0007121: Quark-Engine - An Obfuscation-Neglect Android Malware Scoring System - Kali Linux Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0007121	Kali Linux	Queued Tool Addition	public	2021-03-30 03:09	2021-04-21 14:31

Reporter	Erika carpenter	Assigned To	sbrun
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	resolved	Resolution	fixed
Fixed in Version	2021.2

Summary	0007121: Quark-Engine - An Obfuscation-Neglect Android Malware Scoring System
Description	Quark-Engine - An Obfuscation-Neglect Android Malware Scoring System [Name] - Quark-Engine [Version] - 21.3.1 [Homepage] - https://github.com/quark-engine/quark-engine [Download] - https://github.com/quark-engine/quark-engine/releases [Author] - JunWei Song(krnick) [Licence] - GPL v3 [Description] - Quark-Engine is a full-featured Android analysis framework written in Python for hunting threat intelligence inside the APK, DEX files. Since it is rule-based, you can use the ones built-in or customize as needed. With ideas decoded from criminal law, Quark-Engine has its unique angles for Android analysis. We developed a Dalvik bytecode loader that has tainted analysis inside but also defeats the obfuscation techniques used against reverse engineering. And surprisingly, the loader matches perfectly the design of our malware scoring system. Quark-Engine is very easy to use and also provides flexible output formats. There are three types of output reports: detail report, call graph, and summary report. With these reports in mind, you can get an overview of the high-risk behavior inside Android within seconds. Also, by integrating with other Android analysis tools such as Ghidra, APKLAB, Jadx, Quark-Engine can greatly improve the efficiency of reverse engineers. [Dependencies] - python3, git, graphviz [Similar tools] - MobSF [How to install] - https://github.com/quark-engine/quark-engine#installation [How to use] - https://quark-engine.readthedocs.io/en/latest/ Quark-Engine already presented at DEFCON 28 BTV, HITB Lockdown 002, and will release more features at BlackHat Asia 2021 Arsenal. Also, Quark-Engine is now integrated with many open-source tools, such as IntelOwl, BlackArch Linux, Pithus/Bazaar, and APKLAB. We have experiences (ghidraquark, APKLab) developing a feature that when users click on one of the activities, the corresponding smali source codes are highlighted for manual verification. This boosts up the speed for malware analysts. Reference: Integrating with Ghidra: https://github.com/quark-engine/ghidraquark Quick demo for the quark usage with Ghidra https://www.youtube.com/watch?v=VXzfFB2S4bo&ab_channel=JunWeiSong Android malware reports that using Quark-Engine to analyze: https://github.com/quark-engine/quark-reports Quark-Engine Rules: https://github.com/quark-engine/quark-rules BlackHat Asia 2021 Arsenal https://www.blackhat.com/asia-21/arsenal/schedule/index.html#quark-engine-storyteller-of-android-malware-22458 DEFCON 28 BTV https://www.youtube.com/watch?v=XK-yqHPnsvc&ab_channel=DEFCONConference HITB Lockdown 002 https://conference.hitb.org/hitb-lockdown002/sessions/quark-engine-an-obfuscation-neglect-android-malware-scoring-system/

g0tmi1k 2021-03-26 13:32 administrator ~0014404	@kali-team, please could this be packaged up. @author, If you want to help the packaging process, you can check the documentation here ~ https://www.kali.org/docs/development/public-packaging

krnick 2021-03-29 07:54 reporter ~0014405	Thank you Kali Linux team for the acceptance of quark-engine, I'd love to work on the packaging.

krnick 2021-04-08 03:14 reporter ~0014437	Hello @g0tmi1k @kali-team, I have packaged the quark-engine to Debian package in the latest release version "v21.4.3". The .deb file could be download here: https://github.com/quark-engine/quark-engine/releases/tag/v21.4.3 Our Debian setting directory: https://github.com/quark-engine/quark-engine/tree/master/debian Note: I have checked the package list of both "androguard" and "python3-graphviz" via apt-cache search, but it still needs to manually download "androguard" and "python3-graphviz" even if I put them in debian/control. Many thanks! 螢幕快照 2021-04-07 下午11.26.38.png (35,707 bytes) 螢幕快照 2021-04-07 下午11.26.38.png (35,707 bytes) 螢幕快照 2021-04-07 下午11.26.56.png (42,507 bytes) 螢幕快照 2021-04-07 下午11.26.56.png (42,507 bytes) 螢幕快照 2021-04-08 上午11.07.45.png (207,062 bytes) 螢幕快照 2021-04-08 上午11.07.45.png (207,062 bytes)

sbrun 2021-04-20 13:50 manager ~0014472	@krnick Thanks for the Debian package. I have uploaded in Kali quark-engine. It will be available soon. FYI "dpkg -i quark-engine_21.4.3-0kali1_all.deb" does not install the missing dependencies even if they are listed in debian/control. That's why dpkg fails. If you use "dpkg -i" you need to run "sudo apt install -f" after to install the missing dependencies. Or you can run directly "sudo apt install ./quark-engine_21.4.3-0kali1_all.deb"

sbrun 2021-04-21 14:31 manager ~0014473	the package is in kali-rolling

Date Modified	Username	Field	Change
2021-03-30 03:09	Erika carpenter	New Issue
2021-03-30 03:09	Erika carpenter	Issue generated from: 0007082
2021-04-08 03:14	krnick	File Added: 螢幕快照 2021-04-07 下午11.26.38.png
2021-04-08 03:14	krnick	File Added: 螢幕快照 2021-04-07 下午11.26.56.png
2021-04-08 03:14	krnick	File Added: 螢幕快照 2021-04-08 上午11.07.45.png
2021-04-08 03:14	krnick	Note Added: 0014437
2021-04-08 06:27	sbrun	Assigned To	=> sbrun
2021-04-08 06:27	sbrun	Status	acknowledged => assigned
2021-04-20 13:50	sbrun	Note Added: 0014472
2021-04-20 15:13	sbrun	Relationship added	has duplicate 0007082
2021-04-21 14:31	sbrun	Status	assigned => resolved
2021-04-21 14:31	sbrun	Resolution	open => fixed
2021-04-21 14:31	sbrun	Fixed in Version	=> 2021.2
2021-04-21 14:31	sbrun	Note Added: 0014473