The rule generation technique is based on the following idea:
- Sort all APIs used in an APK by their usage counts.
- Split the APIs into two groups following the Pareto principle (80/20 rule): P, the 20% of APIs with the lowest usage counts, and S, the other 80%.
- Combine P and S into four phases, each an ordered pairing of the two groups.
- Run rule generation for each phase in this order: PxP -> PxS -> SxP -> SxS.
The earlier the phase, the more valuable the rules it produces and the less time it takes, since rarely used APIs are the ones most likely to characterise a sample's behaviour, while pairs of commonly used APIs (SxS) are the largest and least distinctive set. Rules can therefore be generated phase by phase to suit the situation; under a time constraint, for example, the PxP phase alone gives an overview of the target APK.
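The following is an added example, not Quark's own code, that re-implements the phased strategy above on a constructed set of API usage counts. The API signatures, the counts, the rule that an API is not paired with itself, and the draft rule layout (modelled on the crime/permission/api/score/label fields of Quark's rule JSON) are assumptions made for illustration; it also adds a rule budget so you can see how stopping early keeps mostly PxP and PxS rules.

```python
"""Added example (not Quark's own code): a simplified re-implementation of the
phased, Pareto-based rule generation described above."""

import json
import math
from itertools import product
from typing import Dict, Iterator, List, Tuple

# Constructed sample: Smali-style API signatures and how many times each is
# called in a hypothetical APK. The counts are made up for this example.
API_USAGE_COUNTS: Dict[str, int] = {
    "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;": 1,
    "Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;)V": 1,
    "Landroid/hardware/Camera;->open()Landroid/hardware/Camera;": 2,
    "Ljava/net/URL;->openConnection()Ljava/net/URLConnection;": 3,
    "Landroid/content/Context;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;": 5,
    "Ljava/io/File;-><init>(Ljava/lang/String;)V": 12,
    "Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I": 25,
    "Ljava/lang/String;->equals(Ljava/lang/Object;)Z": 30,
    "Ljava/lang/StringBuilder;->toString()Ljava/lang/String;": 38,
    "Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;": 40,
}

# Phase order from the text: rules built from rarely used APIs come first.
PHASE_ORDER: Tuple[Tuple[str, str], ...] = (("P", "P"), ("P", "S"), ("S", "P"), ("S", "S"))


def split_apis(usage_counts: Dict[str, int], percentile_rank: float = 0.2) -> Tuple[List[str], List[str]]:
    """Sort APIs by usage count (ties broken by name so the split is deterministic)
    and cut off the least-used `percentile_rank` fraction as group P; the rest is S."""
    if not 0.0 < percentile_rank < 1.0:
        raise ValueError("percentile_rank must be strictly between 0 and 1")
    ranked = sorted(usage_counts, key=lambda api: (usage_counts[api], api))
    cut = max(1, math.ceil(len(ranked) * percentile_rank))
    return ranked[:cut], ranked[cut:]


def phased_pairs(usage_counts: Dict[str, int], percentile_rank: float = 0.2) -> Iterator[Tuple[str, List[Tuple[str, str]]]]:
    """Yield (phase name, ordered API pairs) in the order PxP, PxS, SxP, SxS.
    Pairs are ordered because a Quark rule's two APIs form a sequence; pairing an
    API with itself is skipped (an assumption made in this example)."""
    p, s = split_apis(usage_counts, percentile_rank)
    groups = {"P": p, "S": s}
    for first, second in PHASE_ORDER:
        pairs = [(a, b) for a, b in product(groups[first], groups[second]) if a != b]
        yield f"{first}x{second}", pairs


def parse_signature(signature: str) -> Dict[str, str]:
    """Split 'Lpkg/Cls;->name(args)ret' into the class/method/descriptor fields
    that the "api" entries of a Quark rule carry."""
    cls, rest = signature.split("->", 1)
    method, descriptor = rest.split("(", 1)
    return {"class": cls.rstrip(";"), "method": method, "descriptor": "(" + descriptor}


def generate_rules(usage_counts: Dict[str, int], percentile_rank: float = 0.2, max_rules: int = None) -> List[dict]:
    """Emit draft rules phase by phase and stop once `max_rules` is reached.
    With a small budget the output is dominated by PxP/PxS rules, which is the
    quick overview the text describes. Crime text, score and labels are
    placeholders meant to be filled in afterwards (e.g. in the web editor)."""
    rules: List[dict] = []
    for phase, pairs in phased_pairs(usage_counts, percentile_rank):
        for first, second in pairs:
            if max_rules is not None and len(rules) >= max_rules:
                return rules
            rules.append({
                "crime": f"[{phase}] {parse_signature(first)['method']} then {parse_signature(second)['method']}",
                "permission": [],
                "api": [parse_signature(first), parse_signature(second)],
                "score": 1,
                "label": [],
            })
    return rules


if __name__ == "__main__":
    # Time-constrained run: only the first three candidate rules.
    for rule in generate_rules(API_USAGE_COUNTS, max_rules=3):
        print(json.dumps(rule, indent=2))
```

With ten APIs and `percentile_rank=0.2`, P holds the two APIs called once (`sendTextMessage` and `getDeviceId`), so PxP yields just 2 ordered pairs, PxS and SxP 16 each, and SxS 56; a budget of three rules therefore returns both PxP rules and the first PxS rule.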
Generate rules for an APK with the following command:

```shell
$ quark -a <sample path> --generate-rule <generated rule directory path>
```

Generate rules together with the web editor with the following command:

```shell
$ quark -a <sample path> --generate-rule <generated rule directory path> -w <web editor file name>
```
The simplest way to do the same from the Python API:
```python
from quark.rulegeneration import RuleGeneration

# The target APK.
APK_PATH = "Ahmyth.apk"

# The output directory for generated rules.
GENERATED_RULE_DIR = "generated_rules"

generator = RuleGeneration(APK_PATH, GENERATED_RULE_DIR)

# Generate the rules and write the web editor to report.html.
generator.generate_rule(web_editor="report.html")
```
Web Editor Tutorial
The rule generation web editor lets you review and edit the generated rules in five steps:
- Input keywords to search rules.
- Select the generated rules you want to save.
- Edit rule information.
- Edit crime, score, and labels with the editor.
- Save the edited rule.
Radiocontrast is a Quark API that quickly generates Quark rules from a specified method. It builds rules that match 100% by pairing the native APIs called in that method, so the generated rules expose the behavior of the method, much as a radiocontrast agent makes tissue visible in imaging.
For example, suppose we want to know the behavior of the method Lahmyth/mine/king/ahmyth/CameraManager;->startUp(I)V in Ahmyth.apk.
The simplest way to use Radiocontrast:
```python
from quark.radiocontrast import RadioContrast

# The target APK.
APK_PATH = "~/apk-malware-sample/Ahmyth.apk"

# The method for which you want to generate rules.
TARGET_METHOD = "Lahmyth/mine/king/ahmyth/CameraManager;->startUp(I)V"

# The output directory for generated rules.
GENERATED_RULE_DIR = "~/generated_rules"

radiocontrast = RadioContrast(APK_PATH, TARGET_METHOD, GENERATED_RULE_DIR)
radiocontrast.generate_rule()
```
To manage the generated rules in the web editor, pass the `web_editor` parameter of `generate_rule()` as the path of the output HTML file, for example `radiocontrast.generate_rule(web_editor="report.html")`.
To filter the APIs by usage rank, pass the `percentile_rank` parameter of `generate_rule()` as the fraction of the API usage ranking to keep. For example, to keep only the 20% least used APIs, set `percentile_rank` to 0.2: `radiocontrast.generate_rule(percentile_rank=0.2)`.