View Issue Details

ID: 0007121
Project: Kali Linux
Category: [All Projects] Queued Tool Addition
View Status: public
Last Update: 2021-04-21 14:31
Reporter: Erika carpenter
Assigned To: sbrun
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 
Target Version: 
Fixed in Version: 2021.2
Summary: 0007121: Quark-Engine - An Obfuscation-Neglect Android Malware Scoring System

Description: Quark-Engine - An Obfuscation-Neglect Android Malware Scoring System

- [Name] - Quark-Engine
- [Version] - 21.3.1
- [Homepage] - https://github.com/quark-engine/quark-engine
- [Download] - https://github.com/quark-engine/quark-engine/releases
- [Author] - JunWei Song(krnick)
- [Licence] - GPL v3
- [Description] - Quark-Engine is a full-featured Android analysis framework written in Python for hunting threat intelligence inside APK and DEX files. Since it is rule-based, you can use the built-in rules or write your own as needed.

With ideas borrowed from criminal law, Quark-Engine takes its own angle on Android analysis. We developed a Dalvik bytecode loader that performs taint analysis and also defeats the obfuscation techniques used against reverse engineering. The loader turned out to match the design of our malware scoring system very well.

Quark-Engine is easy to use and provides flexible output formats. There are three types of output report: a detail report, a call graph, and a summary report. With these reports you can get an overview of the high-risk behavior inside an Android app within seconds.

By integrating with other Android analysis tools such as Ghidra, APKLAB and Jadx, Quark-Engine can also greatly improve the efficiency of reverse engineers.

- [Dependencies] - python3, git, graphviz
- [Similar tools] - MobSF
- [How to install] - https://github.com/quark-engine/quark-engine#installation
- [How to use] - https://quark-engine.readthedocs.io/en/latest/

Quark-Engine has already been presented at DEFCON 28 BTV and HITB Lockdown 002, and more features will be released at BlackHat Asia 2021 Arsenal. Quark-Engine is also integrated with many open-source tools, such as IntelOwl, BlackArch Linux, Pithus/Bazaar, and APKLAB.

We have experience (ghidraquark, APKLab) developing a feature in which, when a user clicks on one of the detected activities, the corresponding smali source code is highlighted for manual verification. This speeds up the work of malware analysts.

Reference:

1. Integrating with Ghidra:
https://github.com/quark-engine/ghidraquark
Quick demo of using Quark with Ghidra:
https://www.youtube.com/watch?v=VXzfFB2S4bo&ab_channel=JunWeiSong

2. Android malware reports produced with Quark-Engine:
https://github.com/quark-engine/quark-reports

3. Quark-Engine Rules:
https://github.com/quark-engine/quark-rules

4. BlackHat Asia 2021 Arsenal
https://www.blackhat.com/asia-21/arsenal/schedule/index.html#quark-engine-storyteller-of-android-malware-22458

5. DEFCON 28 BTV
https://www.youtube.com/watch?v=XK-yqHPnsvc&ab_channel=DEFCONConference

6. HITB Lockdown 002
https://conference.hitb.org/hitb-lockdown002/sessions/quark-engine-an-obfuscation-neglect-android-malware-scoring-system/

Relationships

has duplicate 0007082 closed sbrun Quark-Engine - An Obfuscation-Neglect Android Malware Scoring System

Activities

g0tmi1k

2021-03-26 13:32

administrator   ~0014404

@kali-team, please could this be packaged up.
@author, If you want to help the packaging process, you can check the documentation here ~ https://www.kali.org/docs/development/public-packaging

krnick

2021-03-29 07:54

reporter   ~0014405

Thank you Kali Linux team for the acceptance of quark-engine, I'd love to work on the packaging.

krnick

2021-04-08 03:14

reporter   ~0014437

Hello @g0tmi1k @kali-team,

I have packaged quark-engine as a Debian package in the latest release version "v21.4.3".

The .deb file can be downloaded here:
https://github.com/quark-engine/quark-engine/releases/tag/v21.4.3

Our Debian setting directory:
https://github.com/quark-engine/quark-engine/tree/master/debian

Note:
I have checked the package list for both "androguard" and "python3-graphviz" via apt-cache search, but "androguard" and "python3-graphviz" still need to be downloaded manually even though I put them in debian/control.

Many thanks!

sbrun

2021-04-20 13:50

manager   ~0014472

@krnick Thanks for the Debian package.

I have uploaded quark-engine to Kali. It will be available soon.

FYI, "dpkg -i quark-engine_21.4.3-0kali1_all.deb" does not install the missing dependencies even if they are listed in debian/control. That's why dpkg fails. If you use "dpkg -i" you need to run "sudo apt install -f" afterwards to install the missing dependencies. Or you can run "sudo apt install ./quark-engine_21.4.3-0kali1_all.deb" directly.

sbrun

2021-04-21 14:31

manager   ~0014473

The package is in kali-rolling.

Issue History

Date Modified Username Field Change
2021-03-30 03:09 Erika carpenter New Issue
2021-03-30 03:09 Erika carpenter Issue generated from: 0007082
2021-04-08 03:14 krnick File Added: 螢幕快照 2021-04-07 下午11.26.38.png
2021-04-08 03:14 krnick File Added: 螢幕快照 2021-04-07 下午11.26.56.png
2021-04-08 03:14 krnick File Added: 螢幕快照 2021-04-08 上午11.07.45.png
2021-04-08 03:14 krnick Note Added: 0014437
2021-04-08 06:27 sbrun Assigned To => sbrun
2021-04-08 06:27 sbrun Status acknowledged => assigned
2021-04-20 13:50 sbrun Note Added: 0014472
2021-04-20 15:13 sbrun Relationship added has duplicate 0007082
2021-04-21 14:31 sbrun Status assigned => resolved
2021-04-21 14:31 sbrun Resolution open => fixed
2021-04-21 14:31 sbrun Fixed in Version => 2021.2
2021-04-21 14:31 sbrun Note Added: 0014473