View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0007082||Kali Linux||[All Projects] Queued Tool Addition||public||2021-03-09 03:47||2021-03-29 07:54|
|Priority||normal||Severity||minor||Reproducibility||have not tried|
|Target Version||Fixed in Version|
|Summary||0007082: Quark-Engine - An Obfuscation-Neglect Android Malware Scoring System|
|Description||Quark-Engine - An Obfuscation-Neglect Android Malware Scoring System|
- [Name] - Quark-Engine
- [Version] - 21.3.1
- [Homepage] - https://github.com/quark-engine/quark-engine
- [Download] - https://github.com/quark-engine/quark-engine/releases
- [Author] - JunWei Song(krnick)
- [Licence] - GPL v3
- [Description] - Quark-Engine is a full-featured Android analysis framework written in Python for hunting threat intelligence inside the APK, DEX files. Since it is rule-based, you can use the ones built-in or customize as needed.
With ideas decoded from criminal law, Quark-Engine has its unique angles for Android analysis. We developed a Dalvik bytecode loader that has tainted analysis inside but also defeats the obfuscation techniques used against reverse engineering. And surprisingly, the loader matches perfectly the design of our malware scoring system.
Quark-Engine is very easy to use and also provides flexible output formats. There are three types of output reports: detail report, call graph, and summary report. With these reports in mind, you can get an overview of the high-risk behavior inside Android within seconds.
Also, by integrating with other Android analysis tools such as Ghidra, APKLAB, Jadx, Quark-Engine can greatly improve the efficiency of reverse engineers.
- [Dependencies] - python3, git, graphviz
- [Similar tools] - MobSF
- [How to install] - https://github.com/quark-engine/quark-engine#installation
- [How to use] - https://quark-engine.readthedocs.io/en/latest/
Quark-Engine already presented at DEFCON 28 BTV, HITB Lockdown 002, and will release more features at BlackHat Asia 2021 Arsenal. Also, Quark-Engine is now integrated with many open-source tools, such as IntelOwl, BlackArch Linux, Pithus/Bazaar, and APKLAB.
We have experiences (ghidraquark, APKLab) developing a feature that when users click on one of the activities, the corresponding smali source codes are highlighted for manual verification. This boosts up the speed for malware analysts.
1. Integrating with Ghidra:
Quick demo for the quark usage with Ghidra
2. Android malware reports that using Quark-Engine to analyze:
3. Quark-Engine Rules:
4. BlackHat Asia 2021 Arsenal
5. DEFCON 28 BTV
6. HITB Lockdown 002
@kali-team, please could this be packaged up.
@author, If you want to help the packaging process, you can check the documentation here ~ https://www.kali.org/docs/development/public-packaging
||Thank you Kali Linux team for the acceptance of quark-engine, I'd love to work on the packaging.|
|2021-03-09 03:47||krnick||New Issue|
|2021-03-26 13:32||g0tmi1k||Note Added: 0014397|
|2021-03-26 13:33||g0tmi1k||Status||new => acknowledged|
|2021-03-26 13:33||g0tmi1k||Category||New Tool Requests => Queued Tool Addition|
|2021-03-26 13:33||g0tmi1k||Product Version||kali-dev =>|
|2021-03-29 07:54||krnick||Note Added: 0014403|
|2021-03-30 03:09||Erika carpenter||Issue cloned: 0007121|