An Obfuscation-Neglect Android Malware Scoring System


Quark-Engine is also bundled with BlackArch.

Concepts

An Android malware analysis engine is not a new story. Every antivirus company has its own secrets for building one. Out of curiosity, we developed a malware scoring system from the perspective of Taiwan Criminal Law in an easy but solid way.

Criminal law has an order theory of crime that explains the stages of committing a crime. For example, the crime of murder consists of five stages: determination, conspiracy, preparation, start and practice. The later the stage, the more certain we are that the crime is actually being practiced.

Following the same principle, we developed our order theory of Android malware. It defines five stages for judging whether a malicious activity is being practiced: 1. Permission requested. 2. Native API call. 3. Certain combination of native APIs. 4. Calling sequence of the native APIs. 5. APIs that handle the same register. We not only define malicious activities and their stages but also develop weights and thresholds for calculating the threat level of a malware sample.

Malware has evolved with new techniques that make reverse engineering harder, and obfuscation is one of the most commonly used. In this talk, we present a Dalvik bytecode loader combined with the order theory of Android malware to neglect certain cases of obfuscation.

Our Dalvik bytecode loader provides functionalities such as 1. Finding cross references and the calling sequence of a native API. 2. Tracing the bytecode registers. The combination of these functionalities (yes, the order theory) not only neglects obfuscation but also matches the design of our malware scoring system perfectly.
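To make the five stages concrete, here is an added example (not quark-engine's own code) that evaluates one rule against a hand-constructed summary of an APK; the rule layout, the `Invocation`/`Rule` types, the register model and the stage weights are all assumptions for illustration, not the project's real format, weights or thresholds:

```python
# Added example (not quark-engine's own code): toy evaluator for the five-stage
# order theory above; rule format, APK facts and weights are constructed assumptions.
from dataclasses import dataclass
@dataclass
class Invocation:
    api: str             # invoked API signature
    src_regs: tuple      # registers passed as arguments
    dst_reg: str = None  # register receiving the result, None if unused

@dataclass
class Rule:
    crime: str
    permissions: set     # stage 1: all must be requested in the manifest
    api_pair: tuple      # stages 2-5 are judged on this (first, second) pair

STAGE_WEIGHTS = (1, 1, 2, 3, 5)  # assumed weights; later stages count more
def stage_reached(rule, permissions, methods):
    """Highest stage (0-5) satisfied; methods: name -> Invocations in order."""
    if not rule.permissions <= permissions:
        return 0
    api1, api2 = rule.api_pair
    if not {api1, api2} <= {inv.api for invs in methods.values() for inv in invs}:
        return 1
    best = 2
    for invs in methods.values():
        first = [i for i, inv in enumerate(invs) if inv.api == api1]
        second = [j for j, inv in enumerate(invs) if inv.api == api2]
        if not (first and second):
            continue             # both APIs exist, but in different methods
        best = max(best, 3)      # stage 3: same method
        for i in first:
            for j in (j for j in second if j > i):
                best = max(best, 4)  # stage 4: api1 invoked before api2
                dst = invs[i].dst_reg  # stage 5: api1's result register feeds api2
                if dst and dst in invs[j].src_regs and not any(  # and is not clobbered
                        invs[k].dst_reg == dst for k in range(i + 1, j)):
                    return 5
    return best

def threat_score(rule, permissions, methods):
    s = stage_reached(rule, permissions, methods)  # assumed weighted percentage
    return round(100 * sum(STAGE_WEIGHTS[:s]) / sum(STAGE_WEIGHTS))
# Constructed sample: device id read, then passed straight into an SMS send.
RULE = Rule("leak device id via SMS", {"READ_PHONE_STATE", "SEND_SMS"},
            ("Landroid/telephony/TelephonyManager;->getDeviceId()",
             "Landroid/telephony/SmsManager;->sendTextMessage(...)"))
PERMS = {"READ_PHONE_STATE", "SEND_SMS", "INTERNET"}
METHODS = {"Lcom/example/Svc;->run()V": [
    Invocation(RULE.api_pair[0], ("v0",), "v1"),
    Invocation(RULE.api_pair[1], ("v3", "v4", "v5", "v1", "v6"))]}
```

Renaming classes or splitting the calls across methods in the sample changes nothing until stage 3 or later, which is the sense in which the staged matching neglects obfuscation; an overwritten register between the two calls drops the sample back to stage 4.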

Detail Report

This is how we examine a real Android malware sample (Candy Corn) with one single rule (crime).

$ quark -a sample/14d9f1a92dd984d6040cc41ed06e273e.apk \
        -r rules/ \
        --detail

Summary Report

Examine the same sample with the rules and show only the summary report.

$ quark -a sample/14d9f1a92dd984d6040cc41ed06e273e.apk \
        -r rules/ \
        --summary

Installation

$ git clone https://github.com/quark-engine/quark-engine.git; cd quark-engine/quark
$ pipenv install --skip-lock
$ pipenv shell

Make sure your Python version is 3.7, or change the version in the Pipfile to the one you have.

Usage

$ quark --help
Usage: quark [OPTIONS]

  Quark is an Obfuscation-Neglect Android Malware Scoring System

Options:
  -s, --summary         show summary report
  -d, --detail          show detail report
  -a, --apk FILE        APK file  [required]
  -r, --rule DIRECTORY  Rules folder need to be checked  [required]
  --help                Show this message and exit.
