Quark-Engine Android Malware Analysis and Scoring System
Quark-Engine Android Malware Analysis and Scoring System

Quark-Engine: Android Malware (Analysis | Scoring System)

Quark-Engine is also bundled with BlackArch. A trust-worthy, practical tool that’s ready to boost up your malware reverse engineering.

Why Quark?

Android malware analysis engine is not a new story. Every antivirus company has their own secrets to build it. With curiosity, we develop a malware scoring system from the perspective of Taiwan Criminal Law in an easy but solid way.

We have an order theory of criminal which explains stages of committing a crime. For example, crime of murder consists of five stages, they are determined, conspiracy, preparation, start and practice. The latter the stage the more we’re sure that the crime is practiced.

According to the above principle, we developed our order theory of android malware. We developed five stages to see if the malicious activity is being practiced. They are 1. Permission requested. 2. Native API call. 3. Certain combination of native API. 4. Calling sequence of native API. 5. APIs that handle the same register. We not only define malicious activities and their stages but also develop weights and thresholds for calculating the threat level of a malware.

Malware evolved with new techniques to gain difficulties for reverse engineering. Obfuscation is one of the most commonly used techniques. In this talk, we present a Dalvik bytecode loader with the order theory of android malware to neglect certain cases of obfuscation.

Our Dalvik bytecode loader consists of functionalities such as 1. Finding cross reference and calling sequence of the native API. 2. Tracing the bytecode register. The combination of these functionalities (yes, the order theory) not only can neglect obfuscation but also match perfectly to the design of our malware scoring system.

Easy to Use and Reading Friendly Report

Quark is very easy to use and also provides flexible output formats. There are 3 types of output report: detail report, call graph, and summary report. Please see below for more details.

Detail Report

This is a how we examine a real android malware (candy corn) with one single rule (crime).

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -d

and the report will look like:

An Obfuscation-Neglect Android Malware Scoring System
An Obfuscation-Neglect Android Malware Scoring System

Call Graph for Every Potential Malicious Activity

You can add the -g option to the quark command, and you can get the call graph (only those rules match with 100% confidence)

quark -a Ahmyth.apk -s -g
Potential Malicious Activity
Potential Malicious Activity

Rules Classification

You can add the -c option to the quark command, and you can output the rules classification with mutual parent function (only those rules match with 100% confidence).

quark -a Ahmyth.apk -s -c
Rules Classification Quark
Rules Classification Quark

Summary Report

Examine with rules.

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -s
Summary Report Quark
Summary Report Quark

QuickStart

Requirements

  • Python 3.7+
  • git
  • graphviz

Installation

pip install -U quark-engine

Quark now has a sweet feature that helps users to get the latest detection rules daily.

Get the latest quark rules from our quark-rules repo

freshquark

Check --help to see the detailed usage description.

quark --help

You may refer to the Quark Engine Document for more details of testing and development information.

More Stories
Phirautee A Proof of Concept Crypto Virus
Phirautee: A Proof of Concept Crypto Virus