Categories: Kali Linux

Quark Engine : An Obfuscation-Neglect Android Malware Scoring System

Quark Engine is an Obfuscation-Neglect Android Malware Scoring System. Android malware analysis engine is not a new story. Every antivirus company has their own secrets to build it. With curiosity, we develop a malware scoring system from the perspective of Taiwan Criminal Law in an easy but solid way.

We have an order theory of criminal which explains stages of committing a crime. For example, crime of murder consists of five stages, they are determined, conspiracy, preparation, start and practice. The latter the stage the more we’re sure that the crime is practiced.

According to the above principle, we developed our order theory of android malware. We develop five stages to see if the malicious activity is being practiced. They are 1. Permission requested. 2. Native API call. 3. Certain combination of native API. 4. Calling sequence of native API. 5. APIs that handle the same register. We not only define malicious activities and their stages but also develop weights and thresholds for calculating the threat level of a malware.

Malware evolved with new techniques to gain difficulties for reverse engineering. Obfuscation is one of the most commonly used techniques. In this talk, we present a Dalvik bytecode loader with the order theory of android malware to neglect certain cases of obfuscation.

Our Dalvik bytecode loader consists of functionalities such as 1. Finding cross reference and calling sequence of the native API. 2. Tracing the bytecode register. The combination of these functionalities (yes, the order theory) not only can neglect obfuscation but also match perfectly to the design of our malware scoring system.

Detail Report

This is a how we examine a real android malware (candy corn) with one single rule (crime).

$ quark -a sample/14d9f1a92dd984d6040cc41ed06e273e.apk \
-r rules/ \
–detail

Summary Report

Examine with rules.

quark -a sample/14d9f1a92dd984d6040cc41ed06e273e.apk \
-r rules/ \
–summary

Installation

$ git clone https://github.com/quark-engine/quark-engine.git; cd quark-engine/quark
$ pipenv install –skip-lock
$ pipenv shell

Make sure your python version is 3.7, or you could change it from Pipfile to what you have.

Usage

$ quark –help
Usage: quark [OPTIONS]

Quark is an Obfuscation-Neglect Android Malware Scoring System

Options:
-s, –summary show summary report
-d, –detail show detail report
-a, –apk FILE APK file [required]
-r, –rule DIRECTORY Rules folder need to be checked [required]
–help Show this message and exit.

R K

Recent Posts

Bomber : Navigating Security Vulnerabilities In SBOMs

bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…

19 hours ago

EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In PNG Files

Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…

19 hours ago

Exploit Street – Navigating The New Terrain Of Windows LPEs

Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…

3 days ago

ShadowDumper – Advanced Techniques For LSASS Memory Extraction

Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…

4 days ago

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

2 weeks ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

3 weeks ago