Quark Rules
New Quark Rules For DroidKungFu
New Quark rules (#00212 - #00233) are now available. These rules target DroidKungFu, a malware family that gains unlimited access to a device, installs and uninstalls apps, and forwards confidential data. Check here for the rule details.
With these rules, Quark is now able to identify the DroidKungFu malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Check here for the APKs we tested.
Below is a summary report of a DroidKungFu sample (D277C97B1A8A78F859672B4A20E74B3313E9F964E68A6E857C1E9D33763434A5). The report shows that Quark identified the sample as high-risk and provided a list of the sample’s behaviors.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats from DroidKungFu, as shown below.
1. Gain unlimited access to a device
The diagram shows that the Lcom/google/update/UpdateService;getPermission2 function runs shell scripts and Linux commands directly, and also calls the Lcom/google/update/Utils;oldrun function to execute additional commands.
Behaviors detected by Quark:
Run shell script (#00069)
Execute Linux commands (#00068, #00155)
2. Install/Uninstall additional apps
The diagram shows that the Lcom/waps/k;a function installs APKs from a file, and calls the Lcom/waps/l;a function to install more APKs and the Lcom/waps/k;b function to connect to a URL.
Behaviors detected by Quark:
Install other APKs from file (#00054)
Connect to a URL and set request method (#00096)
3. Forward confidential data
The diagram shows that the Lcom/madhouse/android/ads/_;_ function queries confidential data such as SMS and call logs and also calls the Lcom/madhouse/android/ads/_;__ function to check for network connectivity.
Behaviors detected by Quark:
Query confidential data (#00077, #00219, #00221)
Check for network connectivity (#00224, #00226)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 27A63D6412B3459E821D88A8EF133727B8DDA99262CEC71C9989EC28E394F173 |
| 2 | C3B0FF9C168FCDB02573AF741FC1E9B9E3EEA993A5407CFCF0BB29E0800760BE |
| 3 | E10A9E9A5758F04975FFE930AF08A339B897FF72DF85BE1707184C697C0E954F |
| 4 | 2C6B542B30C644BE1840E38EB8ED4592B671E4734C08FE57B315B92299B23A4A |
| 5 | 1EC91FF1EA8ACCBC4181F3DF94C6A285013EC7A7D60467DEB9250E7681F4B73C |
| 6 | 20639CFB1369F3D490ED532FE30E294ED4058B7D67C426484D7028B7B2B165E5 |
| 7 | 5F7A40015A1F3F42802424EC776799F5E0960F19E9BF8C86298AA5CFAC116BF6 |
| 8 | E2BC4E09BA57740C17F033F6B116EC0316771EF8C1DCB99145EEAC17F15FF2FA |
| 9 | 7F027D19AD8FCD2F4C6A6C74742DED6D1D7758FCD72BDD8B5590053BE65A1D2D |
| 10 | 21D4EB1ADA6CA0925AB8E21D30BFF8A40E88BC60773700B003C048BF8619E75E |
| 11 | 73A27FCF9FDE6D7EBC39F4995BD7DAA4F433C37314C0016D75C50CC39AE7A785 |
| 12 | 4EA68DEB209A29ED0B1FA7F7555006DEC050D8F77CF5820B550E32E5A6F6F88C |
| 13 | E6440A1AB96884C44250F2DB53618FC6762DD13EEBC59D1095F1E188D40C68E4 |
| 14 | C17D0979882468CCC26FDE81F5C6F0DDFB602F9AB9D3C92AC355C8D87A585380 |
| 15 | 477C68553FF88F831026E8842FE99FE14B2DDF08821A0CA3072B7EDBC872A292 |
| 16 | B4098AE6205E3808A6B79495B2027452A7B8191200402F8BA32DBA0EAB21EA99 |
| 17 | 393456E6368079F36DC0CEA861361F976A5CD6A3191B69E49CFD6BF4692DC57E |
| 18 | 16A0C217F26C948D683B515CBB9E06CC0AAC422A951CE9E9E532D7A571152D2F |
| 19 | D277C97B1A8A78F859672B4A20E74B3313E9F964E68A6E857C1E9D33763434A5 |
| 20 | 51BFB82709E927D65770E5C59AB6EB96B73B19525E127F60A25831CD2B8AEE82 |
| 21 | C08539123E1F40439E0DB7DDEEDD6BF6B079AB5E62B2208E22884B28306C1CCA |
| 22 | 15D1FDC4B27509DF6D31F851675D03A21939A165B2011BFE0DB5EEA69BBB6B3D |
| 23 | 94BC85F5458E313AA138C9F4E4B8ED3AB8642694A07427B80441B8A538EC462C |
| 24 | 41DD548C530516448CB6A28DA67407725163F9620D92A35F8735FA4135ECC0A2 |
| 25 | A87C8FE4D821CB2B15FB4E1ADDF63E88DE7D09D37178A910C9221EA979C16F81 |
| 26 | 3B736A91DCA7AE8608C2174AD589400D3FD5FAE55A395920841A49EB10657A37 |
| 27 | 800A8CFF0C559C9478E6941B5E0B30E3848E8A0F9246C8E0C1A34A1459288D68 |
| 28 | BEDF51A5732D94C173BCD8ED918333954F5A78307C2A2F064B97B43278330F54 |
| 29 | E20D4994C8A13854CD835919F5620A9B6217AC444016F9E97C3E9C3464E2F5CB |
| 30 | AB0A824F00E4AEE68A17DAD86182B6FFE83D6D7D07D572D31183CF4A8C1723DA |
| 31 | AEBB5050F17588F0D3936B1B13BF7DCD856A7ACD8DB107C4853E7A9058D2A0CA |
| 32 | AF33315DFBF3ED5A0D28E8ED03A79D20C3B77B16129CCA9439BB4CBDDCA076E2 |
| 33 | 0AE6CECB96E4515F4536EFC711D583A447FFFDF2BCD4E04D2F4A0347F63E40EA |
| 34 | 3C81C9DF7CE0F94918CD0B833B070DFBBCEACF8688824AFBC6344E975EDFEB24 |
| 35 | C5C508FD88D058F5E2B3ABC2A066C52C1FAFB148F27000C47DA859945F771512 |
| 36 | FE98A9B6D1ACF4E2B52CAF0015E90B9FAB856B0C0AA581D526F3D2951B2F7904 |
| 37 | BA949E090EAB02005F9B1823B59AA4329017EA2441E81734F4827B3822C9704E |
| 38 | B6BF9FACFA89990ADF7F01D561875AC54D7577CA351D0C23D69B5E83E376963E |
| 39 | 2A93EB58C737572DD375A36F8A5397140C815DCAE05DC80DAFAAD4B3981A91B6 |
| 40 | D2E2396D8F6052E551E84CC69A97DB7D3D08DF9B3AA40C0070A7CE96B33622C8 |
| 41 | 25BE589140F73949124F08759AB5BB57B126396F1401E3BFBFDC5E5C056E0D03 |
| 42 | 41BD9843692B7421B2FBCEAC3C2F6AF3CE9C92339C10D43898E7E072B8E28BE3 |
| 43 | 3AC65392A5E371D1FF5C7A2CBF580A4F3C2A5B36E11C01601D6B38D715C2A74B |
| 44 | 5D3A915B34D0925B9EA4A7E33E8E70A428B22CE57CD17CFB20DF37F463502B82 |
| 45 | 94A96E66ABC0ACEF751AF0C2140AE7CAD05E434609EB56FE6A6E6602FFE3E4B9 |
| 46 | 67E794151DD32338E0B1935A77ACA5B9A8D87C12C7A088326C2E9F2FFF048279 |
| 47 | 40BA6610360FFFE5BAFEE8504751C78B5AF3B913DA1C2D4AE97AEEA156E5510B |
| 48 | 197041741B0DD2FACE3C01A2FE82AC697A6B6B801B7DC2D3579DA7BBF56ACD73 |
| 49 | 8C5130774E5F1E8F6A0A16281A5AF22C5AC1FCD46DE907667714760ECB76F7EC |
| 50 | 86FDE6F59EF9A8F762AF7BB62DFC4467CA9BD3ACC63E50E5AB78A7B4487ED70D |
| 51 | 0B33469936791DB785E8546BB752AA75DE4C3227293A4237249DBD05FC12D039 |
| 52 | 25061C50965D05E98E409E3A07FE4CE4825A9DACFF46A79FE57EDA7BFD184DEA |
| 53 | D2187491BAD25E07B6817CDD3F044466B8FE2BE63D255DA2FE7CA58E8C8C6321 |
| 54 | 446A635890947E7956D5E8DD10C758A733144D573528153D6F5AFD0DD038BFC4 |
| 55 | DB104CAC9471650E5E5AF54E14C80F6247E16923E78E41DFAEED42F28CF5C523 |
| 56 | 4269E9F03F43D82DF992B417E961554CAECB80D06CA3B0C1B847A09FD257901F |
| 57 | C31BC398066441E6FDB5F98EE6A4529D6F51925F4951EA679C028E50D0CAD950 |
| 58 | EC6212709ED75DEFC848626D2888B685AEAFC4FFD655AD830557F9994E8995F3 |
| 59 | 66BB9310F7063CC3B12F803D2C809C1DB46AB29F229599BE81728C432C208C9F |
| 60 | BAA24D27A78F0641ACF806BD03722AA47F1DCBC42F1CCA04B14B0118E398F94A |
| 61 | AC5E59080E8E951AA5C62038D606E2BD3F8A20C0552F8E1B326B407D4BDCAA15 |
| 62 | 823EE1A0F81C0067F804B3F2497E8268A677C76D90DDD261A910CFE8D116897D |
| 63 | F3F52121296119FF32C334075EA80B74495FDE648A7204BED66268B285FBF199 |
| 64 | 0D9CB8010681D5F35969FB84F96FFCC53DD0B37AEE62F522C2972BEBF2759F02 |
| 65 | 03259A1228E3AD616F10C2370B8C142A8D20132505FBC5CDB5137322A8A03FC6 |
| 66 | 8CB684F1C8FDA8D16E9399F9B75AE1972888BA4398EEE1A7BAAB311DAEAD5F0E |
| 67 | 27B02028221B1AE647BD749EF916AC4D0AD39BA3C961ECD1AE37DF7988488225 |
| 68 | 56628C603FDB1F33FDB8E53D796919F5385A9BAC31E3217A20F2E7531543CBD2 |
| 69 | 00621E015191863041E78726B863B7E1374B17FDA690367878D1272B0E44B232 |
| 70 | 4D62CFEE89DFC4451BDA6FC9E6C09189B6BAD089E2E97E36084FD0E910363D76 |
| 71 | 049D5D5E6DDA98F512E0A9FD2D8E3299BB16ADFB63D95033ED6A839588D14425 |
| 72 | 64AB7A8E612D8D60C1C4CC8CE1B4ACE4AAFCEC7E1F5239894F2B214B094FA1B1 |
| 73 | 3E38E7FF5776548DA0FA1AFF91B364B338D5D7D51E6CB4E3ABFE2FF4B9BF985A |
| 74 | 3EBB4C2BC959080EB9BA2328D10610B59E77892667F8CC5794479F0625E283EC |
| 75 | 4DC7570244C38A690BCA52A8DA1B9108C7A0EE214FBC0A972725D43C8C78FA9A |
| 76 | EB2F047FE3AEA452F1867EC57FAE2E4E853652FE9CBABDD995A11C6FEC0D6500 |
| 77 | 1B7F0C198CB2278218B177F79F16D8C8CE9D7E46E2E65D2B6ACD61A3BA8C455A |
| 78 | 8E6DFA5676DAD428FD3BB767D33B74920D4B3E5D51821A1501D0ADC35B834A50 |
| 79 | 24CCB1BF995EEE442CC4BB86828795BEB0043CA5BF694B3765FBBDA7F69F4E40 |
| 80 | E70FB0052314184463A9F7D194DEE438FA381C6584B8009F178785E0E8CC5D66 |
| 81 | BAF7340F3F1FD943A0A0E79FF59CAD5362D1BA45F05EB172A6730455F8CD55FA |
| 82 | CD3AF68A6C2D93D0261962F50F8DBBB9D72BF952A88414B33DDA49C613DBD8B5 |
| 83 | BA14BC0202CF321F4368E0DEE08E67CC7B55AC3A03AAF1726E03C4CC0AB44F02 |
| 84 | 05C68734C04460DFF87618C0065457788EDCAD84C23F32113B156A963290D917 |
| 85 | 09B952BB0E499EA71E042F6984E6E7632FE1B2F646E212E16468B54A7D0E4253 |
| 86 | 703B9C40116A1AF70522933D25B72E85863EF177F937B28CE82C048928C83379 |
| 87 | 97CE153A87917E46907CE3C43328FA398BADA713ADF9DF7A756174EE8C7F50E5 |
| 88 | A5706AD49019EF9671242437834A492170F6DDBBD11DF2BE8D0C7F0477530CBE |
| 89 | 4FFF4F4F98197ACD4A943ACEDE362D4C64F9D20EE5E64F7D0F4E66F3DD08FBBC |
| 90 | 54F84DBB2A95A53AF72E7346CBE139BDEA1759C92C50AD202B66E8F6D548D876 |
| 91 | 93BC7CAE3DC7ECAFB01A9D136A7D24E280673F7DDE1B30F545E1FE2646E8A66C |
| 92 | 66ACC04320B125B0974DF859850C1A5B2B9C2B58768CBAB83A93BA955FA9287F |
| 93 | C5EA7E9101DCE70C56A0F48B622FCFF619D615F5034B15D21BDB7F40B74602CF |
| 94 | 14F44E244274BF9A698960DAA82D98D3FD66AC7E8FE6F7F9916F164E468C30A7 |
| 95 | 0F2931043C240C14DE48C7A6630752474C3FE5A87A5113F13851CFE8D14754DC |
| 96 | 1C5A89EB4638229DD8DC6D4F55BCAC8D565D2FEF20F6BEFE52270D50973B6151 |
| 97 | A1F98073B0D39B6E3A981D7DB2C528CC9B88A4CC207350F4467916F265D0244F |
| 98 | A128DE003C61B08C439F181253A5C8882DE1C48F517B0B0BF6B18614D11E2674 |
| 99 | D695B7310BED20E3AE00C0C4754039C3BB095062F4D746897BDF417444F454C9 |
| 100 | F52BD07D3457B69720C9A54BE5730545BFCC80269BE749FACA723906A303AD33 |
| 101 | B4524506739CBF40D3C823D716FA2DEB9ACE38C199CF0F7661FE8DDF688953E6 |
| 102 | 43567A80FB8122F77E1CF72CFD898A6B9BFDC18F27EBE716C444143E03630200 |
| 103 | 2220A2EBB3068D1C912189CA6F8E89D0E63836E40A75F5E5C2B7B99A498E7CBA |
| 104 | E58BF56343D6A44B0D863534426109B348673C76EC433BF310E638F34EB786B7 |
| 105 | 30866091584856AC8A7F353172C3D9B0643602F351BE56BA92B4AB2DFD68230D |
| 106 | 1E1D93EDC231E7F2FAE9ABB825640E803137A1A672B9D5E93BDFA6D7E8F57DCE |
| 107 | 3D210599B3EE6C84D9D8FCB236C02394D24974EE3E0FE2D03B013D538E611CE1 |
| 108 | 5107DEDE507180C8458C4E5F87E27F580521F365A54D9E71286ACF0E54DB9E1E |
| 109 | 5D5624B266E294C0DC7673D2FB8E126EC559D37CEC74C5508D8E6674377EF107 |
| 110 | DA2EE0B84AC470986543ACCA1F4C51DEF534D23F04E39F0DD85CCCBA45232738 |
| 111 | 72865ADB5BAFDA646F6F60834E0462E1626C88F075E4161F3CE0EBF217D6C4CB |
| 112 | 8EA992D99898B26E014F82C475F605D90BF0828CFE244922197020B62147B55C |
| 113 | 4536BF0914B3D76047AEB6EA92F21D0CB7561F68DAE870DB3F6DE9FD7420B785 |
| 114 | CA8EB1155C2F5B33822B906F2255CDEAC0EEAD86A58F151C11BD5003458CFCA1 |
| 115 | 001E0F67B5BB9DDAB14FACBEF94791EAED0EB939BCB651D19DAFD0E2A05D8178 |
| 116 | 37C1F16781B2399019AAF2525834ADFE00592F1C62D07D1B0C91A40E11D1B80C |
| 117 | F157946D3868FBE013EC23B14F1097BB727654B4F3926322F035E86E3F5F637E |
| 118 | E9484114F77952ECE8234927BCC865886938C41F4F4657741F01B22A214E10FA |
| 119 | B0CCDE6A945212ED23F3E85CD861D73A42A98C53D63237CD3C0EB67DDA57BDBC |
| 120 | C907757169BBE2A5FA05080B75E5E273F0EF02B06552BF4DF3C386096FEFDD20 |
| 121 | 0FA18A95361BBF4413A9B734B540F52C6BD2411090DEC4D7E3DB6708FEDC68AE |
| 122 | 6ED52331A788EF18727C8E34746B59DB81ACDB261659934BE63B0266FB7C19E7 |
| 123 | BCE128DBE9A75CCADE50ECAD2E52499F67E58479ECD69861B3D117984DF47136 |
| 124 | AB4B4D65A4C7CB3AAFBB7E6630830393D43E619881DA76EE06760466FB79E894 |
| 125 | 877BBED1EC7BA716D70754F6F015C950217FA16F6EA70833B0196C7C560B8239 |
| 126 | 0015AE7C27688D45F79170DCEA16131CE557912A1A0C5F3B6B0465EE0774A452 |
| 127 | B24B268C7C9574BB5FFA48C239F77089BD14BA3EA8B6DDE3DA42958569477D01 |
| 128 | 38070B4D027E0256E6B8538384E374E14D7F8006920A60E9BB9238CD45855CC6 |
| 129 | 7B5338E1E7BF8B4816B821DB9ED042ED13CE4F8EBD1748BA9788B070E45BF03D |
| 130 | 4F1CBB091DCDE0CD0E8FE0D4BD27134750BAC6711029E0A37179832AD3698EA9 |
| 131 | E26656A75FB347F317ACC7A670F8D16DD4C4433691443A77B46C84B9E3A0FB66 |
| 132 | B90564F3809FC8B0B0CE1CBC53DBFF6C6A293BCFCC5EF7821E28BF87262FB9FD |
| 133 | EE21782BF346B26411CB00CA83F91AA18C01CF67086D500E66672A0DE046FFAD |
| 134 | 242A0048497BCBDEB4D1A5A43DF08E492BFD42B0B85FF63B2C2A49AD5EA50829 |
| 135 | 53702B51E102AC3AD7C859019B8640B88D65B3D6008825ACA2D1FCB80B2FA845 |
| 136 | FAE5B82A8DDD7C6EA2B417711E7D0FF8EE02244B7FF9980BCDADFB940EC85096 |
| 137 | 0FCE8643A036D954E75ECA205B2EBA45629C999AA13ABF8896B4BBC07B0BCFA7 |
| 138 | D34E040FD052963C9348B8AF50B415419216BE1A00DBF25C7F7B86545EF84C7C |
| 139 | 9C6724919CAF4DC134AACF828A62663084DDCD6459FD1249DF36BCFFC7EF2EBB |
| 140 | 9184D161D1931A58CFA091569CDE481FCC87AA3A4D32C24622A29EAEA5FC3EEE |
| 141 | C92E7ABD460FF39CB41709416959366739B08006DC2EEA05E367981F9578E6B0 |
| 142 | B327C0BBB16C9ADCD566877AC29DC0B0EDCFF9E654DAD66C514B19877A45B6C8 |
| 143 | 62923018BFCFB2AD1F05EDE135024EDBBADB20DFF9F816EC3F846B2900636ACF |
| 144 | 2BAF6E70672789096752383F0DFDA9774A3FEF55CD64C5AD7FE5CE02F4BEB8FB |
| 145 | 72E6AE9CD081F8D38488CF4077F66DB0F97CEF486A60EB38C593BA82DB77ECD8 |
| 146 | F6EB0EB6FDBB4A1615050F59EB6FAE8F999824E5D65CE1A437761FE7BE4B8215 |
| 147 | F7B038B441E051B3BCC6F40964C215F61A3A226EF3A1B8D58A36E135115DBCFE |
| 148 | 735F5724975302D23C7CCB6F69C0AB4C64F3E63AF38E828E302DCE79FB08593A |
| 149 | 80612FE193401626268553C54A865E67B76311E782005EDE2BA7A87A5D637420 |
| 150 | 938EFB5BDC96D353B28AF57DA2021B6A3C5A64452067059BF50D7FB7C7A66426 |
| 151 | 84C7A452E72ABC4EAA51AD8F3569A6E10365804A963FA61C034FD1F3DC846957 |
| 152 | 07FEAA0E04E56CB3CCD06FD7902A9D9CEC48DFD901BD6D5E07ADE81448DCC5D6 |
| 153 | 6447ED2ABE5AB3827C519BC1EB732159FFE284BE73B8780F294F562996DC9C47 |
| 154 | 5137EDD9FA6E73BE3B5C14C50FAF0B6602C7A155E30A931D2A98B31AC1E021C9 |
| 155 | 53B1523A8F52D3C924043B93AC44FB96F2D496D1C054D873E62B5BC9644B1B52 |
| 156 | D7D47ABC80CDBC7D0AEDF9B8E863E28F0B79CA47D71155A3D364EF096DF98D7E |
| 157 | AC48E0526730A611D363AE5DBFD2F3AA4296BD71C66E13B9DB3D272B754EDCD9 |
| 158 | 422B2A9F8547E4239E1BB508359872C6365B42ECC460C82A0FABAC04F2E44808 |
| 159 | 7D4FD317B9E19AF2BBC5B707C3CCCA5D504B11371D10E3CBAF0AB4E56D0ACAB0 |
| 160 | D5C60074995C0AA0842AEF02269C8567F8B59902E4AADB865C69CB3738D9051F |
| 161 | C8B6CC0BA9DDD2206FD35AA3AD379B169DEBFE223A0EE0E5AA28DA1AA683343C |
| 162 | 921F76D6153E86E480A1FE309A19DA4F75B85BC3F85F3826694977CD2046F0A3 |
| 163 | C7C46F7E5F58B1E6912BC0638475840741CAED5685AF0AB6B563A637B92D41A3 |
| 164 | 37D382FAAFCAAD6F8BF5DA383CB8703B7094A045AEAC5E13B5F4225C6272A615 |
| 165 | 65CEFD92274FB4AF9F33728F8759A6BE835C7550B96EDAB798787CBB8EC95FB3 |
| 166 | 287E705784FE12335E9355C20F8BC8072A7A6A87DEA751CE471CCE37D426E9F0 |
| 167 | AEF39A6FAEB83695C7D97B93E6BC550D0AED93EFE886E651A1610DD8B2ED013A |
| 168 | CBD9BA3E8D82F9D475C81BC3C057C19869810B2CD47E6EDBF392B4A7612F8239 |
| 169 | 51F16E4D41EC420E8520220D44B0088C81619014896BE524F411B718E730A33F |
| 170 | CF997FE5C0AB00EA447EE13F7DEEC8E97EFE412F65355448F04565A1F7AC0E72 |
| 171 | E4EB02B2D64D33E4C0536406BFC9A6D8FCC6B5237642D92333EE3E089BD82723 |
| 172 | 5B8D52ABE9FA8E849A89CF87F90CB07E77BB429E0FE5F518873C8B26EE231A87 |
| 173 | C96029C4F9777C9D521249EE1AC27F75C2350614C361469D0C7B3F8124DA3E14 |
| 174 | A0E3891E0790A9EC38EA05BCC0EA7067E98CED68DBCAFEE10A5F73D560A97B17 |
| 175 | FDED1EC2D17F957B230FEB5FFF518EC98322A1617E4E28953FF38270CB16098A |
| 176 | EBE06DFB790CCEC41432637C593139E6C813AF0BA0F1366FF9FF12F8DD89AD40 |
| 177 | 2D2C183A82B5F13E458946DEFA3D2DC361B6FBB1321FE0535DAB40FCA4B7C272 |
| 178 | A6291A63E3B4E8E3B58E96DB2A98BA918E674B21B3483EC0A69DA5C5594390D8 |
| 179 | C7BE73CAC9A130F487490E98B811F707492F92EEB989D75681F113FC7B184F95 |
| 180 | 35CEFBC2F7DB302E881DAEBB572093D721E3E94CDDEC465B6F08877095B572BD |
| 181 | 6E417844E162251228B6305C70ACC481F423036C6F14DA753F8C591F115EA8E0 |
| 182 | 5896A3D47B5CEEAAD8C69D9811C79438233EF78E042EBEEFF807C69B6EE63FB2 |
| 183 | 3A867B8D991A3125CA3ED27E2F0D6568277AEC1CD15A0D8F9201981F4A5EEC6D |
| 184 | D0F06064FD7C105AFB139A30010104E1FE4A41A0967E450F9509ED7AA793AA1A |
| 185 | F19B3B007B54813C8395F826D76ABB6C7573286D9866ECF1F71CBBB75C12BF04 |
| 186 | EF2B268D4FF17708D1D01E363CB486E7AA83616AB595434535CFB33BE0F716C4 |
| 187 | E116D6C8F922AE101D2AF721AF3D183DD12D47A167312266E54C02F8B5AE53E3 |
| 188 | C7EE00F75D464EFE63FBF3998517B171AA296DBD3254E95DF25BC579F8517AA2 |
| 189 | 4D920F5202A33EBD9BBAFD73E11D5D222D4B8E0D50C11BC9B8B5F4E291F7C8E1 |
| 190 | 02E112947AA19A577FD9D825531BD74797BBF5825A74E9918D4027BBD24BB49B |
| 191 | 9AC9E6123537F163E7730768B1B39BDA34A7831B5A3F8752D2A0CA4C394F5752 |
| 192 | 2D1EEE053F84BFFF1C9F4F82CAD96DD60D04596236DF9B929A921E32BF4EFB0A |
| 193 | 314BA33232F07D0EAE2648A6DF5B3009484CFDBDA6E57D8A0B221D215EC5300F |
New Quark Rules For GoldDream
New Quark rules (#00234 - #00237) are now available. These rules target GoldDream, a malware family that monitors SMS messages and phone calls and uploads them to remote servers. Check here for the rule details.
With these rules, Quark is now able to identify the GoldDream malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Below is a summary report of a GoldDream sample (ECA3A3666B0FD72028431431E7FAE6774A8CA692E35AE3CB44FD8F2AA418F746). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 2 well-known threats from GoldDream, as shown below.
1. Monitor SMS messages and phone calls
The behavior map shows that the Lcom/sjhi/client/zjReceiver;onReceive function monitors SMS messages and phone call activity. It also calls the Lcom/sjhi/client/zjReceiver;a function to collect the data into files.
Behaviors detected by Quark:
Monitor incoming call status (#00064)
Monitor incoming SMS message (#00234)
Monitor outgoing phone call (#00235)
Write data to file (#00236)
2. Upload SMS messages and phone calls to remote servers
The behavior map shows that the Lcom/sjhi/client/e;a function connects to a URL and writes a file to an output stream. If the output stream is from the URL, this indicates the function uploads a file to a remote server.
Behaviors detected by Quark:
Connect to a URL and set request method (#00096)
Write file content to an output stream (#00237)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | DAAFD978B9C3D6CE45DF705F9C5DE432609546673441A7F1ECAE7C4F42069FE1 |
| 2 | D710998CC0C38046D8C3713463B992B925A647780D61030462DBEE41094D2E21 |
| 3 | C2236E4159E14623214C9F22EB8B373AE47C20CEF126398B7EC2D11DDF7133CB |
| 4 | 30838B9223D7C9A029D25903030C0EE5784E2556F3FB4994A9A66D0E52452915 |
| 5 | F44FF1D306731B7EA378569545963A71254145252C2D26CA6F679CAA8FD39468 |
| 6 | 26C12F1A899DBA752B29B20B599CEAC2A814BE1AB3CD50BEB96A26B6033F2F1E |
| 7 | 38A90E9AB4FAA62EA71F1FC726BA4B747FA363D9F4D15E7478239E771FC36BC9 |
| 8 | 72A3B68C5EBD84E1F9FF9AF529A2102A1DE08E7F1CA5B874CF1FFB4B380AF7C9 |
| 9 | 594EBCC14A163B86222BD09ADFE95498DA81CEAEB772B706339D0A24858B1267 |
| 10 | 4DB9936E2BD190CC35710264179D5FEB28735C0661991593F28D5FEA6B2A3998 |
| 11 | 021B664D927EE81E90B936E6B880844B040753BC048DEBFF0358B39FA15C39E7 |
| 12 | 6F3FF062C0A4CA13A12C68FB3FC17A12F75BD18BA6CB76CC82660F026A966990 |
| 13 | ECA3A3666B0FD72028431431E7FAE6774A8CA692E35AE3CB44FD8F2AA418F746 |
| 14 | 05A64C76B56919F4C6063CE376B59AC84C707425D6A442936B5AD659F7293C1E |
| 15 | 36D7471FA1E7C3AF4BE233F4F4971B41CF0A1EF1067D4C3B1D3BD4C3CD3D2E38 |
| 16 | 70F447054FD798F6EC3D6E67104F0910C73BAD80A94FD83AAC4F119786A0F253 |
| 17 | 545E1A911DA1071D79D9C40E945480FD9D5BA051472991819F8EB2644C5A6F3D |
| 18 | 3E72CC3C0DB3513A29FF53E27726FB9277C7D2F13661CF0DFCA8EB34DC690074 |
| 19 | FF2BEF8912CCD5CEE93DC8C6FB4BE2B142E790A30689AFEDB32ECB665AD1F040 |
| 20 | BA84EB2885F01C15DFDA3FE394486BE9E7E0FAECE28EABA70B007BE5864C233D |
| 21 | 42979D0E32550419DFA7F7BB1C5CCA245056E0EC50B489CA73C259E45C76C66D |
| 22 | 969BCDB8DC4043483AB645AFFF4616A1845F2276EF4165475F6357D71508047C |
New Quark Rules For SpyNote
New Quark rules (#00238 - #00242) are now available. These rules target SpyNote, a malware family that takes screenshots, simulates user gestures, logs user input, and communicates with C2 servers. Check here for the rule details.
With these rules, Quark is now able to identify the SpyNote malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Below is a summary report of a SpyNote sample (0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 4 well-known threats from SpyNote, as shown below.
1. Take screenshots
The behavior map shows that the Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/keydkuycdcczonreivsieapzgrzkejxcowwsziydpvouihgqnu3/AccessService function obtains screenshot data and converts it into bitmap format.
Behaviors detected by Quark:
Extract screenshot data to bitmap format (#00238)
2. Simulate user gestures
The behavior map shows that the Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/Perfct;clickByGesture function simulates user finger gestures on a mobile phone.
Behaviors detected by Quark:
Simulate user gestures (#00240)
3. Log user input
The behavior map shows that the Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/keydkuycdcczonreivsieapzgrzkejxcowwsziydpvouihgqnu3/AccessService;checkPassword function obtains the description of a UI element. It also calls the Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/FileUtils;writeText function to log the data to a file. If the UI element is a keypad button on the lock screen, the user's password can be logged.
Behaviors detected by Quark:
Get the description of a UI element (#00241)
Write data to a file (#00242)
4. Communicate with C2 servers
The behavior map shows that the Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/hlshzietuthuztzpsjgswpikkmwdxkiqxbzdseqdoywzyerfhi4/CameraHandler$1;run function establishes a connection to an IP address, which could be a malicious C2 server.
Behaviors detected by Quark:
Establish a connection to an IP address (#00239)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 059b5f74e053c2966775157cd521580fcfaa3b1a7613560b8f499dbd9c11d4b4 |
| 2 | 0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b |
| 3 | 4b2b411e03aafaa19ea93286fadd39a5134f4a039db2d5019b1054547c0d5601 |
| 4 | 5c01f7727c78dea9c89dccf92b01b4c45e69406e6462340779401497bf4d4589 |
| 5 | 8c365bd58edeb2ca371ead5e28350ee6c480a79f558d967ecbef525e9f1d7b3e |
| 6 | da4f59bdc91eaeaba238a8ba9602f7d5cc75f0892a92f5422e23b55accbbb2f0 |
| 7 | dd7650a9cd3f853e109d2d0138ede785e1559d6c2d8c52eec2f2d9808a924f1c |
| 8 | dee1eaaa8879a7d321ef4e698203be7b23eeda80a6dea3c70cbf3138597b1800 |
| 9 | f46b863952599b91a4d2d682a80f345dfa03fad473d1938f2c53a3139c87a019 |
| 10 | eec5096dfca6824317863f9225c29f6c4b3442c48fefa62dc382e3569bca5a60 |
New Quark Rules For DawDropper
New Quark rules (#00243 - #00245) are now available. These rules target DawDropper, a malware family that downloads and installs additional APKs. Check here for the rule details.
With these rules, Quark is now able to identify the DawDropper malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Below is a summary report of a DawDropper sample (a1298cc00605c79679f72b22d5c9c8e5c8557218458d6a6bd152b2c2514810eb). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify two well-known threats from DawDropper, as shown below.
1. Download APKs from remote servers
The behavior map shows that the Lcom/techmediapro/photoediting/core/MainActivity;N0 function downloads a file from a URL. If the URL points to an APK, it indicates that the function downloads an additional APK from a remote server.
Behaviors detected by Quark:
Connect to a URL and read data from it (#00243)
Write data to a file (#00244)
2. Install additional APKs
The behavior map shows that the Lcom/techmediapro/photoediting/core/MainActivity;S0 function installs additional APKs.
Behaviors detected by Quark:
Install other APKs from file (#00245)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 022a01566d6033f6d90ab182c4e69f80a3851565aaaa386c8fa1a9435cb55c91 |
| 2 | 02499a198a8be5e203b7929287115cc84d286fc6afdb1bc84f902e433a7961e4 |
| 3 | 05b3e4071f62763b3925fca9db383aeaad6183c690eecbbf532b080dfa6a5a08 |
| 4 | 71c44a78cd77a8f5767096f268c3193108ac06ff3779c65e78bc879d3b0ff11d |
| 5 | 77f226769eb1a886606823d5b7832d92f678f0c2e1133f3bbee939b256c398aa |
| 6 | 8fef8831cbc864ffe16e281b0e4af8e3999518c15677866ac80ffb9495959637 |
| 7 | 9b2064f8808d3aaa2d3dc9f5c7ee0775b29e29df3a958466a8953f148b702461 |
| 8 | a1298cc00605c79679f72b22d5c9c8e5c8557218458d6a6bd152b2c2514810eb |
| 9 | b4bd13770c3514596dd36854850a9507e5734374083a0e4299c697b6c9b9ec58 |
| 10 | d5ac8e081298e3b14b41f2134dae68535bcf740841e75f91754d3d0c0814ed42 |
New Quark Rules For SLocker
A new Quark rule (#00246) is now available. It targets SLocker, a malware family that locks the device with an overlay screen. Check here for the rule details.
With this rule, Quark is now able to identify the SLocker malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
Below is a summary report of a SLocker sample (570e2811e8c87f714eb3485c271ec03b9de699c6b7f67e858a24396ce5f7b69e). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 1 well-known threat from SLocker, as shown below.
1. Lock the device with an overlay screen
The behavior map reveals that the Lcom/lololo/LockService;onCreate function creates an overlay window on top of other applications. By configuring the window to occupy the entire screen, the APK can block all user interactions and lock the device.
Behavior detected by Quark:
Create an overlay window on top of other applications (#00246)
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 35c39da84abfc8d8b89389524d6e203d91e5af8004720c60f13b492e14ddde56 |
| 2 | 570e2811e8c87f714eb3485c271ec03b9de699c6b7f67e858a24396ce5f7b69e |
| 3 | 88b86662dd1653845985544299fd8cc732f49c72d63c86ea3ffb7bb3b3249138 |
| 4 | 8ec195cd1f5c9f66c75000f26120832d7e1a9044fe3699d18d676bd5739b8518 |
| 5 | 9cc9fba099c35d65638f521e5a1d748ea432b64d82fe9732cfc52f8b57d3dffd |
| 6 | 9e875f82515cc6b27367ae20ef52b9e0d7476bf8bda91e2ba0d888cf0857311f |
| 7 | a60082e481d6873103537e136b7b14a7892cd1205593d64567a448453eff4a6a |
| 8 | b5ab87692109c072cc277246e957ab32cfce6973f9f06c609ba51b53114cce51 |
| 9 | df091031ed5073de09158b3afcf1fb956d1f337a66e552e9d3458ed5f5f6edb1 |
| 10 | e504ff4501da2412758babadabb05a761ae6edacd043d68334e384d94fe4f4ac |
| 11 | f3fcd84b4e92a52ae5b30df003b911f21b2ea4325f788d5a5decc08582d3fd40 |
New Quark Rules For PhantomCard
New Quark rules (#00247 - #00251) are now available. These rules target PhantomCard, a malware family that communicates with C2 servers, reads the payment data of NFC cards, and captures PINs of NFC cards through deceptive screens. Check here for the rule details.
With these rules, Quark is now able to identify the PhantomCard malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.
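Every family section on this page reports 100% accuracy and 100% precision over the APKs it lists. The script below is an added example (not Quark's own code, not from this page) that recomputes those figures from per-sample verdicts and makes one caveat explicit: when a test set contains only samples of the family, there are no benign APKs to mis-flag, so 100% precision is guaranteed by construction and only recall (here equal to accuracy) carries information. Hashes and verdicts are constructed; the one Quark-specific assumption is that the JSON summary carries a "threat_level" string reading "High Risk" for high-risk samples.

```python
"""Recompute accuracy, precision and recall for a per-family Quark evaluation.

Added example, not Quark's own code. Verdicts and hashes below are
constructed; the only Quark-specific assumption is that the JSON report
carries a "threat_level" string that reads "High Risk" for high-risk
samples, which is how this script turns a report into a yes/no verdict.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    sha256: str
    is_malware: bool   # ground-truth label, e.g. from the tested-APK tables
    high_risk: bool    # Quark's verdict for the sample


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash an APK on disk so it can be matched against the tested-APK tables."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_high_risk(report):
    """Assumed report field: Quark's JSON summary names the threat level."""
    return report.get("threat_level", "").strip().lower() == "high risk"


def evaluate(results):
    """Confusion counts plus the three headline metrics.

    precision is None when Quark flagged nothing (0/0). precision_informative
    is False when the set holds no benign sample: without negatives there is
    nothing to mis-flag, so 100% precision is guaranteed and says nothing
    about false positives.
    """
    tp = sum(1 for r in results if r.is_malware and r.high_risk)
    fp = sum(1 for r in results if not r.is_malware and r.high_risk)
    fn = sum(1 for r in results if r.is_malware and not r.high_risk)
    tn = len(results) - tp - fp - fn
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "accuracy": (tp + tn) / len(results) if results else None,
        "precision": tp / (tp + fp) if tp + fp else None,
        "recall": tp / (tp + fn) if tp + fn else None,
        "precision_informative": (fp + tn) > 0,
    }


def fake_sha256(label):
    """Constructed stand-in hash; real runs use sha256_of_file on the APK."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed results. MALWARE_ONLY mirrors a family-only test set like the
# tables on this page; MIXED adds two benign APKs, one of them mis-flagged.
MALWARE_ONLY = [
    Result(fake_sha256(f"family-sample-{i}"), True,
           is_high_risk({"threat_level": "High Risk"}))
    for i in range(4)
]
MIXED = MALWARE_ONLY + [
    Result(fake_sha256("benign-flagged"), False, is_high_risk({"threat_level": "High Risk"})),
    Result(fake_sha256("benign-clean"), False, is_high_risk({"threat_level": "Low Risk"})),
]

if __name__ == "__main__":
    for name, rs in (("malware only", MALWARE_ONLY), ("with benign", MIXED)):
        m = evaluate(rs)
        note = "" if m["precision_informative"] else " (no benign samples: precision is trivially 1.0)"
        print(f"{name}: accuracy={m['accuracy']:.2f} precision={m['precision']} "
              f"recall={m['recall']}{note}")
```

To reproduce a table from this page, hash each downloaded APK with sha256_of_file, keep only the ones whose digest appears in the table, and add a benign set of comparable size before reading anything into the precision figure.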
Below is a summary report of a PhantomCard sample (5769ae3cc93943dda4d1743f2febf6cec1282a0a6289da68cb55bb4724ec9332). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
Identified Well-Known Threats
With Quark’s rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats from PhantomCard, as shown below.
1. Communicate with C2 servers
The behavior map reveals that the Ls1/j;doInBackground function establishes a connection to an IP address, which could be a malicious C2 server.
Behaviors detected by Quark:
Establish a connection to an IP address (#00247)
2. Read the payment data of NFC cards
The behavior map reveals that the Lt1/c;b function establishes a connection to an NFC card and reads the payment data stored in it.
Behaviors detected by Quark:
Establish a connection to an NFC card (#00248)
Read the payment data stored in an NFC card (#00249)
3. Capture PINs of NFC cards through deceptive screens
The behavior map reveals that the Le/r;onReceive function creates a UI layout and listens for user clicks on a UI element. If the UI layout is deceptive, users could be deceived into entering their NFC card PINs. Subsequently, the app could harvest the PINs by listening for user clicks on UI elements such as keypad buttons.
Behaviors detected by Quark:
Create a UI layout from XML (#00250)
Listen for user clicks on a UI element (#00251)
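Each "Identified Well-Known Threats" section above applies the same reasoning: individual rule hits become a named threat when the behaviors they evidence sit in one function or in the functions it calls. The script below is an added example, not Quark's code and not from this page, that makes that grouping step explicit. It uses the DroidKungFu section because its behavior maps span caller and callee (getPermission2 calling Utils;oldrun, k;a calling l;a and k;b, _;_ calling _;__). The report is a reduced, constructed stand-in for Quark's JSON output whose key names ("crimes", "rule", "sequence", "parent") are assumptions to check against the Quark version you run; which rule fired inside which method is likewise constructed from the prose, not taken from a real report.

```python
"""Group Quark rule hits into the well-known threats described on this page.

Added example, not part of Quark or of this page. SAMPLE_REPORT is a reduced,
constructed stand-in for Quark's JSON output: only the fields this script
reads are present, and the key names are assumptions. Rule IDs, method names
and caller/callee edges follow the DroidKungFu behavior maps on this page;
which rule fired in which method is constructed from that description.
"""
import json
from collections import defaultdict

SAMPLE_REPORT = json.loads(r'''{
  "threat_level": "High Risk",
  "crimes": [
    {"rule": "00069.json", "crime": "Run shell script",
     "sequence": [{"parent": "Lcom/google/update/UpdateService;getPermission2"}]},
    {"rule": "00068.json", "crime": "Execute Linux commands",
     "sequence": [{"parent": "Lcom/google/update/UpdateService;getPermission2"}]},
    {"rule": "00155.json", "crime": "Execute Linux commands",
     "sequence": [{"parent": "Lcom/google/update/Utils;oldrun"}]},
    {"rule": "00054.json", "crime": "Install other APKs from file",
     "sequence": [{"parent": "Lcom/waps/k;a"}, {"parent": "Lcom/waps/l;a"}]},
    {"rule": "00096.json", "crime": "Connect to a URL and set request method",
     "sequence": [{"parent": "Lcom/waps/k;b"}]},
    {"rule": "00077.json", "crime": "Query confidential data",
     "sequence": [{"parent": "Lcom/madhouse/android/ads/_;_"}]},
    {"rule": "00219.json", "crime": "Query confidential data",
     "sequence": [{"parent": "Lcom/madhouse/android/ads/_;_"}]},
    {"rule": "00224.json", "crime": "Check for network connectivity",
     "sequence": [{"parent": "Lcom/madhouse/android/ads/_;__"}]}
  ]
}''')

# Caller -> direct callees, as the behavior maps on this page describe them.
CALL_EDGES = {
    "Lcom/google/update/UpdateService;getPermission2": {"Lcom/google/update/Utils;oldrun"},
    "Lcom/waps/k;a": {"Lcom/waps/l;a", "Lcom/waps/k;b"},
    "Lcom/madhouse/android/ads/_;_": {"Lcom/madhouse/android/ads/_;__"},
}

# A threat is a list of required behaviors; each behavior is the set of rule
# IDs that count as evidence for it (the "(#..., #...)" lists on this page).
THREATS = {
    "Gain unlimited access to a device": [{"00069"}, {"00068", "00155"}],
    "Install/Uninstall additional apps": [{"00054"}, {"00096"}],
    "Forward confidential data": [{"00077", "00219", "00221"}, {"00224", "00226"}],
}


def rule_hits_by_method(report):
    """Map each parent method to the set of rule IDs Quark matched inside it."""
    hits = defaultdict(set)
    for crime in report["crimes"]:
        rule_id = crime["rule"].split(".")[0]
        for step in crime.get("sequence", []):
            hits[step["parent"]].add(rule_id)
    return hits


def reachable(method, edges, depth):
    """The method itself plus callees up to `depth` hops away (BFS)."""
    seen, frontier = {method}, {method}
    for _ in range(depth):
        frontier = {callee for m in frontier for callee in edges.get(m, ())} - seen
        seen |= frontier
    return seen


def identify_threats(report, edges, threats, depth=1):
    """Return {threat name: [(root method, sorted matching rule IDs)]}.

    A threat is evidenced at a root method when every required behavior has
    at least one rule hit within `depth` calls of that root. depth=0 demands
    all evidence inside one method; depth=1 adds the direct callees that the
    behavior maps on this page rely on.
    """
    hits = rule_hits_by_method(report)
    found = defaultdict(list)
    for root in list(hits):
        scope = set().union(*(hits[m] for m in reachable(root, edges, depth) if m in hits))
        for name, behaviors in threats.items():
            if all(scope & alternatives for alternatives in behaviors):
                relevant = set().union(*behaviors)
                found[name].append((root, sorted(scope & relevant)))
    return dict(found)


if __name__ == "__main__":
    for name, evidence in identify_threats(SAMPLE_REPORT, CALL_EDGES, THREATS).items():
        for root, rules in evidence:
            print(f"{name}: {root} via #{' #'.join(rules)}")
```

Running it with depth=0 drops the "Install/Uninstall additional apps" and "Forward confidential data" threats, because their evidence is split between a function and its callee; that is the gap the behavior maps close.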
List of Tested APKs
The table below lists the APKs we tested.
| index | sha256 |
|---|---|
| 1 | 0d5fd1997ecb76a167df753d5cce7688dfd0d813c028c9644025da352af77b7d |
| 2 | 21c66fe505f2bcd7b29d413189920b3a85df48da0ecf4eb6962d6a504a7fdcd8 |
| 3 | 2922fcf373e2caf3588266cfafeaafbc74304c81d024315d279f0ea537adc1b6 |
| 4 | 360966ad8752d040e9aaae5cb4a5913e6f85edcf56ecfeb8246729b45d0e6c78 |
| 5 | 5769ae3cc93943dda4d1743f2febf6cec1282a0a6289da68cb55bb4724ec9332 |
| 6 | a78ab0c38fc97406727e48f0eb5a803b1edb9da4a39e613f013b3c5b4736262f |
| 7 | ab2906d88e4f64ec0784ef8fdf132bb7ca9a914c037c3b731803f3adfd7a8f66 |
| 8 | cb10953f39723427d697d06550fae2a330d7fff8fc42e034821e4a4c55f5a667 |
| 9 | d3f863757e946d117ee7c7b50e480264a2ff1a08e7925bd2de3e6c43182868ed |
| 10 | e27579b92fcad2f4fe96db7b5e7a7cdc41754a7cd126fcaf598d3f8d8c21c0f5 |