Full Report
1. Overview As the number of smartphones equipped with Android OS increases, various apps are being released for user convenience. Most released apps are created using traditional app development methods, but for those who find app development difficult, various tools are being released to assist in implementing UI and functions. Sketchware is a mobile application […] The post Trend Report on Malicious Apps and Distribution Tools appeared first on ASEC.
Analysis Summary
# Tool/Technique: Sketchware / Sketchware Pro
## Overview
Sketchware (and its open-source successor, Sketchware Pro) is a mobile application development tool that allows users to create Android applications using a simplified drag-and-drop, block-type function similar to Scratch, without complex coding. Attackers exploit this ease of use to develop and deploy various types of malicious Android applications.
## Technical Details
- Type: App Development Tool (Used for Malware Creation)
- Platform: Android
- Capabilities: Allows creation of APK files, provides project extraction for further development in environments like Android Studio, facilitates implementation of basic UI and functions.
- First Seen: Not explicitly detailed, but its use in malicious app development is the focus of the context.
## MITRE ATT&CK Mapping
*Note: Since Sketchware is a tool for creating malware, the mappings below refer to the **malicious capabilities** often implemented using this tool.*
- **TA0005 - Defense Evasion**
  - T1204.002 - User Execution: Malicious File
    - (Implied: Bypassing security alerts by delivering seemingly innocuous PWA/WebAPK wrappers first.)
- **TA0002 - Execution**
  - T1486 - Data Encrypted for Impact
    - T1486.003 - File System: Files Encrypted at Rest (If implementing ransomware-like features)
- **TA0005 - Defense Evasion**
  - T1070 - Indicator Removal on Host
    - T1070.004 - File Deletion (Explicitly mentioned capability: File Deletion)
## Functionality
### Core Capabilities (of Malicious Apps Created)
- File Deletion (targeting SD card and system files).
- Game System Manipulation.
- Installation of Unnecessary Applications.
### Advanced Features (of Malicious Apps Created)
- Development of Remote Access Trojans (RATs), leveraging the base framework's ability to implement custom networking functions.
- Potential for evolution into more complex malware types due to the ability to extract projects for advanced development in Android Studio.
## Indicators of Compromise
- File Hashes:
  - MD5: 2322d85ff13fcca817447922f0706dbb
  - MD5: 430995dd2ec25c831574fa9edb5dee2d
  - MD5: bc3ec9591db86ba73342013a5d2a0ff8
  - MD5: be734e9be6d6a3a1a022c071812cb5c2
- File Names: N/A (Varies based on attacker creation)
- Registry Keys: N/A (Android specific persistence mechanisms would need analysis)
- Network Indicators: N/A (Specific C2 infrastructure not detailed in the context)
- Behavioral Indicators: Installation of an application obtained through unusual vectors (e.g., third-party stores, or links distributed through social engineering that coaxes users into bypassing security warnings).
## Associated Threat Actors
- Threat actors who prefer rapid, low-skill development of Android malware. (No specific named groups mentioned in association with Sketchware usage in the text provided).
## Detection Methods
- Signature-based detection: Matching the known MD5 hashes listed under Indicators of Compromise.
- Behavioral detection: Monitoring for applications exhibiting file deletion activity, attempts to manipulate system settings/files, or establishing unauthorized remote connections indicative of RAT functionality.
- YARA rules: Not provided in the context.
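The two detection approaches above combined into one triage routine, as an added example that is not part of the ASEC report: an IoC hash match is decisive, and otherwise the permissions printed by `aapt dump badging` are mapped onto the capabilities the report attributes to these apps (storage access for file deletion, package installation, network access). The permission-to-capability table, the two-capability threshold and the sample badging text are assumptions constructed for the example.

```python
import hashlib
import re
import tempfile

# MD5 hashes from this report's IoC list (Sketchware-built malicious APKs).
KNOWN_BAD_MD5 = {
    "2322d85ff13fcca817447922f0706dbb", "430995dd2ec25c831574fa9edb5dee2d",
    "bc3ec9591db86ba73342013a5d2a0ff8", "be734e9be6d6a3a1a022c071812cb5c2",
}
# Permission -> capability the report attributes to these apps (heuristic).
SUSPECT_PERMISSIONS = {
    "android.permission.WRITE_EXTERNAL_STORAGE": "file deletion on SD card",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "file deletion on SD card",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs additional apps",
    "android.permission.INTERNET": "network access (RAT potential)",
}
# Matches the uses-permission lines printed by `aapt dump badging <apk>`.
PERM_RE = re.compile(r"uses-permission: name='([^']+)'")

def md5_of_file(path):
    """Stream the file through MD5 so large APKs are not loaded at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(apk_md5, badging_output):
    """Return (verdict, reasons); an IoC hash match outranks the permission heuristic."""
    reasons = []
    if apk_md5 in KNOWN_BAD_MD5:
        reasons.append(f"MD5 {apk_md5} matches report IoC")
    caps = {SUSPECT_PERMISSIONS[p] for p in PERM_RE.findall(badging_output)
            if p in SUSPECT_PERMISSIONS}
    reasons.extend(sorted(caps))
    if apk_md5 in KNOWN_BAD_MD5:
        return "malicious", reasons
    # Two or more suspect capabilities mark the sample for manual review.
    return ("suspicious" if len(caps) >= 2 else "clean"), reasons

# Constructed sample: aapt-style badging text for a fake "cleaner" app.
SAMPLE_BADGING = (
    "uses-permission: name='android.permission.INTERNET'\n"
    "uses-permission: name='android.permission.MANAGE_EXTERNAL_STORAGE'\n"
    "uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'\n"
)

def demo():
    # Hash a constructed stand-in file (not a real APK) and triage it.
    with tempfile.NamedTemporaryFile(suffix=".apk", delete=False) as f:
        f.write(b"PK\x03\x04 constructed stand-in, not a real APK")
    return triage(md5_of_file(f.name), SAMPLE_BADGING)
```

Run `aapt dump badging sample.apk` separately and pass its text with the file's MD5 to `triage`; `demo()` shows the flow on a constructed file.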
## Mitigation Strategies
- Educate users against disabling security alerts and installing apps from unknown sources, even if the delivery method appears slightly unconventional (like a WebAPK wrapper).
- Continuously monitor for new applications distributed via non-standard Google Play channels or direct links provided via SMS/social media.
- Maintain updated security products to detect known malicious APK signatures derived from Sketchware projects.
## Related Tools/Techniques
- Progressive Web Apps (PWA)
- WebAPK (Mechanism used for delivery/launching malicious payloads)
***
# Tool/Technique: WebAPK
## Overview
WebAPK is a feature developed by Google, often associated with Progressive Web Apps (PWAs), where the Chrome browser generates a native Android APK form of a PWA when a user chooses to add it to their home screen. Attackers leverage this mechanism as an evasion technique, potentially using the WebAPK to silently redirect users to a phishing site or a direct malicious app download link, confusing the user about the actual danger.
## Technical Details
- Type: Application Utility/Delivery Mechanism
- Platform: Android (Utilized via Google Chrome)
- Capabilities: Converts PWA content into a launchable, native-looking APK installed on the Android launcher, granting browser independence for the packaged web content.
- First Seen: Context suggests ongoing use/potential for increased use to bypass standard malicious app detection.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise
    - (Implied: Users are directed to a site that triggers the WebAPK installation, acting as the initial vector.)
- **TA0005 - Defense Evasion**
  - T1566.002 - Phishing: Spearphishing Link
    - (Delivery vector through social engineering pointing to the WebAPK installation trigger.)
## Functionality
### Core Capabilities
- Installation of perceived 'shortcuts' (WebAPKs) that run like independent apps.
- Low storage requirements compared to traditional apps.
### Advanced Features
- Evasion of traditional malicious app detection systems by appearing as a benign PWA installation process initiated by the OS/Browser, rather than a direct APK sideload.
- Can be used in a two-step attack: first installing the WebAPK redirector, then prompting the installation of the actual malicious app.
## Indicators of Compromise
- File Hashes: N/A (WebAPK file hashes associated with specific malware are not detailed, only generic malicious APK hashes were listed).
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: WebAPK activity would be characterized by connections to compromised sites used for hosting PWAs or malicious distribution points. Actual C2 indicators depend on the payload delivered post-WebAPK use.
- Behavioral Indicators: Creation and installation of an application via the "Add to Home Screen" function from Chrome that subsequently redirects to external, suspicious URLs or immediately prompts for further app installation.
## Associated Threat Actors
- International threat actors who have targeted specific banks using PWA/WebAPK techniques (though not explicitly named).
## Detection Methods
- Behavioral detection: Monitoring user interactions that lead to home screen additions via Chrome, especially when the content of the linked site is known to be suspicious or promotes further installation steps.
- Network Analysis: Tracking traffic originating from the WebAPK wrapper to known malicious domains or C2 servers.
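One way to operationalise the behavioral and network checks above, as an added example that is not part of the ASEC report: WebAPK packages are picked out of an `adb shell pm list packages` inventory, and the web app manifest behind each one is checked for a `start_url` that is not HTTPS, leaves the manifest's host, or borrows a protected brand name on a host that is not allowlisted. The `org.chromium.webapk.` package prefix, the brand allowlist and the sample inventory and manifests are assumptions constructed for the example.

```python
import json
import re
from urllib.parse import urljoin, urlsplit

# Assumption: Chrome-minted WebAPKs use package names with this prefix.
WEBAPK_PREFIX = "org.chromium.webapk."
# Matches one line of `adb shell pm list packages` output.
PM_LINE_RE = re.compile(r"^package:(\S+)$", re.M)
# Constructed allowlist: brand keyword -> hosts allowed to serve that brand's PWA.
BRAND_HOSTS = {"examplebank": {"examplebank.test", "m.examplebank.test"}}

def find_webapk_packages(pm_output):
    """Return the WebAPK package names present in a package inventory."""
    return [p for p in PM_LINE_RE.findall(pm_output) if p.startswith(WEBAPK_PREFIX)]

def triage_manifest(manifest_url, manifest_text):
    """Flag a web app manifest whose start_url is not https, leaves the
    manifest's host, or claims a protected brand on a non-allowlisted host."""
    m = json.loads(manifest_text)
    findings = []
    origin_host = urlsplit(manifest_url).hostname
    start = urlsplit(urljoin(manifest_url, m.get("start_url", "/")))
    if start.scheme != "https":
        findings.append("start_url is not https")
    if start.hostname != origin_host:
        findings.append(f"start_url host {start.hostname} differs from manifest host {origin_host}")
    label = f"{m.get('name', '')} {m.get('short_name', '')}".lower()
    for brand, hosts in BRAND_HOSTS.items():
        if brand in label and start.hostname not in hosts:
            findings.append(f"name claims '{brand}' but {start.hostname} is not an allowlisted host")
    # In standalone/fullscreen mode the browser UI is hidden, so no URL bar reveals a redirect.
    if findings and m.get("display") in ("standalone", "fullscreen"):
        findings.append("display mode hides the URL bar, so the user cannot see where the app really goes")
    return findings

# Constructed samples: a package inventory and two manifests.
SAMPLE_PM = ("package:com.android.chrome\n"
             "package:org.chromium.webapk.a1b2c3d4e5f6\n"
             "package:com.example.mail\n")
SUSPECT_MANIFEST = json.dumps({
    "name": "ExampleBank Mobile", "short_name": "ExampleBank",
    "start_url": "https://login.examplebank-secure.test/app", "display": "standalone"})
BENIGN_MANIFEST = json.dumps({
    "name": "ExampleBank", "start_url": "/home", "display": "standalone"})
```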
## Mitigation Strategies
- Security awareness training emphasizing skepticism regarding unsolicited "install" prompts from web browsers, even if they appear native.
- Harden browser security settings to limit PWA installation behavior if possible, though this is often difficult without impacting legitimate PWA usage.
## Related Tools/Techniques
- Progressive Web Apps (PWA)
- Sketchware Pro (Used to generate the final stage malicious APK)