Sys)

   2. RAT (Remote Access Trojan)

   3. Game System Manipulation

   4. Unnecessary Apps

4. Prediction of Malicious App Evolution and Distribution Strategies

This section introduces the potential evolution of malicious apps created using Sketchware Pro and methods for distributing them using WebAPK.

4.1. Malicious Apps Created with Sketchware Pro

Sketchware Pro allows even those without app development experience to easily design UIs and implement functions.

While advanced malicious behaviors are hard to implement with this non-traditional development approach, Sketchware Pro provides a project export feature that allows development to continue in Android Studio. Therefore, these apps are expected to evolve to resemble the types of malicious apps currently in circulation.

4.2. Distribution Methods Using WebAPK

To date, there have been no reported cases in South Korea of using WebAPK to access phishing sites or distribute malicious apps. However, there have been instances overseas where PWAs and WebAPK were used to target specific banks.

Most smartphone users are reluctant to install apps. Using WebAPK for an attack therefore involves two steps: first, installing a WebAPK that directs the user to a phishing site or malicious app distribution site, and second, installing the actual app that performs the malicious activity. This two-step process is cumbersome, which is why it is not commonly used.

However, as detection of scam messages and malicious apps becomes more sophisticated, distributors may adopt various techniques to evade it. Among these, it is anticipated that they may combine WebAPK with social engineering to induce the installation of malicious apps or access to phishing sites.

MD5

2322d85ff13fcca817447922f0706dbb
430995dd2ec25c831574fa9edb5dee2d
bc3ec9591db86ba73342013a5d2a0ff8
be734e9be6d6a3a1a022c071812cb5c2