Android Malware (Analysis | Scoring) System

Overview

An Obfuscation-Neglect Android Malware Scoring System

Quark-Engine is also bundled with Kali Linux and BlackArch. A trustworthy, practical tool that is ready to boost your malware reverse engineering. https://twitter.com/quarkengine

Why Quark?

Android malware analysis engines are not a new story; every antivirus company has its own secrets for building one. Out of curiosity, we developed a malware scoring system from the perspective of Taiwan Criminal Law in an easy but solid way.

We borrow the order theory of crime, which explains the stages of committing a crime. For example, the crime of murder consists of five stages, namely determined, conspiracy, preparation, start and practice. The later the stage, the more certain we are that the crime is being carried out.

Following the same principle, we developed an order theory of Android malware with five stages that show how far a malicious activity has been carried out: 1. Permission requested. 2. Native API call. 3. Certain combination of native APIs. 4. Calling sequence of native APIs. 5. APIs that handle the same register. We not only define malicious activities and their stages but also develop weights and thresholds for calculating the threat level of a malware sample.
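To make the stage-based scoring concrete, the following is an added illustrative model, not Quark-Engine's own code: each of the five stages a rule reaches adds a fixed step of confidence, the rule's score is scaled by that confidence, and the aggregate is mapped to a threat label through thresholds. The 20% step, the scaling and the threshold values are assumptions chosen for this example; Quark's real weights and thresholds live in the project itself.

```python
from dataclasses import dataclass

# Illustrative model of the five-stage order theory. The 20% step per stage,
# the score scaling and the threat thresholds are assumptions for this
# example, not Quark-Engine's own weights.
STAGES = [
    "permission requested",
    "native API call",
    "certain combination of native APIs",
    "calling sequence of native APIs",
    "APIs that handle the same register",
]
CONFIDENCE_PER_STAGE = 100 // len(STAGES)  # 20

# (minimum fraction of the maximum weighted score, threat label), checked top-down
THREAT_LEVELS = [(0.8, "High Risk"), (0.4, "Moderate Risk"), (0.0, "Low Risk")]


@dataclass
class RuleResult:
    crime: str           # the rule's "crime" field
    score: int           # the rule's "score" field (its weight)
    stages_matched: int  # highest stage the sample satisfied, 0..5

    def confidence(self) -> int:
        """Percentage confidence: each stage reached adds 20%."""
        return self.stages_matched * CONFIDENCE_PER_STAGE

    def weighted_score(self) -> float:
        """The rule's weight scaled by how far the activity was carried out."""
        return self.score * self.confidence() / 100


def threat_level(results):
    """Aggregate weighted scores into a threat label plus the ratio behind it."""
    max_total = sum(r.score for r in results)
    if max_total == 0:
        return "Low Risk", 0.0
    ratio = sum(r.weighted_score() for r in results) / max_total
    for threshold, label in THREAT_LEVELS:
        if ratio >= threshold:
            return label, round(ratio, 2)


# Constructed results for three hypothetical rules, not a real analysis.
SAMPLE_RESULTS = [
    RuleResult("Send SMS to premium number", 4, 5),  # all five stages: 100%
    RuleResult("Read contact list", 2, 2),           # up to stage 2: 40%
    RuleResult("Record audio", 3, 0),                # nothing matched
]

if __name__ == "__main__":
    for r in SAMPLE_RESULTS:
        print(f"{r.crime}: confidence {r.confidence()}%, weighted {r.weighted_score()}")
    print(threat_level(SAMPLE_RESULTS))
```

The point of scaling by confidence is that a rule whose APIs merely exist in the APK (stage 2) contributes far less than one whose calling sequence and register flow were both observed (stage 5), which is what lets the model tolerate partial obfuscation without over-reporting.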

Malware has evolved with new techniques that make reverse engineering harder, and obfuscation is one of the most commonly used. In this talk, we present a Dalvik bytecode loader combined with the order theory of Android malware that neglects certain cases of obfuscation.

Our Dalvik bytecode loader provides two functionalities: 1. Finding cross references and the calling sequence of native APIs. 2. Tracing the bytecode registers. The combination of these functionalities (yes, the order theory) not only neglects obfuscation but also matches the design of our malware scoring system.

Easy to Use and Reading Friendly Report

Quark is very easy to use and also provides flexible output formats. There are 6 types of output reports: detail report, call graph, rules classification, summary report, label-based report, behaviors comparison radar chart. Please see below for more details.

Detail Report

This is how we examine a real Android malware sample (candy corn) with one single rule (crime).

$ quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -d

and the report will look like:

There is the possibility to select only one label to filter the rules:

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -d network

There is also the possibility to select only one rule:

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -d 00058.json

Call Graph for Every Potential Malicious Activity

Add the -g option to the quark command to get the call graph (only for rules that match with 100% confidence).

quark -a Ahmyth.apk -s -g

Rules Classification

Add the -c option to the quark command to output the rules classification with their mutual parent function (only for rules that match with 100% confidence).

quark -a Ahmyth.apk -s -c

Summary Report

Examine with rules.

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -s

There is the possibility to select only one label to filter the rules:

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -s network

There is also the possibility to select only one rule:

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -s <path_to_rule_folder>/00058.json

(If you want to select one of the rules of Quark-Rule, the default path to Quark-Rule is $HOME/.quark-engine/quark-rules/.)

Label-based Report

Check in which topic (indicated by labels) the malware is more aggressive.

quark -a Ahmyth.apk -l detailed

Behaviors Comparison Radar Chart

With the following command, you can compare the actions of different APKs based on the maximum confidence of each rule label and generate a radar chart.

quark -a first.apk -a second.apk -C

Parallelizing Quark

Quark now supports multiprocessing for analyzing APKs in parallel: add the option --multi-process and set the number of processes (the default is the number of CPUs in your computer).

quark -a Ahmyth.apk -s --multi-process 4

Upcoming unstable feature

Quark now also supports Rizin as one of its Android analysis frameworks. Use the option --core-library with rizin to enable the Rizin-based analysis library.

quark -a Ahmyth.apk -s --core-library rizin

QuickStart

Requirements

  • Python 3.8+
  • git
  • graphviz
  • click >= 8.0.1 (For CLI supports)

Installation

$ pip3 install -U quark-engine

Get the latest quark rules from our quark-rules repo

Now you can download the quark-rules to your home directory with a simple command.

$ freshquark

Check --help to see the detailed usage description.

$ quark --help

Test It Out

You may refer to the Quark Engine Document for more details of testing and development information.

Acknowledgments

The Honeynet Project


Google Summer Of Code

Quark-Engine has been participating in the GSoC under the Honeynet Project!

Stay tuned for the upcoming GSoC! Join the Honeynet Slack chat for more info.

Core Values of Quark Engine Team

  • We love battlefields. We embrace uncertainties. We challenge the impossible. We rethink everything. We change the way people think. And, most important of all, we benefit ourselves by benefiting others first.
Comments
  • macOS Dependencies

    macOS Dependencies

    Dependency error during the installation of quark-engine on macOS Catalina 10.15.7.

    Error : - pkg_resources.DistributionNotFound: The 'androguard==3.4.0a1' distribution was not found and is required by quark-engine

    test-required issue-processing-state-01
    opened by yashomer1994 16
  • Add quark script case for CWE 319

    Add quark script case for CWE 319

    Detect CWE-319 in Android Application (ovaa.apk)

    This scenario seeks to find the Cleartext Transmission of Sensitive Information. See CWE-319 for more details.

    Let's use this APK and the above APIs to show how the Quark script finds this vulnerability. This sample uses the package Retrofit to request Web APIs, but the APIs use cleartext protocols.

    We first design a detection rule setRetrofitBaseUrl.json to spot the behavior that sets the base URL of the Retrofit instance. Then, we loop through a custom list of cleartext protocol schemes and use the API behaviorInstance.hasString to filter arguments that are URL strings with a cleartext protocol.

    Quark Script CWE-319.py

    from quark.script import runQuarkAnalysis, Rule
    
    SAMPLE_PATH = "./ovaa.apk"
    RULE_PATH = "setRetrofitBaseUrl.json"
    
    PROTOCOL_KEYWORDS = [
        "http",
        "smtp",
        "ftp"
    ]
    
    
    ruleInstance = Rule(RULE_PATH)
    quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
    
    for setRetrofitBaseUrl in quarkResult.behaviorOccurList: 
        for protocol in PROTOCOL_KEYWORDS:
            
            regexRule = f"{protocol}://[0-9A-Za-z./-]+"
            cleartextProtocolUrl = setRetrofitBaseUrl.hasString(regexRule, True)
            
            if cleartextProtocolUrl:
                print(f"CWE-319 detected!")
                print(f"Here are the found URLs with cleartext protocol:")
                print("\n".join(cleartextProtocolUrl))
    

    Quark Rule: setRetrofitBaseUrl.json

    {
        "crime": "Set Retrofit Base Url",
        "permission": [],
        "api": 
        [
            {
                "descriptor": "()V",
                "class": "Lretrofit2/Retrofit$Builder;",
                "method": "<init>"
            },
            {
                "descriptor": "(Ljava/lang/String;)Lretrofit2/Retrofit$Builder;",
                "class": "Lretrofit2/Retrofit$Builder;",
                "method": "baseUrl"
            }
        ],
        "score": 1,
        "label": []
    }
    

    Quark Script Result

    $ python3 CWE-319.py
    CWE-319 detected!
    Here are the found URLs with cleartext protocol:
    http://example.com./api/v1/
    
    pr-processing-state-06 
    opened by zinwang 12
  • Porting androguard to quark-engine

    Porting androguard to quark-engine

    Porting androguard version 3.4 into the quark-engine project to protect against androguard no longer being maintained.

    In the past, when using androguard, we all had to rely on pip installing androguard from GitHub, but there is a problem: if something goes wrong with androguard, quark-engine might crash.

    But in fact, we only need the decompile function of androguard, so I ported this function into our project.

    In addition to improving the stability of quark-engine, it also increases the speed of the pipenv installation.

    enhancement not ready 
    opened by krnick 11
  • Add Quark Script APIs to detect CWE-532

    Add Quark Script APIs to detect CWE-532

    Detect CWE-532 in Android Application (dvba.apk)

    This scenario seeks to find the insertion of sensitive information into a log file. See CWE-532 for more details.

    Let's use this APK and the above APIs to show how the Quark script finds this vulnerability.

    First, we use the API findMethodInAPK to locate the method log.d. Then we use the API methodInstance.getArguments to get the arguments passed to log.d. Finally, we use keywords such as "token", "password", and "decrypt" to check whether the arguments include sensitive data. If the answer is YES, that may cause sensitive data leakage into the log file.

    You can use your own keywords in the keywords list to detect sensitive data.

    API Spec

    findMethodInAPK(samplePath, targetMethod)

    • Description: Find the target method in the APK
    • params:
      1. samplePath: Target file
      2. targetMethod: A python list containing the class name, method name, and descriptor of the target method
    • return: A python list containing the caller method instances of the target method

    Detect CWE-532 in Android Application (dvba.apk)

    Quark Script CWE-532.py

    from quark.script import findMethodInAPK
    
    SAMPLE_PATH = "dvba.apk"
    TARGET_METHOD = [
        "Landroid/util/Log;",                       # class name
        "d",                                        # method name
        "(Ljava/lang/String; Ljava/lang/String;)I"  # descriptor
    ]
    CREDENTIAL_KEYWORDS = [
        "token",
        "decrypt",
        "password"
    ]
    
    methodsFound = findMethodInAPK(SAMPLE_PATH, TARGET_METHOD)
    
    for debugLogger in methodsFound:
        arguments = debugLogger.getArguments()
    
        for keyword in CREDENTIAL_KEYWORDS:
            if keyword in arguments[1]:
                print(f"CWE-532 is detected in method, {debugLogger.fullName}") 
    

    Quark Script Result

    $ python CWE-532.py 
    CWE-532 is detected in method, Lcom/google/firebase/auth/FirebaseAuth; d (Lc/c/b/h/o;)V
    
    pr-processing-state-04 
    opened by pulorsok 10
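The keyword check in the script above compares `keyword in arguments[1]` literally, so "Password" or "TOKEN" would slip past it, and a call whose message argument cannot be recovered would raise on `arguments[1]`. The following added example (not code from the Quark-Engine project) applies the same credential-keyword idea over constructed stand-ins for the caller/argument pairs that findMethodInAPK and getArguments would return, comparing case-insensitively and skipping calls without a string message.

```python
CREDENTIAL_KEYWORDS = ["token", "decrypt", "password"]

# Constructed stand-ins for what findMethodInAPK plus getArguments() would yield
# for Log.d(String tag, String msg): (caller fullName, [tag, msg]). Invented
# samples, not output from dvba.apk.
SAMPLE_LOG_CALLS = [
    ("Lcom/example/Auth; login (Ljava/lang/String;)V", ["Auth", "Password for user is: "]),
    ("Lcom/example/Net; refresh ()V", ["Net", "Refreshing auth TOKEN"]),
    ("Lcom/example/Ui; draw ()V", ["Ui", "view redrawn"]),
    ("Lcom/example/Crypto; work ()V", ["Crypto", "decrypting payload"]),
    ("Lcom/example/Dyn; log ()V", ["Dyn"]),  # message argument not recoverable
]


def sensitive_keywords(message, keywords=CREDENTIAL_KEYWORDS):
    """Keywords present in a log message, compared case-insensitively so that
    "Password", "TOKEN" and "decrypting" are all caught; a case-sensitive
    `keyword in message` check would miss the first two."""
    lowered = message.lower()
    return [kw for kw in keywords if kw in lowered]


def detect_cwe532(log_calls, keywords=CREDENTIAL_KEYWORDS):
    """Map each caller to the keywords that make its log message look like
    sensitive data. Calls whose message argument is missing or is not a
    string literal are skipped instead of raising on arguments[1]."""
    findings = {}
    for full_name, arguments in log_calls:
        if len(arguments) < 2 or not isinstance(arguments[1], str):
            continue
        hits = sensitive_keywords(arguments[1], keywords)
        if hits:
            findings[full_name] = hits
    return findings


if __name__ == "__main__":
    for method, hits in detect_cwe532(SAMPLE_LOG_CALLS).items():
        print(f"CWE-532 is detected in method, {method} ({', '.join(hits)})")
```

Substring matching still over-approximates (a message mentioning "tokenizer" is flagged too), which is the right trade-off for a triage script: a reviewer confirms hits, while a miss on a real credential leak is the costly error.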
  • Add new feature to get url and ips from apk string

    Add new feature to get url and ips from apk string

    Use the following code to get the URLs and IP addresses:

    import re

    from androguard.misc import AnalyzeAPK

    a, d, dx = AnalyzeAPK("Ahmyth.apk")

    # One dotted-quad octet, 0-255. The original pattern (2[0-5][0-5] etc.)
    # skipped values such as 206-209 and capped the first octet at 223.
    octet = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
    ipv4_address = re.compile(rf"\b{octet}(?:\.{octet}){{3}}\b")

    url_regex = re.compile(r"(?i)\b((?:https?://|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:'\".,<>?«»“”‘’]))")

    # Walk every string in the APK's string pool once, checking both patterns.
    for string_analysis in dx.get_strings():
        value = string_analysis.get_value()

        urls = url_regex.findall(value)
        if urls:
            print("[URL Found]")
            print([match[0] for match in urls])  # group 1 holds the whole URL

        ips = ipv4_address.findall(value)
        if ips:
            print("[IP Found]")
            print(ips)
    
    
    enhancement 
    opened by krnick 10
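Both the CWE-319 script earlier in this thread and the URL/IP extraction above hinge on two details that are easy to get wrong: an IPv4 pattern that really covers 0-255 per octet, and a cleartext check that does not mistake "https://" for "http://" by prefix. The following added example (not code from the Quark-Engine project or from either pull request) runs offline over a constructed string pool standing in for dx.get_strings(), extracts URLs and addresses, and classifies the cleartext ones by their parsed scheme rather than by substring.

```python
import re
from urllib.parse import urlsplit

# Schemes the CWE-319 script treats as cleartext transports.
CLEARTEXT_SCHEMES = {"http", "ftp", "smtp"}

# One dotted-quad octet in the range 0-255.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
IPV4_RE = re.compile(rf"\b{_OCTET}(?:\.{_OCTET}){{3}}\b")

# Any "scheme://..." candidate. The scheme is parsed afterwards instead of
# being substring-matched, so "https://" is never mistaken for "http://".
URL_RE = re.compile(r"""\b[a-z][a-z0-9+.-]*://[^\s"'<>]+""", re.IGNORECASE)

# Constructed stand-in for the APK string pool (the values dx.get_strings()
# would yield). Invented samples, not strings from Ahmyth.apk or ovaa.apk.
SAMPLE_STRINGS = [
    "http://example.com./api/v1/",
    "https://api.example.com/v2/login",
    "ftp://files.example.net/upload",
    "Connecting to 192.168.1.254:8080",
    "bogus address 300.1.1.1 and 10.0.0.1",
    "see https://example.org and http://example.org:8080/path?x=1",
]


def extract_urls(text):
    return URL_RE.findall(text)


def extract_ipv4(text):
    """Only syntactically valid dotted quads; 300.1.1.1 is rejected."""
    return IPV4_RE.findall(text)


def extract_indicators(strings):
    """All URLs and IPv4 addresses found across the string pool."""
    return {
        "urls": [u for s in strings for u in extract_urls(s)],
        "ips": [ip for s in strings for ip in extract_ipv4(s)],
    }


def cleartext_urls(strings, schemes=CLEARTEXT_SCHEMES):
    """URLs whose parsed scheme is a cleartext transport (the CWE-319 signal)."""
    return [url for s in strings for url in extract_urls(s)
            if urlsplit(url).scheme.lower() in schemes]


if __name__ == "__main__":
    print(extract_indicators(SAMPLE_STRINGS))
    print("cleartext:", cleartext_urls(SAMPLE_STRINGS))
```

Parsing the scheme with urlsplit also keeps ports, paths and query strings attached to the reported URL, which the `[0-9A-Za-z./-]+` character class in the CWE-319 script drops at the first colon or question mark.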
  • Help section for --multi-process

    Help section for --multi-process

    Help section for --multi-process made more descriptive with respect to the maximum number of processes that can be used. W.r.t. issue https://github.com/quark-engine/quark-engine/issues/315

    documentation 
    opened by PaulNicolasHunter 9
  • Refactor/enrich the rest of Quark's tests

    Refactor/enrich the rest of Quark's tests

    Description

    Please refer here. For the replacement of Androguard, I want to write tests to improve the test coverage of Quark. This is the final PR. (You can find the previous PR here )

    In this PR, I focus on these files.

    • quark/Objects/analysis.py
    • quark/Objects/quarkrule.py
    • quark/report.py
    • quark/freshquark.py
    • all seven files in quark/utils (colors.py, graph.py, pprint.py, output.py, etc.)

    Code Changes

    • For the existing tests: Divide them by their test scenarios.
    • For the new tests: Add them according to two strategies and the coding guideline discussed in the above issue.

    | Files              | # Tests added for normal inputs | # Tests added for error inputs | # Tests modified |
    | ------------------ | :-----------------------------: | :----------------------------: | :--------------: |
    | test_analysis.py   | 1  | 0  | 0 |
    | test_quarkrule.py  | 1  | 4  | - |
    | test_report.py     | 4  | 6  | - |
    | test_freshquark.py | 2  | 0  | - |
    | test_colors.py     | 1  | 0  | - |
    | test_graph.py      | 3  | 0  | - |
    | test_output.py     | 3  | 0  | - |
    | test_pprint.py     | 5  | 0  | - |
    | test_regex.py      | 11 | 3  | - |
    | test_tools.py      | 5  | 1  | 1 |
    | test_weight.py     | 0  | 0  | 3 |
    | Total              | 36 | 14 | 4 |

    Related Discussions

    1. issue https://github.com/quark-engine/gsoc2021-ShengFengLu/issues/1
    2. Discussion https://github.com/quark-engine/quark-engine/discussions/173
    enhancement 
    opened by haeter525 9
  • Creation of option to print Report based on Label Rules

    Creation of option to print Report based on Label Rules

    With the following pull request we (me, @cryptax, @Dil3mm3 and @3aglew0) propose adding another option to print a report based on the labels specified inside a rule.

    We have noticed they are not used and it could be interesting to print a short report taking these values into consideration. Here is an example of output where, for each label (found inside the rules), a description (see explanation below), the number of rules containing this label and other details described below are printed.


    This option allows printing a report based on labels with two different levels of detail:

    1. quark -a malware_to_be_analysed.apk -r rule_dir -l max prints the maximum score for each label (as in the image above); this lets us understand in which topic (represented by a label) a malware is more aggressive. For example, looking at the previous output we can see the malware successfully performs malicious actions related to location, calllog and sms.
    2. quark -a malware_to_be_analysed.apk -r rule_dir -l detailed prints a detailed report with all the previous information plus:
      • Number of rules (with that label) which have a score >= 80%
      • Average score and standard deviation (computed over all the scores obtained by that specific label). Interesting considerations could be the following: a label with a high average and a low standard deviation would allow us to say the malware successfully performs a series of malicious actions; a high standard deviation means there are some rules with a high score, so the malware successfully performs only some actions with that label; finally, a low standard deviation and a low average on a certain label mean the malware is not performing malicious actions on that topic. Example of output:


    The description column allows adding a short and representative sentence about a label; for example, for calllog the description is Retrieve or manipulate sensitive data from call log. To implement a flexible solution we thought of adding a csv file in the same directory as the rules with the structure label,description. We chose the csv extension because it is easy to manipulate, and it was not possible to use a json format since all json files in that folder are interpreted as rules. If this file is not present or a label,description pair is absent, the corresponding cell in the label report is filled with -. Example of output:


    I leave here a sample of the csv file to be put in the folder of the rules (label_desc.csv).

    Do not hesitate to contact me for any type of clarification.

    enhancement 
    opened by ciastron 9
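The label report described in this pull request boils down to grouping rule scores by label and computing, per label, the maximum, the count of rules at or above 80%, the average and the standard deviation, with a description looked up from a label,description csv and "-" when no row exists. The following added example (not code from the Quark-Engine project or from the pull request) implements exactly that computation over constructed rule results and a constructed csv, so the statistics the text reasons about can be checked by hand.

```python
import csv
import io
from statistics import mean, pstdev

# Constructed rule results: (labels attached to the rule, its score in percent).
# Invented values, not output from any real sample.
SAMPLE_RULE_RESULTS = [
    (["sms"], 100),
    (["sms", "network"], 80),
    (["location"], 100),
    (["location", "network"], 20),
    (["calllog"], 40),
    (["calllog"], 0),
]

# Constructed label_desc.csv content in the proposed "label,description" layout;
# the "network" row is deliberately absent to exercise the "-" fallback.
SAMPLE_LABEL_DESC_CSV = """label,description
sms,Send or intercept SMS messages
location,Collect device location
calllog,Retrieve or manipulate sensitive data from call log
"""


def load_descriptions(csv_text):
    """Parse the label,description csv into a dict."""
    return {row["label"]: row["description"]
            for row in csv.DictReader(io.StringIO(csv_text))}


def label_report(rule_results, descriptions, detailed=False, threshold=80):
    """Per-label summary: max score always (the -l max report); with
    detailed=True also the number of rules at or above `threshold`, the
    average and the population standard deviation of that label's scores."""
    scores_by_label = {}
    for labels, score in rule_results:
        for label in labels:
            scores_by_label.setdefault(label, []).append(score)

    report = {}
    for label, scores in sorted(scores_by_label.items()):
        row = {
            "description": descriptions.get(label, "-"),
            "rules": len(scores),
            "max": max(scores),
        }
        if detailed:
            row["above_threshold"] = sum(1 for s in scores if s >= threshold)
            row["average"] = round(mean(scores), 1)
            row["std_dev"] = round(pstdev(scores), 1)
        report[label] = row
    return report


if __name__ == "__main__":
    descs = load_descriptions(SAMPLE_LABEL_DESC_CSV)
    for label, row in label_report(SAMPLE_RULE_RESULTS, descs, detailed=True).items():
        print(label, row)
```

With these constructed inputs, sms has a high average and a low deviation (consistent success), location has the same maximum but a high deviation (only some of its rules fire), and calllog has a low average and low deviation, which is the three-way reading of the statistics the text proposes.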
  • [#444] Adjust CWE Show Case format in README.md.

    [#444] Adjust CWE Show Case format in README.md.

    CWE Showcases

    • CWE-020 Improper Input Validation
    • CWE-089 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    • CWE-094 Improper Control of Generation of Code ('Code Injection')
    • CWE-312 Cleartext Storage of Sensitive Information
    • CWE-319 Cleartext Transmission of Sensitive Information
    • CWE-327 Use of a Broken or Risky Cryptographic Algorithm
    • CWE-532 Insertion of Sensitive Information into Log File
    • CWE-749 Exposed Dangerous Method or Function
    • CWE-780 Use of RSA Algorithm without OAEP
    • CWE-798 Use of Hard-coded Credentials
    • CWE-921 Storage of Sensitive Data in a Mechanism without Access Control
    • CWE-926 Improper Export of Android Application Components
    work-in-progress pr-processing-state-06 
    opened by PoJenC 7
  • Add new feature for generate Quark web report

    Add new feature for generate Quark web report

    Add a new feature to generate the Quark report. With the following command, we can easily analyze an Android sample and output the web report.

    See the demo here.

    quark -a sample.apk -s -w quark_report.html
    

    pr-processing-state-05 
    opened by pulorsok 7
  • Have Click as an optional dependency

    Have Click as an optional dependency

    Hey everyone!

    Is your feature request related to a problem? Please describe. Quark does not separate optional dependencies, like Click, from required dependencies (I suppose everything else is required). Since Quark can be used as a module, and in this case Click is not required at all, this would solve some compatibility issues with other libraries, e.g. celery >= 5.0.0.

    Describe the solution you'd like

    Use the optional dependency feature in setup.py to separate the Click package from the remaining requirements. Explain in Readme.md how the user should call setup.py to be able to use the CLI commands.

    Describe alternatives you've considered None

    Additional context

    If the solution is considered acceptable, or another solution that I did not think of, for this issue is found, I can work on the implementation and the PR myself.

    dependencies 
    opened by 0ssigeno 7
  • Add quark script case for CWE 328

    Add quark script case for CWE 328

    Detect CWE-328 in Android Application (allsafe.apk)

    This scenario seeks to find the use of a weak hash. See CWE-328 for more details.

    Let's use this APK and the above APIs to show how the Quark script finds this vulnerability.

    First, we use the API findMethodInAPK(samplePath, targetMethod) to find the method MessageDigest.getInstance(). Next, we use the API methodInstance.getArguments() with a list to check whether the method uses weak hashing algorithms. If YES, that causes a CWE-328 vulnerability.

    Quark Script CWE-328.py

    from quark.script import findMethodInAPK
    
    SAMPLE_PATH = "./allsafe.apk"
    
    TARGET_METHOD = [
        "Ljava/security/MessageDigest;",                        # class name
        "getInstance",                                          # method name
        "(Ljava/lang/String;)Ljava/security/MessageDigest;"     # descriptor
    ]
    
    HASH_KEYWORDS = [
        "MD2",
        "MD4",
        "MD5",
        "PANAMA",
        "SHA-0",
        "SHA-1",
        "HAVAL-128",
        "RIPEMD-128"
    ]
    
    methodsFound = findMethodInAPK(SAMPLE_PATH, TARGET_METHOD)
    
    for setHashAlgo in methodsFound:
        arguments = setHashAlgo.getArguments()
    
        for keyword in HASH_KEYWORDS:
            if keyword in arguments[0]:
                print(f"CWE-328 is detected in method, {setHashAlgo.fullName}")
    

    Quark Script Result

    $ python CWE-328.py
    CWE-328 is detected in method, Lcom/google/firebase/database/core/utilities/Utilities; sha1HexDigest (Ljava/lang/String;)Ljava/lang/String;
    CWE-328 is detected in method, Linfosecadventures/allsafe/challenges/WeakCryptography; md5Hash (Ljava/lang/String;)Ljava/lang/String;
    CWE-328 is detected in method, Linfosecadventures/allsafe/challenges/SQLInjection; md5 (Ljava/lang/String;)Ljava/lang/String;
    
    opened by zinwang 1
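The script above tests `keyword in arguments[0]` with hyphenated names, so the JCA alias "SHA1" (which MessageDigest.getInstance accepts) is never flagged, while any future name that merely contains one of the keywords would be. The following added example (not code from the Quark-Engine project or the pull request) normalizes algorithm names before an exact comparison and runs over constructed caller/argument pairs in the shape findMethodInAPK and getArguments() would return.

```python
import re

# Digest names the CWE-328 script flags, in the spelling that script uses.
WEAK_HASH_ALGORITHMS = [
    "MD2", "MD4", "MD5", "PANAMA", "SHA-0", "SHA-1", "HAVAL-128", "RIPEMD-128",
]


def normalize_algorithm(name):
    """Canonical form for comparing JCA algorithm names: upper-case with
    separators removed, so "sha-1", "SHA1" and "Sha_1" all compare equal."""
    return re.sub(r"[-_\s]", "", name.strip().upper())


_WEAK = {normalize_algorithm(a) for a in WEAK_HASH_ALGORITHMS}


def is_weak_hash(argument):
    """True when the string handed to MessageDigest.getInstance names a weak
    digest. The comparison is exact after normalization: it catches the
    "SHA1" alias a hyphenated substring check misses and never flags
    "SHA-256" for sharing a prefix with "SHA-2"-style names."""
    return normalize_algorithm(argument) in _WEAK


# Constructed (caller fullName, arguments) pairs mimicking what findMethodInAPK
# plus getArguments() would return for MessageDigest.getInstance(String).
# Invented, not results from allsafe.apk.
SAMPLE_CALLS = [
    ("Lcom/example/A; md5 (Ljava/lang/String;)Ljava/lang/String;", ["MD5"]),
    ("Lcom/example/B; digest ()V", ["sha1"]),        # alias, lower case
    ("Lcom/example/C; digest ()V", ["SHA-256"]),
    ("Lcom/example/D; digest ()V", ["SHA-512/256"]),
    ("Lcom/example/E; digest ()V", []),              # argument not recoverable
]


def detect_cwe328(calls):
    """Names of callers whose first argument selects a weak digest; calls
    with no recoverable argument are skipped rather than indexed blindly."""
    return [name for name, args in calls if args and is_weak_hash(args[0])]


if __name__ == "__main__":
    for name in detect_cwe328(SAMPLE_CALLS):
        print(f"CWE-328 is detected in method, {name}")
```

A call whose algorithm name is built at runtime (read from configuration, concatenated from pieces) yields no string literal for getArguments() to return; that case is a coverage gap of any static keyword check, which is why the example treats an empty argument list as "not proven" rather than "safe".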
  • [Quark#446] Add quark script case for CWE-295

    [Quark#446] Add quark script case for CWE-295

    Detect CWE-295 in Android Application (InsecureShop.apk)

    This scenario seeks to find Improper Certificate Validation. See CWE-295 for more details.

    Let’s use this APK and the above APIs to show how the Quark script finds this vulnerability.

    We use the API findMethodInAPK to locate all SslErrorHandler.proceed methods. Then we need to identify whether the method WebViewClient.onReceivedSslError is overridden by its subclass.

    First, we check and make sure that the MethodInstance.name is onReceivedSslError, and the MethodInstance.descriptor is (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V.

    Then we use the method API MethodInstance.findSuperclassHierarchy to get the superclass list of the method's caller class.

    Finally, we check whether Landroid/webkit/WebViewClient; is on the superclass list. If YES, that may cause a CWE-295 vulnerability.

    API Spec

    MethodInstance.findSuperclassHierarchy()

    • Description: Find the whole superclass hierarchy of this method's class.
    • params: None
    • Return: A Python list containing the names of all superclasses of this method's class.

    Quark Script CWE-295.py

    from quark.script import findMethodInAPK
    
    SAMPLE_PATH = "insecureShop.apk"
    TARGET_METHOD = [
        "Landroid/webkit/SslErrorHandler;",  # class name
        "proceed",                          # method name
        "()V"                               # descriptor
    ]
    OVERRIDE_METHOD = [
        "Landroid/webkit/WebViewClient;",  # class name
        "onReceivedSslError",              # method name
        # descriptor
        "(Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V"
    ]
    
    for sslProceedCaller in findMethodInAPK(SAMPLE_PATH, TARGET_METHOD):
        if (sslProceedCaller.name == OVERRIDE_METHOD[1] and
           sslProceedCaller.descriptor == OVERRIDE_METHOD[2] and
           OVERRIDE_METHOD[0] in sslProceedCaller.findSuperclassHierarchy()):
            print(f"CWE-295 is detected in method, {sslProceedCaller.fullName}")
    
    

    Quark Script Result

    $python3 CWE-295.py
    Requested API level 29 is larger than maximum we have, returning API level 28 instead.
    CWE-295 is detected in method, Lcom/insecureshop/util/CustomWebViewClient; onReceivedSslError (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V
    
    work-in-progress pr-processing-state-05 
    opened by PoJenC 3
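The three-way check in this script (method name, descriptor, and WebViewClient somewhere up the caller's superclass chain) is what distinguishes a genuine override of onReceivedSslError from an unrelated method that merely calls proceed(). The following added example (not code from the Quark-Engine project or the pull request) reproduces that logic offline over a constructed class hierarchy, including a subclass two levels below WebViewClient, which a check against only the direct superclass would miss.

```python
# Constructed class hierarchy: class descriptor -> direct superclass descriptor,
# standing in for what MethodInstance.findSuperclassHierarchy() walks.
# Invented, not taken from InsecureShop.apk.
SAMPLE_HIERARCHY = {
    "Lcom/example/CustomWebViewClient;": "Landroid/webkit/WebViewClient;",
    "Lcom/example/DeepClient;": "Lcom/example/CustomWebViewClient;",
    "Landroid/webkit/WebViewClient;": "Ljava/lang/Object;",
    "Lcom/example/Helper;": "Ljava/lang/Object;",
}

OVERRIDE_METHOD = [
    "Landroid/webkit/WebViewClient;",  # class name
    "onReceivedSslError",              # method name
    "(Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V",
]


def superclass_hierarchy(class_name, hierarchy):
    """All ancestors of class_name, nearest first, stopping at the root or at
    a class the hierarchy does not know (e.g. a framework class absent from
    the APK). The seen-set guards against cycles in malformed input."""
    chain, seen = [], set()
    current = hierarchy.get(class_name)
    while current and current not in seen:
        chain.append(current)
        seen.add(current)
        current = hierarchy.get(current)
    return chain


def overrides_ssl_error_handler(caller_class, name, descriptor, hierarchy):
    """Mirror of the script's check: same name, same descriptor, and
    WebViewClient somewhere up the caller's superclass chain."""
    return (name == OVERRIDE_METHOD[1]
            and descriptor == OVERRIDE_METHOD[2]
            and OVERRIDE_METHOD[0] in superclass_hierarchy(caller_class, hierarchy))


# Constructed callers of SslErrorHandler.proceed(): (class, method name, descriptor).
SAMPLE_PROCEED_CALLERS = [
    ("Lcom/example/CustomWebViewClient;", "onReceivedSslError", OVERRIDE_METHOD[2]),
    ("Lcom/example/DeepClient;", "onReceivedSslError", OVERRIDE_METHOD[2]),
    ("Lcom/example/Helper;", "onReceivedSslError", OVERRIDE_METHOD[2]),  # not a WebViewClient
    ("Lcom/example/CustomWebViewClient;", "shouldOverrideUrlLoading",
     "(Landroid/webkit/WebView; Ljava/lang/String;)Z"),
]


def detect_cwe295(callers, hierarchy):
    """Full names, in the script's "class name descriptor" layout, of callers
    that override WebViewClient.onReceivedSslError and call proceed()."""
    return [f"{cls} {name} {desc}" for cls, name, desc in callers
            if overrides_ssl_error_handler(cls, name, desc, hierarchy)]


if __name__ == "__main__":
    for full_name in detect_cwe295(SAMPLE_PROCEED_CALLERS, SAMPLE_HIERARCHY):
        print(f"CWE-295 is detected in method, {full_name}")
```

The Helper case shows why the hierarchy walk matters: a method with the right name and descriptor on a class outside the WebViewClient lineage is not an override Android will ever call, so reporting it would be a false positive.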
  • Add quark script case for CWE-295

    issue-processing-state-03 
    opened by PoJenC 0
  • Add docs for CWE team

    Add docs for CWE team

    Quark CWE team

    The Quark CWE team is responsible for developing Quark Scripts to detect Common Weakness Enumeration (CWE) vulnerabilities in APKs. We also maintain the Quark Script document, API, and repository.

    Goals for 2023

    Our goals for 2023 consist of three stages. First, we will focus on increasing the number of CWE Quark Scripts to 30 and optimizing the Quark Script API by developing CWE Quark Scripts.

    Next, with a sufficient number of Quark Scripts, we will develop a system to automatically detect vulnerabilities in online APKs.

    Finally, based on the sufficient and quality Quark Script API, we will focus on developing a web system that allows users to easily combine Quark Script APIs and create their own scripts without any coding knowledge.

    Responsibilities

    We aim to make the Quark Script development process as straightforward as possible, while ensuring that the scripts are accurate and reliable. We strive to create clear and concise documentation, as well as well-designed APIs that are easy to use. Our responsibilities include:

    • Developing Quark Scripts through a five-step process:
      1. Choosing a CWE number and clearly explaining the vulnerability definition.
      2. Finding an APK sample and explaining the vulnerable code.
      3. Designing the detection process step by step.
      4. Defining a new Quark Script API (including description, input, and output) if necessary.
      5. Developing the Quark Script in a clear and easy-to-use manner.
    • Managing the Quark Script repository by:
      • Updating the repository with new Quark Scripts.
      • Updating the documentation for Quark Scripts.
    • Maintaining the Quark Script API by:
      • Developing test units for each Quark Script API.
      • Reviewing and modifying the description, input, and output for each API.

    We aim to ensure that all of our work is easy to read and follows proper grammar and usage.

    documentation pr-processing-state-05 
    opened by pulorsok 2
  • Inconsistent format of method names in Quark Script doc

    Inconsistent format of method names in Quark Script doc

    Describe the bug

    When referring to a method or file in the Quark Script showcases, we mark the name with backticks to make it easy to distinguish (e.g., configureJsExecution.json). However, some showcases in the Quark Script doc don't follow this practice.

    For example, the CWE-94 showcase doesn't mark the method name with backticks.

    The CWE-780 showcase shows the method name in an italic font.

    Describe the solution you'd like

    Unify the format of method names. For example, we could mark them with backticks.

    documentation enhancement 
    opened by haeter525 0
Releases(v22.12.1)
  • v22.12.1(Dec 28, 2022)

    New Features

    • Add new Quark Script APIs to detect CWE-20 and CWE-79. (https://github.com/quark-engine/quark-engine/pull/434 and https://github.com/quark-engine/quark-engine/pull/436)
  • v22.11.1(Nov 30, 2022)

    New Features

    • Add new Quark Script APIs to detect CWE-319 and CWE-327. (#413 and #428)

    Here's the relevant document.

    UI Enhancements

    • Fix typos in Quark Web Report. (#414 and #419)
    • Make grid lines in Quark Web Report more visible. (#419)

    Document enhancements

    • Spotlight Quark Script in README. (#424)
    • Add Quark Script Quick Start instruction. (#422)
  • v22.10.1(Oct 26, 2022)

    New Features

    • Add new Quark Script APIs to detect CWE-532 and CWE-780. (#396 and #399)

    Here's the relevant document.

    Bug Fix

    • Fix CLI giving outdated path to the default ruleset. (#389)

    New Program

    • Introduce Quark MIT Program.
  • v22.9.1(Sep 29, 2022)

    New Features

    • Add new Quark Script APIs to detect CWE-89, CWE-926, CWE-312, and CWE-749. (#377, #381, #379, and #374)

    Here's the relevant document.

    New Core Members

    • Introduce new core members, AnWei Kung, Zin Wong, and Zee. (#387)

    Package Dependency Update

    • Add frida and ciphey as the dependencies. (#374)
  • v22.7.1(Jul 27, 2022)

    New Features

    • Present a new powerful project, Quark Script! (#371)
    • Add new Quark Script APIs for CWE-94, CWE-798, and CWE-921 detection. (#372, #373, and 998947d)

    Please check here for the full document.

    Document enhancement

    • Enhance README to make it user-friendly. (#366)

    Dependency updates

    • Specify CI to use Meson 0.62.0. (#368)
    • Bump lxml from 4.8.0 to 4.9.1. (#370)
  • v22.6.1(Jun 29, 2022)

  • v22.5.1(May 25, 2022)

    New Features

    • Introduce a new visualization of analysis results, the Quark web report. (#345)
    • Add support for loading rules recursively. (#346)

    Bug Fixes

    • Update CI tests for the audio recording ruleset. (#341)
    • Update CI tests for the contact info accessing ruleset. (#343)

    Other

    • Rearrange the file structure of the default ruleset. (quark-rules#26)
    • Remove outdated content in README. (#348)
    • Update the author information in the PyPI package. (#351)
  • v22.4.1(Apr 27, 2022)

    New feature

    • Introduce the rule generation feature, Radiocontrast. (#325)

    Bug fix

    • Update smoke test for the release of the SMS message stealing ruleset. (#327)
  • v22.3.1(Mar 28, 2022)

    New features

    • Add a limit to the number of processes available for parallel analysis. Thank @PaulNicolasHunter for this work. (#311 and #315)
    • Update analysis library for Rizin v0.3.0 and above. (#314)

    Dependency update

    • Update pillow from 9.0.0 to 9.0.1. (#311)
  • v22.2.1(Feb 15, 2022)

    Bug fixed

    • Fix an AttributeError that occurred when using Rizin as the core library. (#301)

    Dependencies update

    • Specify the minimal supported version of prettytable to 1.0.0. (#304)
    • Update pillow from 8.4.0 to 9.0.0. (#300)
    • Update ipython from 8.0.0 to 8.0.1. (#303)
  • v22.1.1(Jan 4, 2022)

  • v21.11.2(Nov 25, 2021)

    Bugs fixed

    • Fix missing comma in Debian/control. Thanks to @Hagb for this patch. (#278)
    • Fix import errors with Graphviz 0.18. Thanks to @nplesak for this patch. (#288)

    Dependency update

    • Specify the highest compatible versions of the dependency packages. (#290)
  • v21.11.1(Nov 2, 2021)

    New Feat

    • behaviors_comparison_radar_chart can save as images now. Thanks to @matteodalgrande for contributing the feature. (#273)

    Bugs fixed

    • Remove tqdm on loading rule files. (#270)
    • Add try-catch block to prevent potential crash problems. (#276)
    • Fix JSON report format that caused Jadx and APKLab to fail to load. (#277, #281)

    Dependency update

    • Required Python version changed from 3.7 to 3.8. (#267)
  • v21.10.2(Oct 6, 2021)

    New Feat

    1. Quark-Engine can detect APIs in the extended classes now. (#247)
    2. Rules can be written into an array to reduce the number of files and IO. (#248)
    3. Graph data can be dumped in JSON format. (#250)
    4. Improve the detail report and JSON report when rules reach 60%. (#254)
    5. Add FAQ page and Organization page into the document. (#241, #253, #255)

    Bugs fixed

    1. Add hints when using freshquark and specifying rules. (#244)
    2. Reduce file IO on loading rules. (#248)
    3. Spaces between arguments in rules are no longer needed. (#249)

    Dependency update

    1. Update pillow from 8.3.1 to 8.3.2. (#246)
  • v21.10.1(Oct 6, 2021)

    New Feat

    1. Quark-Engine can detect APIs in the extended classes now. (#247)
    2. Rules can be written into an array to reduce the number of files and IO. (#248)
    3. Graph data can be dumped in JSON format. (#250)
    4. Improve the detail report and JSON report when rules reach 60%. (#254)
    5. Add FAQ page and Organization page into the document. (#241, #253, #255)

    Bugs fixed

    1. Add hints when using freshquark and specifying rules. (#244)
    2. Reduce file IO on loading rules. (#248)
    3. Spaces between arguments in rules are no longer needed. (#249)

    Dependency update

    1. Update pillow from 8.3.1 to 8.3.2. (#246)
  • v21.8.1(Aug 24, 2021)

    1. Change Travis CI to GitHub Actions
    2. Support parallel analysis
    3. Optimize the performance
    4. Fix graph recursion issue
    5. Fully support Rizin analysis
    6. Disable logging in Quark API usage
    7. Fix threshold filtering in the detailed report
  • v21.7.2(Jul 20, 2021)

  • v21.7.1(Jul 15, 2021)

    1. Support a new Android reverse engineering framework, Rizin, to analyze the APK. (#205)
    2. Make the click package optional to install. (#214) @0ssigeno
    3. Improve the taint analysis in the bytecode loader, by @haeter525
    4. Add an Optional Parameter Filter For JSON Rules (#212)
    5. Adjust some directory names. Objects->core, Evaluator->evaluator.
    6. Add VirusTotal analysis module by @pulorsok. (#195)
    7. More tests for Quark by @haeter525. (#189)
    8. Add a new feature to show Parent Functions' Cross-References In Rule Classification by @haeter525. (#192)
  • v21.6.3(Jun 24, 2021)

  • v21.6.2(Jun 9, 2021)

    1. Refactor the code in graph.py and the CLI interface.
    2. Replace the prompt package simple-term-menu with the prompt-toolkit package to support Windows/Mac/Linux and Kali Linux.
    3. Adjust the descriptions in the click options to make the wording more precise.
    4. Add a new option to show the version of Quark.

  • v21.6.1(Jun 7, 2021)

    New features:

    1. Behaviors comparison radar chart for different APKs. (#171)
    2. Support summary report and detail report for single rule/label. (#176)

    Update:

    1. Remove duplicate code.
    2. Lock dependency versions (for example, the click package) instead of installing the latest package, for better stability.
    3. Update new command-line usage on documentation.
  • v21.5.1(May 28, 2021)

    1. Add a new report to Quark-Engine, a label-based report. (#165)
    2. Support the summary report and detailed report for a single rule/label analysis. (#167)
    3. Update the documentation with more usage of Quark.
    4. Add new python package dependency, python3-pandas in Debian/control.

    Special thanks to @cryptax, @Dil3mm3, @ciastron, and @3aglew0 for their excellent work!

  • v21.4.3(Apr 7, 2021)

  • v21.4.2(Apr 7, 2021)

  • v21.4.1(Apr 7, 2021)

    1. Move the log file to the current directory.
    2. Make freshquark download the latest rules via git clone and update them via git pull.
    3. Modify the settings of the Debian package.
  • v21.3.4(Mar 30, 2021)

    1. Add command-line options to display methods, including native Android APIs, custom methods, and all methods.
    2. Delete the automatic check for rule updates in the CLI.
    3. Do not delete the existing quark-rules git directory.
    4. Promote Honeynet and GSoC.
    5. Quark will be added to Kali Linux in the near future.
    6. Change the log file location to the current directory.
  • v21.3.3(Mar 13, 2021)

  • v21.3.2(Mar 9, 2021)

    1. Redesign Quark's rules to make them easier to write.
    {
        "crime": "Get absolute path of file and put it to JSON object",
        "permission": [],
        "api": [
            {
                "class": "Ljava/io/File;",
                "method": "getAbsolutePath",
                "descriptor": "()Ljava/lang/String;"
            },
            {
                "class": "Lorg/json/JSONObject;",
                "method": "put",
                "descriptor": "(Ljava/lang/String; Ljava/lang/Object;)Lorg/json/JSONObject;"
            }
        ],
        "score": 1,
        "label": [
            "file"
        ]
    }
    
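    A small loader for the rule format shown above, written here as an added example (it is not Quark-Engine's own code). It assumes, as in the sample, that a rule pairs exactly two native API calls; it accepts either one rule object or an array of rules, walks a rules directory recursively, and strips the optional spaces between descriptor arguments so rules compare consistently. The sample rule embedded in it is constructed from the one above.

```python
import json
import os
# Constructed sample in the rule format shown above (not from quark-rules);
# the second descriptor keeps a space between argument types, as allowed.
SAMPLE_RULE = {
    "crime": "Get absolute path of file and put it to JSON object",
    "permission": [],
    "api": [
        {"class": "Ljava/io/File;", "method": "getAbsolutePath",
         "descriptor": "()Ljava/lang/String;"},
        {"class": "Lorg/json/JSONObject;", "method": "put",
         "descriptor": "(Ljava/lang/String; Ljava/lang/Object;)Lorg/json/JSONObject;"},
    ],
    "score": 1,
    "label": ["file"],
}
# Top-level keys of the rule format and the JSON type each must carry.
REQUIRED = {"crime": str, "permission": list, "api": list, "score": (int, float), "label": list}


def normalize_descriptor(descriptor):  # '(A; B;)' and '(A;B;)' become the same string
    return "".join(descriptor.split())


def validate_rule(rule):
    """Return the problems found in one rule; an empty list means it is well-formed."""
    problems = [f"bad key: {k}" for k, t in REQUIRED.items() if not isinstance(rule.get(k), t)]
    apis = rule.get("api") if isinstance(rule.get("api"), list) else []
    if len(apis) != 2:  # assumption: a rule pairs exactly two native API calls, as above
        problems.append("api must list exactly two native API calls")
    for i, api in enumerate(apis):
        problems += [f"api[{i}] lacks {f}" for f in ("class", "method", "descriptor")
                     if not isinstance(api.get(f), str)]
    return problems


def load_rules(data):
    """Accept one rule object or an array of rules; reject malformed ones, normalize descriptors."""
    rules = data if isinstance(data, list) else [data]
    for rule in rules:
        problems = validate_rule(rule)
        if problems:
            raise ValueError("; ".join(problems))
        for api in rule["api"]:
            api["descriptor"] = normalize_descriptor(api["descriptor"])
    return rules


def iter_rule_files(directory):
    """Walk a rules directory recursively, yielding every rule in every .json file."""
    for root, _dirs, files in os.walk(directory):
        for name in sorted(f for f in files if f.endswith(".json")):
            with open(os.path.join(root, name), encoding="utf-8") as fh:
                yield from load_rules(json.load(fh))
```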
  • 21.3.1(Mar 8, 2021)

  • v21.02.2(Feb 26, 2021)

    1. Better wording in the command line.
    2. Add a feature for outputting Android APIs in the command line with option -i.
    3. Fix some regular expressions in the forensic module.
    4. Fix the score sum issue.
    5. Remove duplicated crime descriptions in rule classification.
    6. More test cases for previous modules.

    We got accepted by Black Hat Asia 2021!!!
