########### Quark Rules ########### New Quark Rules For DroidKungFu =============================== New Quark rules (#00212 - #00233) are now available. These rules target `DroidKungFu `__, a malware family that gains unlimited access to a device, installs and uninstalls Apps, and forwards confidential data. Check `here `__ for the rule details. With these rules, Quark is now able to identify the DroidKungFu malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Check :ref:`here ` for the APKs we tested. Below is a summary report of a DroidKungFu sample (``D277C97B1A8A78F859672B4A20E74B3313E9F964E68A6E857C1E9D33763434A5``). The report shows that Quark identified the sample as **high-risk** and provided a list of the sample's behaviors. .. image:: https://cdn.imgpile.com/f/dna1NWm_xl.png Identified Well-Known Threats ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ With Quark's :ref:`rule classification ` feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats from DroidKungFu, as shown below. **1. Gain unlimited access to a device** .. image:: https://cdn.imgpile.com/f/4nCi9mL_xl.png The diagram shows that the ``Lcom/google/update/UpdateService;getPermission2`` function runs shell scripts and Linux commands directly, and also calls the ``Lcom/google/update/Utils;oldrun`` function to execute additional commands. Behaviors detected by Quark: * Run shell script (#00069) * Execute Linux commands (#00068, #00155) **2. Install/Uninstall additional apps** .. image:: https://cdn.imgpile.com/f/jpAr3Tm_xl.png The diagram shows that the ``Lcom/waps/k;a`` function installs APKs from a file, and calls the ``Lcom/waps/l;a`` function to install more APKs and the ``Lcom/waps/k;b`` function to connect to a URL. Behaviors detected by Quark: * Install other APKs from file (#00054) * Connect to a URL and set request method (#00096) **3. Forward confidential data** .. 
image:: https://cdn.imgpile.com/f/TsURgyN_xl.png The diagram shows that the ``Lcom/madhouse/android/ads/_;_`` function queries confidential data such as SMS and call logs and also calls the ``Lcom/madhouse/android/ads/_;__`` function to check for network connectivity. Behaviors detected by Quark: * Query confidential data (#00077, #00219, #00221) * Check for network connectivity (#00224, #00226) .. _list-of-tested-apks-droidkungfu: List of Tested APKs ~~~~~~~~~~~~~~~~~~~ The table below lists the APKs we tested. +-----+----------------------------------------------------------------+ | in | sha256 | | dex | | +=====+================================================================+ | 1 | 27 | | | A63D6412B3459E821D88A8EF133727B8DDA99262CEC71C9989EC28E394F173 | +-----+----------------------------------------------------------------+ | 2 | C3 | | | B0FF9C168FCDB02573AF741FC1E9B9E3EEA993A5407CFCF0BB29E0800760BE | +-----+----------------------------------------------------------------+ | 3 | E1 | | | 0A9E9A5758F04975FFE930AF08A339B897FF72DF85BE1707184C697C0E954F | +-----+----------------------------------------------------------------+ | 4 | 2C | | | 6B542B30C644BE1840E38EB8ED4592B671E4734C08FE57B315B92299B23A4A | +-----+----------------------------------------------------------------+ | 5 | 1E | | | C91FF1EA8ACCBC4181F3DF94C6A285013EC7A7D60467DEB9250E7681F4B73C | +-----+----------------------------------------------------------------+ | 6 | 20 | | | 639CFB1369F3D490ED532FE30E294ED4058B7D67C426484D7028B7B2B165E5 | +-----+----------------------------------------------------------------+ | 7 | 5F | | | 7A40015A1F3F42802424EC776799F5E0960F19E9BF8C86298AA5CFAC116BF6 | +-----+----------------------------------------------------------------+ | 8 | E2 | | | BC4E09BA57740C17F033F6B116EC0316771EF8C1DCB99145EEAC17F15FF2FA | +-----+----------------------------------------------------------------+ | 9 | 7F | | | 027D19AD8FCD2F4C6A6C74742DED6D1D7758FCD72BDD8B5590053BE65A1D2D | 
+-----+----------------------------------------------------------------+ | 10 | 21 | | | D4EB1ADA6CA0925AB8E21D30BFF8A40E88BC60773700B003C048BF8619E75E | +-----+----------------------------------------------------------------+ | 11 | 73 | | | A27FCF9FDE6D7EBC39F4995BD7DAA4F433C37314C0016D75C50CC39AE7A785 | +-----+----------------------------------------------------------------+ | 12 | 4E | | | A68DEB209A29ED0B1FA7F7555006DEC050D8F77CF5820B550E32E5A6F6F88C | +-----+----------------------------------------------------------------+ | 13 | E6 | | | 440A1AB96884C44250F2DB53618FC6762DD13EEBC59D1095F1E188D40C68E4 | +-----+----------------------------------------------------------------+ | 14 | C1 | | | 7D0979882468CCC26FDE81F5C6F0DDFB602F9AB9D3C92AC355C8D87A585380 | +-----+----------------------------------------------------------------+ | 15 | 47 | | | 7C68553FF88F831026E8842FE99FE14B2DDF08821A0CA3072B7EDBC872A292 | +-----+----------------------------------------------------------------+ | 16 | B4 | | | 098AE6205E3808A6B79495B2027452A7B8191200402F8BA32DBA0EAB21EA99 | +-----+----------------------------------------------------------------+ | 17 | 39 | | | 3456E6368079F36DC0CEA861361F976A5CD6A3191B69E49CFD6BF4692DC57E | +-----+----------------------------------------------------------------+ | 18 | 16 | | | A0C217F26C948D683B515CBB9E06CC0AAC422A951CE9E9E532D7A571152D2F | +-----+----------------------------------------------------------------+ | 19 | D2 | | | 77C97B1A8A78F859672B4A20E74B3313E9F964E68A6E857C1E9D33763434A5 | +-----+----------------------------------------------------------------+ | 20 | 51 | | | BFB82709E927D65770E5C59AB6EB96B73B19525E127F60A25831CD2B8AEE82 | +-----+----------------------------------------------------------------+ | 21 | C0 | | | 8539123E1F40439E0DB7DDEEDD6BF6B079AB5E62B2208E22884B28306C1CCA | +-----+----------------------------------------------------------------+ | 22 | 15 | | | D1FDC4B27509DF6D31F851675D03A21939A165B2011BFE0DB5EEA69BBB6B3D 
| +-----+----------------------------------------------------------------+ | 23 | 94 | | | BC85F5458E313AA138C9F4E4B8ED3AB8642694A07427B80441B8A538EC462C | +-----+----------------------------------------------------------------+ | 24 | 41 | | | DD548C530516448CB6A28DA67407725163F9620D92A35F8735FA4135ECC0A2 | +-----+----------------------------------------------------------------+ | 25 | A8 | | | 7C8FE4D821CB2B15FB4E1ADDF63E88DE7D09D37178A910C9221EA979C16F81 | +-----+----------------------------------------------------------------+ | 26 | 3B | | | 736A91DCA7AE8608C2174AD589400D3FD5FAE55A395920841A49EB10657A37 | +-----+----------------------------------------------------------------+ | 27 | 80 | | | 0A8CFF0C559C9478E6941B5E0B30E3848E8A0F9246C8E0C1A34A1459288D68 | +-----+----------------------------------------------------------------+ | 28 | BE | | | DF51A5732D94C173BCD8ED918333954F5A78307C2A2F064B97B43278330F54 | +-----+----------------------------------------------------------------+ | 29 | E2 | | | 0D4994C8A13854CD835919F5620A9B6217AC444016F9E97C3E9C3464E2F5CB | +-----+----------------------------------------------------------------+ | 30 | AB | | | 0A824F00E4AEE68A17DAD86182B6FFE83D6D7D07D572D31183CF4A8C1723DA | +-----+----------------------------------------------------------------+ | 31 | AE | | | BB5050F17588F0D3936B1B13BF7DCD856A7ACD8DB107C4853E7A9058D2A0CA | +-----+----------------------------------------------------------------+ | 32 | AF | | | 33315DFBF3ED5A0D28E8ED03A79D20C3B77B16129CCA9439BB4CBDDCA076E2 | +-----+----------------------------------------------------------------+ | 33 | 0A | | | E6CECB96E4515F4536EFC711D583A447FFFDF2BCD4E04D2F4A0347F63E40EA | +-----+----------------------------------------------------------------+ | 34 | 3C | | | 81C9DF7CE0F94918CD0B833B070DFBBCEACF8688824AFBC6344E975EDFEB24 | +-----+----------------------------------------------------------------+ | 35 | C5 | | | 
C508FD88D058F5E2B3ABC2A066C52C1FAFB148F27000C47DA859945F771512 | +-----+----------------------------------------------------------------+ | 36 | FE | | | 98A9B6D1ACF4E2B52CAF0015E90B9FAB856B0C0AA581D526F3D2951B2F7904 | +-----+----------------------------------------------------------------+ | 37 | BA | | | 949E090EAB02005F9B1823B59AA4329017EA2441E81734F4827B3822C9704E | +-----+----------------------------------------------------------------+ | 38 | B6 | | | BF9FACFA89990ADF7F01D561875AC54D7577CA351D0C23D69B5E83E376963E | +-----+----------------------------------------------------------------+ | 39 | 2A | | | 93EB58C737572DD375A36F8A5397140C815DCAE05DC80DAFAAD4B3981A91B6 | +-----+----------------------------------------------------------------+ | 40 | D2 | | | E2396D8F6052E551E84CC69A97DB7D3D08DF9B3AA40C0070A7CE96B33622C8 | +-----+----------------------------------------------------------------+ | 41 | 25 | | | BE589140F73949124F08759AB5BB57B126396F1401E3BFBFDC5E5C056E0D03 | +-----+----------------------------------------------------------------+ | 42 | 41 | | | BD9843692B7421B2FBCEAC3C2F6AF3CE9C92339C10D43898E7E072B8E28BE3 | +-----+----------------------------------------------------------------+ | 43 | 3A | | | C65392A5E371D1FF5C7A2CBF580A4F3C2A5B36E11C01601D6B38D715C2A74B | +-----+----------------------------------------------------------------+ | 44 | 5D | | | 3A915B34D0925B9EA4A7E33E8E70A428B22CE57CD17CFB20DF37F463502B82 | +-----+----------------------------------------------------------------+ | 45 | 94 | | | A96E66ABC0ACEF751AF0C2140AE7CAD05E434609EB56FE6A6E6602FFE3E4B9 | +-----+----------------------------------------------------------------+ | 46 | 67 | | | E794151DD32338E0B1935A77ACA5B9A8D87C12C7A088326C2E9F2FFF048279 | +-----+----------------------------------------------------------------+ | 47 | 40 | | | BA6610360FFFE5BAFEE8504751C78B5AF3B913DA1C2D4AE97AEEA156E5510B | +-----+----------------------------------------------------------------+ | 48 | 19 | | 
| 7041741B0DD2FACE3C01A2FE82AC697A6B6B801B7DC2D3579DA7BBF56ACD73 | +-----+----------------------------------------------------------------+ | 49 | 8C | | | 5130774E5F1E8F6A0A16281A5AF22C5AC1FCD46DE907667714760ECB76F7EC | +-----+----------------------------------------------------------------+ | 50 | 86 | | | FDE6F59EF9A8F762AF7BB62DFC4467CA9BD3ACC63E50E5AB78A7B4487ED70D | +-----+----------------------------------------------------------------+ | 51 | 0B | | | 33469936791DB785E8546BB752AA75DE4C3227293A4237249DBD05FC12D039 | +-----+----------------------------------------------------------------+ | 52 | 25 | | | 061C50965D05E98E409E3A07FE4CE4825A9DACFF46A79FE57EDA7BFD184DEA | +-----+----------------------------------------------------------------+ | 53 | D2 | | | 187491BAD25E07B6817CDD3F044466B8FE2BE63D255DA2FE7CA58E8C8C6321 | +-----+----------------------------------------------------------------+ | 54 | 44 | | | 6A635890947E7956D5E8DD10C758A733144D573528153D6F5AFD0DD038BFC4 | +-----+----------------------------------------------------------------+ | 55 | DB | | | 104CAC9471650E5E5AF54E14C80F6247E16923E78E41DFAEED42F28CF5C523 | +-----+----------------------------------------------------------------+ | 56 | 42 | | | 69E9F03F43D82DF992B417E961554CAECB80D06CA3B0C1B847A09FD257901F | +-----+----------------------------------------------------------------+ | 57 | C3 | | | 1BC398066441E6FDB5F98EE6A4529D6F51925F4951EA679C028E50D0CAD950 | +-----+----------------------------------------------------------------+ | 58 | EC | | | 6212709ED75DEFC848626D2888B685AEAFC4FFD655AD830557F9994E8995F3 | +-----+----------------------------------------------------------------+ | 59 | 66 | | | BB9310F7063CC3B12F803D2C809C1DB46AB29F229599BE81728C432C208C9F | +-----+----------------------------------------------------------------+ | 60 | BA | | | A24D27A78F0641ACF806BD03722AA47F1DCBC42F1CCA04B14B0118E398F94A | +-----+----------------------------------------------------------------+ | 61 | AC | 
| | 5E59080E8E951AA5C62038D606E2BD3F8A20C0552F8E1B326B407D4BDCAA15 | +-----+----------------------------------------------------------------+ | 62 | 82 | | | 3EE1A0F81C0067F804B3F2497E8268A677C76D90DDD261A910CFE8D116897D | +-----+----------------------------------------------------------------+ | 63 | F3 | | | F52121296119FF32C334075EA80B74495FDE648A7204BED66268B285FBF199 | +-----+----------------------------------------------------------------+ | 64 | 0D | | | 9CB8010681D5F35969FB84F96FFCC53DD0B37AEE62F522C2972BEBF2759F02 | +-----+----------------------------------------------------------------+ | 65 | 03 | | | 259A1228E3AD616F10C2370B8C142A8D20132505FBC5CDB5137322A8A03FC6 | +-----+----------------------------------------------------------------+ | 66 | 8C | | | B684F1C8FDA8D16E9399F9B75AE1972888BA4398EEE1A7BAAB311DAEAD5F0E | +-----+----------------------------------------------------------------+ | 67 | 27 | | | B02028221B1AE647BD749EF916AC4D0AD39BA3C961ECD1AE37DF7988488225 | +-----+----------------------------------------------------------------+ | 68 | 56 | | | 628C603FDB1F33FDB8E53D796919F5385A9BAC31E3217A20F2E7531543CBD2 | +-----+----------------------------------------------------------------+ | 69 | 00 | | | 621E015191863041E78726B863B7E1374B17FDA690367878D1272B0E44B232 | +-----+----------------------------------------------------------------+ | 70 | 4D | | | 62CFEE89DFC4451BDA6FC9E6C09189B6BAD089E2E97E36084FD0E910363D76 | +-----+----------------------------------------------------------------+ | 71 | 04 | | | 9D5D5E6DDA98F512E0A9FD2D8E3299BB16ADFB63D95033ED6A839588D14425 | +-----+----------------------------------------------------------------+ | 72 | 64 | | | AB7A8E612D8D60C1C4CC8CE1B4ACE4AAFCEC7E1F5239894F2B214B094FA1B1 | +-----+----------------------------------------------------------------+ | 73 | 3E | | | 38E7FF5776548DA0FA1AFF91B364B338D5D7D51E6CB4E3ABFE2FF4B9BF985A | +-----+----------------------------------------------------------------+ | 74 | 3E 
| | | BB4C2BC959080EB9BA2328D10610B59E77892667F8CC5794479F0625E283EC | +-----+----------------------------------------------------------------+ | 75 | 4D | | | C7570244C38A690BCA52A8DA1B9108C7A0EE214FBC0A972725D43C8C78FA9A | +-----+----------------------------------------------------------------+ | 76 | EB | | | 2F047FE3AEA452F1867EC57FAE2E4E853652FE9CBABDD995A11C6FEC0D6500 | +-----+----------------------------------------------------------------+ | 77 | 1B | | | 7F0C198CB2278218B177F79F16D8C8CE9D7E46E2E65D2B6ACD61A3BA8C455A | +-----+----------------------------------------------------------------+ | 78 | 8E | | | 6DFA5676DAD428FD3BB767D33B74920D4B3E5D51821A1501D0ADC35B834A50 | +-----+----------------------------------------------------------------+ | 79 | 24 | | | CCB1BF995EEE442CC4BB86828795BEB0043CA5BF694B3765FBBDA7F69F4E40 | +-----+----------------------------------------------------------------+ | 80 | E7 | | | 0FB0052314184463A9F7D194DEE438FA381C6584B8009F178785E0E8CC5D66 | +-----+----------------------------------------------------------------+ | 81 | BA | | | F7340F3F1FD943A0A0E79FF59CAD5362D1BA45F05EB172A6730455F8CD55FA | +-----+----------------------------------------------------------------+ | 82 | CD | | | 3AF68A6C2D93D0261962F50F8DBBB9D72BF952A88414B33DDA49C613DBD8B5 | +-----+----------------------------------------------------------------+ | 83 | BA | | | 14BC0202CF321F4368E0DEE08E67CC7B55AC3A03AAF1726E03C4CC0AB44F02 | +-----+----------------------------------------------------------------+ | 84 | 05 | | | C68734C04460DFF87618C0065457788EDCAD84C23F32113B156A963290D917 | +-----+----------------------------------------------------------------+ | 85 | 09 | | | B952BB0E499EA71E042F6984E6E7632FE1B2F646E212E16468B54A7D0E4253 | +-----+----------------------------------------------------------------+ | 86 | 70 | | | 3B9C40116A1AF70522933D25B72E85863EF177F937B28CE82C048928C83379 | +-----+----------------------------------------------------------------+ | 87 | 
97 | | | CE153A87917E46907CE3C43328FA398BADA713ADF9DF7A756174EE8C7F50E5 | +-----+----------------------------------------------------------------+ | 88 | A5 | | | 706AD49019EF9671242437834A492170F6DDBBD11DF2BE8D0C7F0477530CBE | +-----+----------------------------------------------------------------+ | 89 | 4F | | | FF4F4F98197ACD4A943ACEDE362D4C64F9D20EE5E64F7D0F4E66F3DD08FBBC | +-----+----------------------------------------------------------------+ | 90 | 54 | | | F84DBB2A95A53AF72E7346CBE139BDEA1759C92C50AD202B66E8F6D548D876 | +-----+----------------------------------------------------------------+ | 91 | 93 | | | BC7CAE3DC7ECAFB01A9D136A7D24E280673F7DDE1B30F545E1FE2646E8A66C | +-----+----------------------------------------------------------------+ | 92 | 66 | | | ACC04320B125B0974DF859850C1A5B2B9C2B58768CBAB83A93BA955FA9287F | +-----+----------------------------------------------------------------+ | 93 | C5 | | | EA7E9101DCE70C56A0F48B622FCFF619D615F5034B15D21BDB7F40B74602CF | +-----+----------------------------------------------------------------+ | 94 | 14 | | | F44E244274BF9A698960DAA82D98D3FD66AC7E8FE6F7F9916F164E468C30A7 | +-----+----------------------------------------------------------------+ | 95 | 0F | | | 2931043C240C14DE48C7A6630752474C3FE5A87A5113F13851CFE8D14754DC | +-----+----------------------------------------------------------------+ | 96 | 1C | | | 5A89EB4638229DD8DC6D4F55BCAC8D565D2FEF20F6BEFE52270D50973B6151 | +-----+----------------------------------------------------------------+ | 97 | A1 | | | F98073B0D39B6E3A981D7DB2C528CC9B88A4CC207350F4467916F265D0244F | +-----+----------------------------------------------------------------+ | 98 | A1 | | | 28DE003C61B08C439F181253A5C8882DE1C48F517B0B0BF6B18614D11E2674 | +-----+----------------------------------------------------------------+ | 99 | D6 | | | 95B7310BED20E3AE00C0C4754039C3BB095062F4D746897BDF417444F454C9 | +-----+----------------------------------------------------------------+ | 
100 | F5 | | | 2BD07D3457B69720C9A54BE5730545BFCC80269BE749FACA723906A303AD33 | +-----+----------------------------------------------------------------+ | 101 | B4 | | | 524506739CBF40D3C823D716FA2DEB9ACE38C199CF0F7661FE8DDF688953E6 | +-----+----------------------------------------------------------------+ | 102 | 43 | | | 567A80FB8122F77E1CF72CFD898A6B9BFDC18F27EBE716C444143E03630200 | +-----+----------------------------------------------------------------+ | 103 | 22 | | | 20A2EBB3068D1C912189CA6F8E89D0E63836E40A75F5E5C2B7B99A498E7CBA | +-----+----------------------------------------------------------------+ | 104 | E5 | | | 8BF56343D6A44B0D863534426109B348673C76EC433BF310E638F34EB786B7 | +-----+----------------------------------------------------------------+ | 105 | 30 | | | 866091584856AC8A7F353172C3D9B0643602F351BE56BA92B4AB2DFD68230D | +-----+----------------------------------------------------------------+ | 106 | 1E | | | 1D93EDC231E7F2FAE9ABB825640E803137A1A672B9D5E93BDFA6D7E8F57DCE | +-----+----------------------------------------------------------------+ | 107 | 3D | | | 210599B3EE6C84D9D8FCB236C02394D24974EE3E0FE2D03B013D538E611CE1 | +-----+----------------------------------------------------------------+ | 108 | 51 | | | 07DEDE507180C8458C4E5F87E27F580521F365A54D9E71286ACF0E54DB9E1E | +-----+----------------------------------------------------------------+ | 109 | 5D | | | 5624B266E294C0DC7673D2FB8E126EC559D37CEC74C5508D8E6674377EF107 | +-----+----------------------------------------------------------------+ | 110 | DA | | | 2EE0B84AC470986543ACCA1F4C51DEF534D23F04E39F0DD85CCCBA45232738 | +-----+----------------------------------------------------------------+ | 111 | 72 | | | 865ADB5BAFDA646F6F60834E0462E1626C88F075E4161F3CE0EBF217D6C4CB | +-----+----------------------------------------------------------------+ | 112 | 8E | | | A992D99898B26E014F82C475F605D90BF0828CFE244922197020B62147B55C | 
+-----+----------------------------------------------------------------+ | 113 | 45 | | | 36BF0914B3D76047AEB6EA92F21D0CB7561F68DAE870DB3F6DE9FD7420B785 | +-----+----------------------------------------------------------------+ | 114 | CA | | | 8EB1155C2F5B33822B906F2255CDEAC0EEAD86A58F151C11BD5003458CFCA1 | +-----+----------------------------------------------------------------+ | 115 | 00 | | | 1E0F67B5BB9DDAB14FACBEF94791EAED0EB939BCB651D19DAFD0E2A05D8178 | +-----+----------------------------------------------------------------+ | 116 | 37 | | | C1F16781B2399019AAF2525834ADFE00592F1C62D07D1B0C91A40E11D1B80C | +-----+----------------------------------------------------------------+ | 117 | F1 | | | 57946D3868FBE013EC23B14F1097BB727654B4F3926322F035E86E3F5F637E | +-----+----------------------------------------------------------------+ | 118 | E9 | | | 484114F77952ECE8234927BCC865886938C41F4F4657741F01B22A214E10FA | +-----+----------------------------------------------------------------+ | 119 | B0 | | | CCDE6A945212ED23F3E85CD861D73A42A98C53D63237CD3C0EB67DDA57BDBC | +-----+----------------------------------------------------------------+ | 120 | C9 | | | 07757169BBE2A5FA05080B75E5E273F0EF02B06552BF4DF3C386096FEFDD20 | +-----+----------------------------------------------------------------+ | 121 | 0F | | | A18A95361BBF4413A9B734B540F52C6BD2411090DEC4D7E3DB6708FEDC68AE | +-----+----------------------------------------------------------------+ | 122 | 6E | | | D52331A788EF18727C8E34746B59DB81ACDB261659934BE63B0266FB7C19E7 | +-----+----------------------------------------------------------------+ | 123 | BC | | | E128DBE9A75CCADE50ECAD2E52499F67E58479ECD69861B3D117984DF47136 | +-----+----------------------------------------------------------------+ | 124 | AB | | | 4B4D65A4C7CB3AAFBB7E6630830393D43E619881DA76EE06760466FB79E894 | +-----+----------------------------------------------------------------+ | 125 | 87 | | | 
7BBED1EC7BA716D70754F6F015C950217FA16F6EA70833B0196C7C560B8239 | +-----+----------------------------------------------------------------+ | 126 | 00 | | | 15AE7C27688D45F79170DCEA16131CE557912A1A0C5F3B6B0465EE0774A452 | +-----+----------------------------------------------------------------+ | 127 | B2 | | | 4B268C7C9574BB5FFA48C239F77089BD14BA3EA8B6DDE3DA42958569477D01 | +-----+----------------------------------------------------------------+ | 128 | 38 | | | 070B4D027E0256E6B8538384E374E14D7F8006920A60E9BB9238CD45855CC6 | +-----+----------------------------------------------------------------+ | 129 | 7B | | | 5338E1E7BF8B4816B821DB9ED042ED13CE4F8EBD1748BA9788B070E45BF03D | +-----+----------------------------------------------------------------+ | 130 | 4F | | | 1CBB091DCDE0CD0E8FE0D4BD27134750BAC6711029E0A37179832AD3698EA9 | +-----+----------------------------------------------------------------+ | 131 | E2 | | | 6656A75FB347F317ACC7A670F8D16DD4C4433691443A77B46C84B9E3A0FB66 | +-----+----------------------------------------------------------------+ | 132 | B9 | | | 0564F3809FC8B0B0CE1CBC53DBFF6C6A293BCFCC5EF7821E28BF87262FB9FD | +-----+----------------------------------------------------------------+ | 133 | EE | | | 21782BF346B26411CB00CA83F91AA18C01CF67086D500E66672A0DE046FFAD | +-----+----------------------------------------------------------------+ | 134 | 24 | | | 2A0048497BCBDEB4D1A5A43DF08E492BFD42B0B85FF63B2C2A49AD5EA50829 | +-----+----------------------------------------------------------------+ | 135 | 53 | | | 702B51E102AC3AD7C859019B8640B88D65B3D6008825ACA2D1FCB80B2FA845 | +-----+----------------------------------------------------------------+ | 136 | FA | | | E5B82A8DDD7C6EA2B417711E7D0FF8EE02244B7FF9980BCDADFB940EC85096 | +-----+----------------------------------------------------------------+ | 137 | 0F | | | CE8643A036D954E75ECA205B2EBA45629C999AA13ABF8896B4BBC07B0BCFA7 | +-----+----------------------------------------------------------------+ | 
138 | D3 | | | 4E040FD052963C9348B8AF50B415419216BE1A00DBF25C7F7B86545EF84C7C | +-----+----------------------------------------------------------------+ | 139 | 9C | | | 6724919CAF4DC134AACF828A62663084DDCD6459FD1249DF36BCFFC7EF2EBB | +-----+----------------------------------------------------------------+ | 140 | 91 | | | 84D161D1931A58CFA091569CDE481FCC87AA3A4D32C24622A29EAEA5FC3EEE | +-----+----------------------------------------------------------------+ | 141 | C9 | | | 2E7ABD460FF39CB41709416959366739B08006DC2EEA05E367981F9578E6B0 | +-----+----------------------------------------------------------------+ | 142 | B3 | | | 27C0BBB16C9ADCD566877AC29DC0B0EDCFF9E654DAD66C514B19877A45B6C8 | +-----+----------------------------------------------------------------+ | 143 | 62 | | | 923018BFCFB2AD1F05EDE135024EDBBADB20DFF9F816EC3F846B2900636ACF | +-----+----------------------------------------------------------------+ | 144 | 2B | | | AF6E70672789096752383F0DFDA9774A3FEF55CD64C5AD7FE5CE02F4BEB8FB | +-----+----------------------------------------------------------------+ | 145 | 72 | | | E6AE9CD081F8D38488CF4077F66DB0F97CEF486A60EB38C593BA82DB77ECD8 | +-----+----------------------------------------------------------------+ | 146 | F6 | | | EB0EB6FDBB4A1615050F59EB6FAE8F999824E5D65CE1A437761FE7BE4B8215 | +-----+----------------------------------------------------------------+ | 147 | F7 | | | B038B441E051B3BCC6F40964C215F61A3A226EF3A1B8D58A36E135115DBCFE | +-----+----------------------------------------------------------------+ | 148 | 73 | | | 5F5724975302D23C7CCB6F69C0AB4C64F3E63AF38E828E302DCE79FB08593A | +-----+----------------------------------------------------------------+ | 149 | 80 | | | 612FE193401626268553C54A865E67B76311E782005EDE2BA7A87A5D637420 | +-----+----------------------------------------------------------------+ | 150 | 93 | | | 8EFB5BDC96D353B28AF57DA2021B6A3C5A64452067059BF50D7FB7C7A66426 | 
+-----+----------------------------------------------------------------+ | 151 | 84 | | | C7A452E72ABC4EAA51AD8F3569A6E10365804A963FA61C034FD1F3DC846957 | +-----+----------------------------------------------------------------+ | 152 | 07 | | | FEAA0E04E56CB3CCD06FD7902A9D9CEC48DFD901BD6D5E07ADE81448DCC5D6 | +-----+----------------------------------------------------------------+ | 153 | 64 | | | 47ED2ABE5AB3827C519BC1EB732159FFE284BE73B8780F294F562996DC9C47 | +-----+----------------------------------------------------------------+ | 154 | 51 | | | 37EDD9FA6E73BE3B5C14C50FAF0B6602C7A155E30A931D2A98B31AC1E021C9 | +-----+----------------------------------------------------------------+ | 155 | 53 | | | B1523A8F52D3C924043B93AC44FB96F2D496D1C054D873E62B5BC9644B1B52 | +-----+----------------------------------------------------------------+ | 156 | D7 | | | D47ABC80CDBC7D0AEDF9B8E863E28F0B79CA47D71155A3D364EF096DF98D7E | +-----+----------------------------------------------------------------+ | 157 | AC | | | 48E0526730A611D363AE5DBFD2F3AA4296BD71C66E13B9DB3D272B754EDCD9 | +-----+----------------------------------------------------------------+ | 158 | 42 | | | 2B2A9F8547E4239E1BB508359872C6365B42ECC460C82A0FABAC04F2E44808 | +-----+----------------------------------------------------------------+ | 159 | 7D | | | 4FD317B9E19AF2BBC5B707C3CCCA5D504B11371D10E3CBAF0AB4E56D0ACAB0 | +-----+----------------------------------------------------------------+ | 160 | D5 | | | C60074995C0AA0842AEF02269C8567F8B59902E4AADB865C69CB3738D9051F | +-----+----------------------------------------------------------------+ | 161 | C8 | | | B6CC0BA9DDD2206FD35AA3AD379B169DEBFE223A0EE0E5AA28DA1AA683343C | +-----+----------------------------------------------------------------+ | 162 | 92 | | | 1F76D6153E86E480A1FE309A19DA4F75B85BC3F85F3826694977CD2046F0A3 | +-----+----------------------------------------------------------------+ | 163 | C7 | | | 
C46F7E5F58B1E6912BC0638475840741CAED5685AF0AB6B563A637B92D41A3 | +-----+----------------------------------------------------------------+ | 164 | 37 | | | D382FAAFCAAD6F8BF5DA383CB8703B7094A045AEAC5E13B5F4225C6272A615 | +-----+----------------------------------------------------------------+ | 165 | 65 | | | CEFD92274FB4AF9F33728F8759A6BE835C7550B96EDAB798787CBB8EC95FB3 | +-----+----------------------------------------------------------------+ | 166 | 28 | | | 7E705784FE12335E9355C20F8BC8072A7A6A87DEA751CE471CCE37D426E9F0 | +-----+----------------------------------------------------------------+ | 167 | AE | | | F39A6FAEB83695C7D97B93E6BC550D0AED93EFE886E651A1610DD8B2ED013A | +-----+----------------------------------------------------------------+ | 168 | CB | | | D9BA3E8D82F9D475C81BC3C057C19869810B2CD47E6EDBF392B4A7612F8239 | +-----+----------------------------------------------------------------+ | 169 | 51 | | | F16E4D41EC420E8520220D44B0088C81619014896BE524F411B718E730A33F | +-----+----------------------------------------------------------------+ | 170 | CF | | | 997FE5C0AB00EA447EE13F7DEEC8E97EFE412F65355448F04565A1F7AC0E72 | +-----+----------------------------------------------------------------+ | 171 | E4 | | | EB02B2D64D33E4C0536406BFC9A6D8FCC6B5237642D92333EE3E089BD82723 | +-----+----------------------------------------------------------------+ | 172 | 5B | | | 8D52ABE9FA8E849A89CF87F90CB07E77BB429E0FE5F518873C8B26EE231A87 | +-----+----------------------------------------------------------------+ | 173 | C9 | | | 6029C4F9777C9D521249EE1AC27F75C2350614C361469D0C7B3F8124DA3E14 | +-----+----------------------------------------------------------------+ | 174 | A0 | | | E3891E0790A9EC38EA05BCC0EA7067E98CED68DBCAFEE10A5F73D560A97B17 | +-----+----------------------------------------------------------------+ | 175 | FD | | | ED1EC2D17F957B230FEB5FFF518EC98322A1617E4E28953FF38270CB16098A | +-----+----------------------------------------------------------------+ | 
176 | EB | | | E06DFB790CCEC41432637C593139E6C813AF0BA0F1366FF9FF12F8DD89AD40 | +-----+----------------------------------------------------------------+ | 177 | 2D | | | 2C183A82B5F13E458946DEFA3D2DC361B6FBB1321FE0535DAB40FCA4B7C272 | +-----+----------------------------------------------------------------+ | 178 | A6 | | | 291A63E3B4E8E3B58E96DB2A98BA918E674B21B3483EC0A69DA5C5594390D8 | +-----+----------------------------------------------------------------+ | 179 | C7 | | | BE73CAC9A130F487490E98B811F707492F92EEB989D75681F113FC7B184F95 | +-----+----------------------------------------------------------------+ | 180 | 35 | | | CEFBC2F7DB302E881DAEBB572093D721E3E94CDDEC465B6F08877095B572BD | +-----+----------------------------------------------------------------+ | 181 | 6E | | | 417844E162251228B6305C70ACC481F423036C6F14DA753F8C591F115EA8E0 | +-----+----------------------------------------------------------------+ | 182 | 58 | | | 96A3D47B5CEEAAD8C69D9811C79438233EF78E042EBEEFF807C69B6EE63FB2 | +-----+----------------------------------------------------------------+ | 183 | 3A | | | 867B8D991A3125CA3ED27E2F0D6568277AEC1CD15A0D8F9201981F4A5EEC6D | +-----+----------------------------------------------------------------+ | 184 | D0 | | | F06064FD7C105AFB139A30010104E1FE4A41A0967E450F9509ED7AA793AA1A | +-----+----------------------------------------------------------------+ | 185 | F1 | | | 9B3B007B54813C8395F826D76ABB6C7573286D9866ECF1F71CBBB75C12BF04 | +-----+----------------------------------------------------------------+ | 186 | EF | | | 2B268D4FF17708D1D01E363CB486E7AA83616AB595434535CFB33BE0F716C4 | +-----+----------------------------------------------------------------+ | 187 | E1 | | | 16D6C8F922AE101D2AF721AF3D183DD12D47A167312266E54C02F8B5AE53E3 | +-----+----------------------------------------------------------------+ | 188 | C7 | | | EE00F75D464EFE63FBF3998517B171AA296DBD3254E95DF25BC579F8517AA2 | 
New Quark Rules For GoldDream
===============================

New Quark rules (#00234 - #00237) are now available. These rules target `GoldDream `__, a malware family that monitors SMS messages and phone calls and uploads them to remote servers. Check `here `__ for the rule details.

With these rules, Quark is now able to identify the GoldDream malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here <list-of-tested-apks-golddream>` for the APKs we tested.

Below is a summary report of a GoldDream sample (``ECA3A3666B0FD72028431431E7FAE6774A8CA692E35AE3CB44FD8F2AA418F746``). The report shows that Quark identified the sample as **high-risk**, with a list of behaviors as evidence.

.. image:: https://cdn.imgpile.com/f/qg9XDXG_xl.png

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's :ref:`rule classification ` feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 2 well-known threats from GoldDream, as shown below.

**1. Monitor SMS messages and phone calls**

.. image:: https://cdn.imgpile.com/f/egCf5BD_xl.png

The behavior map shows that the ``Lcom/sjhi/client/zjReceiver;onReceive`` function monitors SMS messages and phone call activity. It also calls the ``Lcom/sjhi/client/zjReceiver;a`` function to collect the data into files.

Behaviors detected by Quark:

* Monitor incoming call status (#00064)
* Monitor incoming SMS message (#00234)
* Monitor outgoing phone call (#00235)
* Write data to file (#00236)

**2. Upload SMS messages and phone calls to remote servers**

.. image:: https://cdn.imgpile.com/f/SOrA9Qz_xl.png

The behavior map shows that the ``Lcom/sjhi/client/e;a`` function connects to a URL and writes a file to an output stream. If the output stream comes from the URL connection, the function is uploading a file to a remote server.

Behaviors detected by Quark:

* Connect to a URL and set request method (#00096)
* Write file content to an output stream (#00237)

.. _list-of-tested-apks-golddream:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.
New Quark Rules For SpyNote
===========================

New Quark rules (#238 - #242) are now available. These rules target `SpyNote `_\ , a malware family that takes screenshots, simulates user gestures, logs user input, and communicates with C2 servers. Check `here `_ for the rule details.

With these rules, Quark is now able to identify the SpyNote malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision.
Please check :ref:`here <list-of-tested-apks-spynote>` for the APKs we tested.

Below is a summary report of a SpyNote sample (\ ``0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b``\ ). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.

.. image:: https://i.postimg.cc/4NYt9kTb/Screenshot-2025-09-24-10-00-28-Screenshot-2025-09-24-10-03-382.jpg
   :target: https://i.postimg.cc/4NYt9kTb/Screenshot-2025-09-24-10-00-28-Screenshot-2025-09-24-10-03-382.jpg
   :alt:

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's `rule classification `_ feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 4 well-known threats from SpyNote, as shown below.

**1. Take screenshots**

.. image:: https://i.postimg.cc/wMcJFd87/screenshot.png
   :target: https://i.postimg.cc/wMcJFd87/screenshot.png
   :alt:

The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/keydkuycdcczonreivsieapzgrzkejxcowwsziydpvouihgqnu3/AccessService`` function obtains screenshot data and converts it into bitmap format.

Behaviors detected by Quark:

* Extract screenshot data to bitmap format (#00238)

**2. Simulate user gestures**

.. image:: https://i.postimg.cc/k4yXpMG3/gesture.png
   :target: https://i.postimg.cc/k4yXpMG3/gesture.png
   :alt:

The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/Perfct;clickByGesture`` function simulates user finger gestures on a mobile phone.

Behaviors detected by Quark:

* Simulate user gestures (#00240)

**3. Log user input**

.. image:: https://i.postimg.cc/pVcgt0r5/logging.png
   :target: https://i.postimg.cc/pVcgt0r5/logging.png
   :alt:

The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/keydkuycdcczonreivsieapzgrzkejxcowwsziydpvouihgqnu3/AccessService;checkPassword`` function obtains the description of a UI element. It also calls the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/FileUtils;writeText`` function to log the data to a file. If the UI element is a keypad button on the lock screen, the user's password can be logged.

Behaviors detected by Quark:

* Get the description of a UI element (#00241)
* Write data to a file (#00242)

**4. Communicate with C2 servers**

.. image:: https://i.postimg.cc/cCHZkQPw/connect.png
   :target: https://i.postimg.cc/cCHZkQPw/connect.png
   :alt:

The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/hlshzietuthuztzpsjgswpikkmwdxkiqxbzdseqdoywzyerfhi4/CameraHandler$1;run`` function establishes a connection to an IP address, which could be a malicious C2 server.

Behaviors detected by Quark:

* Establish a connection to an IP address (#00239)

.. _list-of-tested-apks-spynote:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.

New Quark Rules For DawDropper
===============================

New Quark rules (#243 - #245) are now available. These rules target `DawDropper `_\ , a malware family that downloads and installs additional APKs. Check `here `_ for the rule details.
With these rules, Quark is now able to identify the DawDropper malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here <list-of-tested-apks-dawdropper>` for the APKs we tested.

Below is a summary report of a DawDropper sample (\ ``a1298cc00605c79679f72b22d5c9c8e5c8557218458d6a6bd152b2c2514810eb``\ ). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.

.. image:: https://i.postimg.cc/44T6JT3v/Screenshot-2025-10-21-22-38-20.png
   :target: https://i.postimg.cc/44T6JT3v/Screenshot-2025-10-21-22-38-20.png
   :alt:

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's `rule classification `_ feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify two well-known threats from DawDropper, as shown below.

**1. Download APKs from remote servers**

.. image:: https://i.postimg.cc/VLW5TKMP/downloadapk.png
   :target: https://i.postimg.cc/VLW5TKMP/downloadapk.png
   :alt:

The behavior map shows that the ``Lcom/techmediapro/photoediting/core/MainActivity;N0`` function downloads a file from a URL. If the URL points to an APK, the function is downloading an additional APK from a remote server.

Behaviors detected by Quark:

* Connect to a URL and read data from it (#00243)
* Write data to a file (#00244)

**2. Install additional APKs**

.. image:: https://i.postimg.cc/nc663z2H/installapk.png
   :target: https://i.postimg.cc/nc663z2H/installapk.png
   :alt:

The behavior map shows that the ``Lcom/techmediapro/photoediting/core/MainActivity;S0`` function installs additional APKs.

Behaviors detected by Quark:

* Install other APKs from file (#00245)

.. _list-of-tested-apks-dawdropper:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.

New Quark Rules For SLocker
===============================

A new Quark rule (#246) is now available. This rule targets `SLocker `_\ , a malware family that locks the device with an overlay screen. Check `here `_ for the rule details.

With this rule, Quark is now able to identify the SLocker malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here <list-of-tested-apks-slocker>` for the APKs we tested.

Below is a summary report of a SLocker sample (\ ``570e2811e8c87f714eb3485c271ec03b9de699c6b7f67e858a24396ce5f7b69e``\ ). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.

.. image:: https://i.postimg.cc/851cvgFy/Screenshot-2025-11-25-22-36-54.png
   :target: https://i.postimg.cc/851cvgFy/Screenshot-2025-11-25-22-36-54.png
   :alt:

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's `rule classification `_ feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 1 well-known threat from SLocker, as shown below.

**1. Lock the device with an overlay screen**

.. image:: https://i.postimg.cc/1zd7nsYP/blockscreen.png
   :target: https://i.postimg.cc/1zd7nsYP/blockscreen.png
   :alt:

The behavior map reveals that the ``Lcom/lololo/LockService;onCreate`` function creates an overlay window on top of other applications. By configuring the window to occupy the entire screen, the APK can block all user interaction and lock the device.

The behavior detected by Quark:

* Create an overlay window on top of other applications (#00246)

.. _list-of-tested-apks-slocker:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.

New Quark Rules For PhantomCard
===============================

New Quark rules (#247 - #251) are now available. These rules target `PhantomCard `_\ , a malware family that communicates with C2 servers, reads the payment data of NFC cards, and captures the PINs of NFC cards through deceptive screens. Check `here `_ for the rule details.

With these rules, Quark is now able to identify the PhantomCard malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here <list-of-tested-apks-phantomcard>` for the APKs we tested.
Below is a summary report of a PhantomCard sample (\ ``5769ae3cc93943dda4d1743f2febf6cec1282a0a6289da68cb55bb4724ec9332``\ ). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.

.. image:: https://i.postimg.cc/MTm5xxn2/Screenshot-2025-12-19-00-52-13.png
   :target: https://i.postimg.cc/MTm5xxn2/Screenshot-2025-12-19-00-52-13.png
   :alt:

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's `rule classification `_ feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats from PhantomCard, as shown below.

**1. Communicate with C2 servers**

.. image:: https://i.postimg.cc/6qqQcXDG/c2.png
   :target: https://i.postimg.cc/6qqQcXDG/c2.png
   :alt:

The behavior map reveals that the ``Ls1/j;doInBackground`` function establishes a connection to an IP address, which could be a malicious C2 server.

Behaviors detected by Quark:

* Establish a connection to an IP address (#00247)

**2. Read the payment data of NFC cards**

.. image:: https://i.postimg.cc/9QFmVVxY/nfc.png
   :target: https://i.postimg.cc/9QFmVVxY/nfc.png
   :alt:

The behavior map reveals that the ``Lt1/c;b`` function establishes a connection to an NFC card and reads the payment data stored in it.

Behaviors detected by Quark:

* Establish a connection to an NFC card (#00248)
* Read the payment data stored in an NFC card (#00249)

**3. Capture PINs of NFC cards through deceptive screens**

.. image:: https://i.postimg.cc/xT2QtP2Y/ui.png
   :target: https://i.postimg.cc/xT2QtP2Y/ui.png
   :alt:

The behavior map reveals that the ``Le/r;onReceive`` function creates a UI layout and listens for user clicks on a UI element. If the UI layout is deceptive, users could be tricked into entering their NFC card PINs, and the app could then harvest those PINs by listening for user clicks on UI elements such as keypad buttons.

Behaviors detected by Quark:

* Create a UI layout from XML (#00250)
* Listen for user clicks on a UI element (#00251)

.. _list-of-tested-apks-phantomcard:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.