##################################### Quark Android Malware Analysis Report ##################################### New Quark Rules For DroidKungFu =============================== New Quark rules (#00212 - #00233) are now available. These rules target `DroidKungFu `__, a malware family that gains unlimited access to a device, installs and uninstalls Apps, and forwards confidential data. Check `here `__ for the rule details. With these rules, Quark is now able to identify the DroidKungFu malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Check :ref:`here ` for the APKs we tested. Below is a summary report of a DroidKungFu sample (``D277C97B1A8A78F859672B4A20E74B3313E9F964E68A6E857C1E9D33763434A5``). The report shows that Quark identified the sample as **high-risk** and provided a list of the sample's behaviors. .. image:: https://cdn.imgpile.com/f/dna1NWm_xl.png Identified Well-Known Threats ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats from DroidKungFu, as shown below. **1. Gain unlimited access to a device** .. image:: https://cdn.imgpile.com/f/4nCi9mL_xl.png The diagram shows that the ``Lcom/google/update/UpdateService;getPermission2`` function runs shell scripts and Linux commands directly, and also calls the ``Lcom/google/update/Utils;oldrun`` function to execute additional commands. Behaviors detected by Quark: * Run shell script (#00069) * Execute Linux commands (#00068, #00155) **2. Install/Uninstall additional apps** .. image:: https://cdn.imgpile.com/f/jpAr3Tm_xl.png The diagram shows that the ``Lcom/waps/k;a`` function installs APKs from a file, and calls the ``Lcom/waps/l;a`` function to install more APKs and the ``Lcom/waps/k;b`` function to connect to a URL. 
Behaviors detected by Quark: * Install other APKs from file (#00054) * Connect to a URL and set request method (#00096) **3. Forward confidential data** .. image:: https://cdn.imgpile.com/f/TsURgyN_xl.png The diagram shows that the ``Lcom/madhouse/android/ads/_;_`` function queries confidential data such as SMS and call logs and also calls the ``Lcom/madhouse/android/ads/_;__`` function to check for network connectivity. Behaviors detected by Quark: * Query confidential data (#00077, #00219, #00221) * Check for network connectivity (#00224, #00226) .. _list-of-tested-apks-droidkungfu: List of Tested APKs ~~~~~~~~~~~~~~~~~~~ The table below lists the APKs we tested. +-----+----------------------------------------------------------------+ | in | sha256 | | dex | | +=====+================================================================+ | 1 | 27 | | | A63D6412B3459E821D88A8EF133727B8DDA99262CEC71C9989EC28E394F173 | +-----+----------------------------------------------------------------+ | 2 | C3 | | | B0FF9C168FCDB02573AF741FC1E9B9E3EEA993A5407CFCF0BB29E0800760BE | +-----+----------------------------------------------------------------+ | 3 | E1 | | | 0A9E9A5758F04975FFE930AF08A339B897FF72DF85BE1707184C697C0E954F | +-----+----------------------------------------------------------------+ | 4 | 2C | | | 6B542B30C644BE1840E38EB8ED4592B671E4734C08FE57B315B92299B23A4A | +-----+----------------------------------------------------------------+ | 5 | 1E | | | C91FF1EA8ACCBC4181F3DF94C6A285013EC7A7D60467DEB9250E7681F4B73C | +-----+----------------------------------------------------------------+ | 6 | 20 | | | 639CFB1369F3D490ED532FE30E294ED4058B7D67C426484D7028B7B2B165E5 | +-----+----------------------------------------------------------------+ | 7 | 5F | | | 7A40015A1F3F42802424EC776799F5E0960F19E9BF8C86298AA5CFAC116BF6 | +-----+----------------------------------------------------------------+ | 8 | E2 | | | BC4E09BA57740C17F033F6B116EC0316771EF8C1DCB99145EEAC17F15FF2FA | 
+-----+----------------------------------------------------------------+ | 9 | 7F | | | 027D19AD8FCD2F4C6A6C74742DED6D1D7758FCD72BDD8B5590053BE65A1D2D | +-----+----------------------------------------------------------------+ | 10 | 21 | | | D4EB1ADA6CA0925AB8E21D30BFF8A40E88BC60773700B003C048BF8619E75E | +-----+----------------------------------------------------------------+ | 11 | 73 | | | A27FCF9FDE6D7EBC39F4995BD7DAA4F433C37314C0016D75C50CC39AE7A785 | +-----+----------------------------------------------------------------+ | 12 | 4E | | | A68DEB209A29ED0B1FA7F7555006DEC050D8F77CF5820B550E32E5A6F6F88C | +-----+----------------------------------------------------------------+ | 13 | E6 | | | 440A1AB96884C44250F2DB53618FC6762DD13EEBC59D1095F1E188D40C68E4 | +-----+----------------------------------------------------------------+ | 14 | C1 | | | 7D0979882468CCC26FDE81F5C6F0DDFB602F9AB9D3C92AC355C8D87A585380 | +-----+----------------------------------------------------------------+ | 15 | 47 | | | 7C68553FF88F831026E8842FE99FE14B2DDF08821A0CA3072B7EDBC872A292 | +-----+----------------------------------------------------------------+ | 16 | B4 | | | 098AE6205E3808A6B79495B2027452A7B8191200402F8BA32DBA0EAB21EA99 | +-----+----------------------------------------------------------------+ | 17 | 39 | | | 3456E6368079F36DC0CEA861361F976A5CD6A3191B69E49CFD6BF4692DC57E | +-----+----------------------------------------------------------------+ | 18 | 16 | | | A0C217F26C948D683B515CBB9E06CC0AAC422A951CE9E9E532D7A571152D2F | +-----+----------------------------------------------------------------+ | 19 | D2 | | | 77C97B1A8A78F859672B4A20E74B3313E9F964E68A6E857C1E9D33763434A5 | +-----+----------------------------------------------------------------+ | 20 | 51 | | | BFB82709E927D65770E5C59AB6EB96B73B19525E127F60A25831CD2B8AEE82 | +-----+----------------------------------------------------------------+ | 21 | C0 | | | 8539123E1F40439E0DB7DDEEDD6BF6B079AB5E62B2208E22884B28306C1CCA 
| +-----+----------------------------------------------------------------+ | 22 | 15 | | | D1FDC4B27509DF6D31F851675D03A21939A165B2011BFE0DB5EEA69BBB6B3D | +-----+----------------------------------------------------------------+ | 23 | 94 | | | BC85F5458E313AA138C9F4E4B8ED3AB8642694A07427B80441B8A538EC462C | +-----+----------------------------------------------------------------+ | 24 | 41 | | | DD548C530516448CB6A28DA67407725163F9620D92A35F8735FA4135ECC0A2 | +-----+----------------------------------------------------------------+ | 25 | A8 | | | 7C8FE4D821CB2B15FB4E1ADDF63E88DE7D09D37178A910C9221EA979C16F81 | +-----+----------------------------------------------------------------+ | 26 | 3B | | | 736A91DCA7AE8608C2174AD589400D3FD5FAE55A395920841A49EB10657A37 | +-----+----------------------------------------------------------------+ | 27 | 80 | | | 0A8CFF0C559C9478E6941B5E0B30E3848E8A0F9246C8E0C1A34A1459288D68 | +-----+----------------------------------------------------------------+ | 28 | BE | | | DF51A5732D94C173BCD8ED918333954F5A78307C2A2F064B97B43278330F54 | +-----+----------------------------------------------------------------+ | 29 | E2 | | | 0D4994C8A13854CD835919F5620A9B6217AC444016F9E97C3E9C3464E2F5CB | +-----+----------------------------------------------------------------+ | 30 | AB | | | 0A824F00E4AEE68A17DAD86182B6FFE83D6D7D07D572D31183CF4A8C1723DA | +-----+----------------------------------------------------------------+ | 31 | AE | | | BB5050F17588F0D3936B1B13BF7DCD856A7ACD8DB107C4853E7A9058D2A0CA | +-----+----------------------------------------------------------------+ | 32 | AF | | | 33315DFBF3ED5A0D28E8ED03A79D20C3B77B16129CCA9439BB4CBDDCA076E2 | +-----+----------------------------------------------------------------+ | 33 | 0A | | | E6CECB96E4515F4536EFC711D583A447FFFDF2BCD4E04D2F4A0347F63E40EA | +-----+----------------------------------------------------------------+ | 34 | 3C | | | 
81C9DF7CE0F94918CD0B833B070DFBBCEACF8688824AFBC6344E975EDFEB24 | +-----+----------------------------------------------------------------+ | 35 | C5 | | | C508FD88D058F5E2B3ABC2A066C52C1FAFB148F27000C47DA859945F771512 | +-----+----------------------------------------------------------------+ | 36 | FE | | | 98A9B6D1ACF4E2B52CAF0015E90B9FAB856B0C0AA581D526F3D2951B2F7904 | +-----+----------------------------------------------------------------+ | 37 | BA | | | 949E090EAB02005F9B1823B59AA4329017EA2441E81734F4827B3822C9704E | +-----+----------------------------------------------------------------+ | 38 | B6 | | | BF9FACFA89990ADF7F01D561875AC54D7577CA351D0C23D69B5E83E376963E | +-----+----------------------------------------------------------------+ | 39 | 2A | | | 93EB58C737572DD375A36F8A5397140C815DCAE05DC80DAFAAD4B3981A91B6 | +-----+----------------------------------------------------------------+ | 40 | D2 | | | E2396D8F6052E551E84CC69A97DB7D3D08DF9B3AA40C0070A7CE96B33622C8 | +-----+----------------------------------------------------------------+ | 41 | 25 | | | BE589140F73949124F08759AB5BB57B126396F1401E3BFBFDC5E5C056E0D03 | +-----+----------------------------------------------------------------+ | 42 | 41 | | | BD9843692B7421B2FBCEAC3C2F6AF3CE9C92339C10D43898E7E072B8E28BE3 | +-----+----------------------------------------------------------------+ | 43 | 3A | | | C65392A5E371D1FF5C7A2CBF580A4F3C2A5B36E11C01601D6B38D715C2A74B | +-----+----------------------------------------------------------------+ | 44 | 5D | | | 3A915B34D0925B9EA4A7E33E8E70A428B22CE57CD17CFB20DF37F463502B82 | +-----+----------------------------------------------------------------+ | 45 | 94 | | | A96E66ABC0ACEF751AF0C2140AE7CAD05E434609EB56FE6A6E6602FFE3E4B9 | +-----+----------------------------------------------------------------+ | 46 | 67 | | | E794151DD32338E0B1935A77ACA5B9A8D87C12C7A088326C2E9F2FFF048279 | +-----+----------------------------------------------------------------+ | 47 | 40 | | 
| BA6610360FFFE5BAFEE8504751C78B5AF3B913DA1C2D4AE97AEEA156E5510B | +-----+----------------------------------------------------------------+ | 48 | 19 | | | 7041741B0DD2FACE3C01A2FE82AC697A6B6B801B7DC2D3579DA7BBF56ACD73 | +-----+----------------------------------------------------------------+ | 49 | 8C | | | 5130774E5F1E8F6A0A16281A5AF22C5AC1FCD46DE907667714760ECB76F7EC | +-----+----------------------------------------------------------------+ | 50 | 86 | | | FDE6F59EF9A8F762AF7BB62DFC4467CA9BD3ACC63E50E5AB78A7B4487ED70D | +-----+----------------------------------------------------------------+ | 51 | 0B | | | 33469936791DB785E8546BB752AA75DE4C3227293A4237249DBD05FC12D039 | +-----+----------------------------------------------------------------+ | 52 | 25 | | | 061C50965D05E98E409E3A07FE4CE4825A9DACFF46A79FE57EDA7BFD184DEA | +-----+----------------------------------------------------------------+ | 53 | D2 | | | 187491BAD25E07B6817CDD3F044466B8FE2BE63D255DA2FE7CA58E8C8C6321 | +-----+----------------------------------------------------------------+ | 54 | 44 | | | 6A635890947E7956D5E8DD10C758A733144D573528153D6F5AFD0DD038BFC4 | +-----+----------------------------------------------------------------+ | 55 | DB | | | 104CAC9471650E5E5AF54E14C80F6247E16923E78E41DFAEED42F28CF5C523 | +-----+----------------------------------------------------------------+ | 56 | 42 | | | 69E9F03F43D82DF992B417E961554CAECB80D06CA3B0C1B847A09FD257901F | +-----+----------------------------------------------------------------+ | 57 | C3 | | | 1BC398066441E6FDB5F98EE6A4529D6F51925F4951EA679C028E50D0CAD950 | +-----+----------------------------------------------------------------+ | 58 | EC | | | 6212709ED75DEFC848626D2888B685AEAFC4FFD655AD830557F9994E8995F3 | +-----+----------------------------------------------------------------+ | 59 | 66 | | | BB9310F7063CC3B12F803D2C809C1DB46AB29F229599BE81728C432C208C9F | +-----+----------------------------------------------------------------+ | 60 | BA | 
| | A24D27A78F0641ACF806BD03722AA47F1DCBC42F1CCA04B14B0118E398F94A | +-----+----------------------------------------------------------------+ | 61 | AC | | | 5E59080E8E951AA5C62038D606E2BD3F8A20C0552F8E1B326B407D4BDCAA15 | +-----+----------------------------------------------------------------+ | 62 | 82 | | | 3EE1A0F81C0067F804B3F2497E8268A677C76D90DDD261A910CFE8D116897D | +-----+----------------------------------------------------------------+ | 63 | F3 | | | F52121296119FF32C334075EA80B74495FDE648A7204BED66268B285FBF199 | +-----+----------------------------------------------------------------+ | 64 | 0D | | | 9CB8010681D5F35969FB84F96FFCC53DD0B37AEE62F522C2972BEBF2759F02 | +-----+----------------------------------------------------------------+ | 65 | 03 | | | 259A1228E3AD616F10C2370B8C142A8D20132505FBC5CDB5137322A8A03FC6 | +-----+----------------------------------------------------------------+ | 66 | 8C | | | B684F1C8FDA8D16E9399F9B75AE1972888BA4398EEE1A7BAAB311DAEAD5F0E | +-----+----------------------------------------------------------------+ | 67 | 27 | | | B02028221B1AE647BD749EF916AC4D0AD39BA3C961ECD1AE37DF7988488225 | +-----+----------------------------------------------------------------+ | 68 | 56 | | | 628C603FDB1F33FDB8E53D796919F5385A9BAC31E3217A20F2E7531543CBD2 | +-----+----------------------------------------------------------------+ | 69 | 00 | | | 621E015191863041E78726B863B7E1374B17FDA690367878D1272B0E44B232 | +-----+----------------------------------------------------------------+ | 70 | 4D | | | 62CFEE89DFC4451BDA6FC9E6C09189B6BAD089E2E97E36084FD0E910363D76 | +-----+----------------------------------------------------------------+ | 71 | 04 | | | 9D5D5E6DDA98F512E0A9FD2D8E3299BB16ADFB63D95033ED6A839588D14425 | +-----+----------------------------------------------------------------+ | 72 | 64 | | | AB7A8E612D8D60C1C4CC8CE1B4ACE4AAFCEC7E1F5239894F2B214B094FA1B1 | +-----+----------------------------------------------------------------+ | 73 | 3E 
| | | 38E7FF5776548DA0FA1AFF91B364B338D5D7D51E6CB4E3ABFE2FF4B9BF985A | +-----+----------------------------------------------------------------+ | 74 | 3E | | | BB4C2BC959080EB9BA2328D10610B59E77892667F8CC5794479F0625E283EC | +-----+----------------------------------------------------------------+ | 75 | 4D | | | C7570244C38A690BCA52A8DA1B9108C7A0EE214FBC0A972725D43C8C78FA9A | +-----+----------------------------------------------------------------+ | 76 | EB | | | 2F047FE3AEA452F1867EC57FAE2E4E853652FE9CBABDD995A11C6FEC0D6500 | +-----+----------------------------------------------------------------+ | 77 | 1B | | | 7F0C198CB2278218B177F79F16D8C8CE9D7E46E2E65D2B6ACD61A3BA8C455A | +-----+----------------------------------------------------------------+ | 78 | 8E | | | 6DFA5676DAD428FD3BB767D33B74920D4B3E5D51821A1501D0ADC35B834A50 | +-----+----------------------------------------------------------------+ | 79 | 24 | | | CCB1BF995EEE442CC4BB86828795BEB0043CA5BF694B3765FBBDA7F69F4E40 | +-----+----------------------------------------------------------------+ | 80 | E7 | | | 0FB0052314184463A9F7D194DEE438FA381C6584B8009F178785E0E8CC5D66 | +-----+----------------------------------------------------------------+ | 81 | BA | | | F7340F3F1FD943A0A0E79FF59CAD5362D1BA45F05EB172A6730455F8CD55FA | +-----+----------------------------------------------------------------+ | 82 | CD | | | 3AF68A6C2D93D0261962F50F8DBBB9D72BF952A88414B33DDA49C613DBD8B5 | +-----+----------------------------------------------------------------+ | 83 | BA | | | 14BC0202CF321F4368E0DEE08E67CC7B55AC3A03AAF1726E03C4CC0AB44F02 | +-----+----------------------------------------------------------------+ | 84 | 05 | | | C68734C04460DFF87618C0065457788EDCAD84C23F32113B156A963290D917 | +-----+----------------------------------------------------------------+ | 85 | 09 | | | B952BB0E499EA71E042F6984E6E7632FE1B2F646E212E16468B54A7D0E4253 | +-----+----------------------------------------------------------------+ | 86 | 
70 | | | 3B9C40116A1AF70522933D25B72E85863EF177F937B28CE82C048928C83379 | +-----+----------------------------------------------------------------+ | 87 | 97 | | | CE153A87917E46907CE3C43328FA398BADA713ADF9DF7A756174EE8C7F50E5 | +-----+----------------------------------------------------------------+ | 88 | A5 | | | 706AD49019EF9671242437834A492170F6DDBBD11DF2BE8D0C7F0477530CBE | +-----+----------------------------------------------------------------+ | 89 | 4F | | | FF4F4F98197ACD4A943ACEDE362D4C64F9D20EE5E64F7D0F4E66F3DD08FBBC | +-----+----------------------------------------------------------------+ | 90 | 54 | | | F84DBB2A95A53AF72E7346CBE139BDEA1759C92C50AD202B66E8F6D548D876 | +-----+----------------------------------------------------------------+ | 91 | 93 | | | BC7CAE3DC7ECAFB01A9D136A7D24E280673F7DDE1B30F545E1FE2646E8A66C | +-----+----------------------------------------------------------------+ | 92 | 66 | | | ACC04320B125B0974DF859850C1A5B2B9C2B58768CBAB83A93BA955FA9287F | +-----+----------------------------------------------------------------+ | 93 | C5 | | | EA7E9101DCE70C56A0F48B622FCFF619D615F5034B15D21BDB7F40B74602CF | +-----+----------------------------------------------------------------+ | 94 | 14 | | | F44E244274BF9A698960DAA82D98D3FD66AC7E8FE6F7F9916F164E468C30A7 | +-----+----------------------------------------------------------------+ | 95 | 0F | | | 2931043C240C14DE48C7A6630752474C3FE5A87A5113F13851CFE8D14754DC | +-----+----------------------------------------------------------------+ | 96 | 1C | | | 5A89EB4638229DD8DC6D4F55BCAC8D565D2FEF20F6BEFE52270D50973B6151 | +-----+----------------------------------------------------------------+ | 97 | A1 | | | F98073B0D39B6E3A981D7DB2C528CC9B88A4CC207350F4467916F265D0244F | +-----+----------------------------------------------------------------+ | 98 | A1 | | | 28DE003C61B08C439F181253A5C8882DE1C48F517B0B0BF6B18614D11E2674 | +-----+----------------------------------------------------------------+ | 99 
| D6 | | | 95B7310BED20E3AE00C0C4754039C3BB095062F4D746897BDF417444F454C9 | +-----+----------------------------------------------------------------+ | 100 | F5 | | | 2BD07D3457B69720C9A54BE5730545BFCC80269BE749FACA723906A303AD33 | +-----+----------------------------------------------------------------+ | 101 | B4 | | | 524506739CBF40D3C823D716FA2DEB9ACE38C199CF0F7661FE8DDF688953E6 | +-----+----------------------------------------------------------------+ | 102 | 43 | | | 567A80FB8122F77E1CF72CFD898A6B9BFDC18F27EBE716C444143E03630200 | +-----+----------------------------------------------------------------+ | 103 | 22 | | | 20A2EBB3068D1C912189CA6F8E89D0E63836E40A75F5E5C2B7B99A498E7CBA | +-----+----------------------------------------------------------------+ | 104 | E5 | | | 8BF56343D6A44B0D863534426109B348673C76EC433BF310E638F34EB786B7 | +-----+----------------------------------------------------------------+ | 105 | 30 | | | 866091584856AC8A7F353172C3D9B0643602F351BE56BA92B4AB2DFD68230D | +-----+----------------------------------------------------------------+ | 106 | 1E | | | 1D93EDC231E7F2FAE9ABB825640E803137A1A672B9D5E93BDFA6D7E8F57DCE | +-----+----------------------------------------------------------------+ | 107 | 3D | | | 210599B3EE6C84D9D8FCB236C02394D24974EE3E0FE2D03B013D538E611CE1 | +-----+----------------------------------------------------------------+ | 108 | 51 | | | 07DEDE507180C8458C4E5F87E27F580521F365A54D9E71286ACF0E54DB9E1E | +-----+----------------------------------------------------------------+ | 109 | 5D | | | 5624B266E294C0DC7673D2FB8E126EC559D37CEC74C5508D8E6674377EF107 | +-----+----------------------------------------------------------------+ | 110 | DA | | | 2EE0B84AC470986543ACCA1F4C51DEF534D23F04E39F0DD85CCCBA45232738 | +-----+----------------------------------------------------------------+ | 111 | 72 | | | 865ADB5BAFDA646F6F60834E0462E1626C88F075E4161F3CE0EBF217D6C4CB | 
+-----+----------------------------------------------------------------+ | 112 | 8E | | | A992D99898B26E014F82C475F605D90BF0828CFE244922197020B62147B55C | +-----+----------------------------------------------------------------+ | 113 | 45 | | | 36BF0914B3D76047AEB6EA92F21D0CB7561F68DAE870DB3F6DE9FD7420B785 | +-----+----------------------------------------------------------------+ | 114 | CA | | | 8EB1155C2F5B33822B906F2255CDEAC0EEAD86A58F151C11BD5003458CFCA1 | +-----+----------------------------------------------------------------+ | 115 | 00 | | | 1E0F67B5BB9DDAB14FACBEF94791EAED0EB939BCB651D19DAFD0E2A05D8178 | +-----+----------------------------------------------------------------+ | 116 | 37 | | | C1F16781B2399019AAF2525834ADFE00592F1C62D07D1B0C91A40E11D1B80C | +-----+----------------------------------------------------------------+ | 117 | F1 | | | 57946D3868FBE013EC23B14F1097BB727654B4F3926322F035E86E3F5F637E | +-----+----------------------------------------------------------------+ | 118 | E9 | | | 484114F77952ECE8234927BCC865886938C41F4F4657741F01B22A214E10FA | +-----+----------------------------------------------------------------+ | 119 | B0 | | | CCDE6A945212ED23F3E85CD861D73A42A98C53D63237CD3C0EB67DDA57BDBC | +-----+----------------------------------------------------------------+ | 120 | C9 | | | 07757169BBE2A5FA05080B75E5E273F0EF02B06552BF4DF3C386096FEFDD20 | +-----+----------------------------------------------------------------+ | 121 | 0F | | | A18A95361BBF4413A9B734B540F52C6BD2411090DEC4D7E3DB6708FEDC68AE | +-----+----------------------------------------------------------------+ | 122 | 6E | | | D52331A788EF18727C8E34746B59DB81ACDB261659934BE63B0266FB7C19E7 | +-----+----------------------------------------------------------------+ | 123 | BC | | | E128DBE9A75CCADE50ECAD2E52499F67E58479ECD69861B3D117984DF47136 | +-----+----------------------------------------------------------------+ | 124 | AB | | | 
4B4D65A4C7CB3AAFBB7E6630830393D43E619881DA76EE06760466FB79E894 | +-----+----------------------------------------------------------------+ | 125 | 87 | | | 7BBED1EC7BA716D70754F6F015C950217FA16F6EA70833B0196C7C560B8239 | +-----+----------------------------------------------------------------+ | 126 | 00 | | | 15AE7C27688D45F79170DCEA16131CE557912A1A0C5F3B6B0465EE0774A452 | +-----+----------------------------------------------------------------+ | 127 | B2 | | | 4B268C7C9574BB5FFA48C239F77089BD14BA3EA8B6DDE3DA42958569477D01 | +-----+----------------------------------------------------------------+ | 128 | 38 | | | 070B4D027E0256E6B8538384E374E14D7F8006920A60E9BB9238CD45855CC6 | +-----+----------------------------------------------------------------+ | 129 | 7B | | | 5338E1E7BF8B4816B821DB9ED042ED13CE4F8EBD1748BA9788B070E45BF03D | +-----+----------------------------------------------------------------+ | 130 | 4F | | | 1CBB091DCDE0CD0E8FE0D4BD27134750BAC6711029E0A37179832AD3698EA9 | +-----+----------------------------------------------------------------+ | 131 | E2 | | | 6656A75FB347F317ACC7A670F8D16DD4C4433691443A77B46C84B9E3A0FB66 | +-----+----------------------------------------------------------------+ | 132 | B9 | | | 0564F3809FC8B0B0CE1CBC53DBFF6C6A293BCFCC5EF7821E28BF87262FB9FD | +-----+----------------------------------------------------------------+ | 133 | EE | | | 21782BF346B26411CB00CA83F91AA18C01CF67086D500E66672A0DE046FFAD | +-----+----------------------------------------------------------------+ | 134 | 24 | | | 2A0048497BCBDEB4D1A5A43DF08E492BFD42B0B85FF63B2C2A49AD5EA50829 | +-----+----------------------------------------------------------------+ | 135 | 53 | | | 702B51E102AC3AD7C859019B8640B88D65B3D6008825ACA2D1FCB80B2FA845 | +-----+----------------------------------------------------------------+ | 136 | FA | | | E5B82A8DDD7C6EA2B417711E7D0FF8EE02244B7FF9980BCDADFB940EC85096 | +-----+----------------------------------------------------------------+ | 
137 | 0F | | | CE8643A036D954E75ECA205B2EBA45629C999AA13ABF8896B4BBC07B0BCFA7 | +-----+----------------------------------------------------------------+ | 138 | D3 | | | 4E040FD052963C9348B8AF50B415419216BE1A00DBF25C7F7B86545EF84C7C | +-----+----------------------------------------------------------------+ | 139 | 9C | | | 6724919CAF4DC134AACF828A62663084DDCD6459FD1249DF36BCFFC7EF2EBB | +-----+----------------------------------------------------------------+ | 140 | 91 | | | 84D161D1931A58CFA091569CDE481FCC87AA3A4D32C24622A29EAEA5FC3EEE | +-----+----------------------------------------------------------------+ | 141 | C9 | | | 2E7ABD460FF39CB41709416959366739B08006DC2EEA05E367981F9578E6B0 | +-----+----------------------------------------------------------------+ | 142 | B3 | | | 27C0BBB16C9ADCD566877AC29DC0B0EDCFF9E654DAD66C514B19877A45B6C8 | +-----+----------------------------------------------------------------+ | 143 | 62 | | | 923018BFCFB2AD1F05EDE135024EDBBADB20DFF9F816EC3F846B2900636ACF | +-----+----------------------------------------------------------------+ | 144 | 2B | | | AF6E70672789096752383F0DFDA9774A3FEF55CD64C5AD7FE5CE02F4BEB8FB | +-----+----------------------------------------------------------------+ | 145 | 72 | | | E6AE9CD081F8D38488CF4077F66DB0F97CEF486A60EB38C593BA82DB77ECD8 | +-----+----------------------------------------------------------------+ | 146 | F6 | | | EB0EB6FDBB4A1615050F59EB6FAE8F999824E5D65CE1A437761FE7BE4B8215 | +-----+----------------------------------------------------------------+ | 147 | F7 | | | B038B441E051B3BCC6F40964C215F61A3A226EF3A1B8D58A36E135115DBCFE | +-----+----------------------------------------------------------------+ | 148 | 73 | | | 5F5724975302D23C7CCB6F69C0AB4C64F3E63AF38E828E302DCE79FB08593A | +-----+----------------------------------------------------------------+ | 149 | 80 | | | 612FE193401626268553C54A865E67B76311E782005EDE2BA7A87A5D637420 | 
+-----+----------------------------------------------------------------+ | 150 | 93 | | | 8EFB5BDC96D353B28AF57DA2021B6A3C5A64452067059BF50D7FB7C7A66426 | +-----+----------------------------------------------------------------+ | 151 | 84 | | | C7A452E72ABC4EAA51AD8F3569A6E10365804A963FA61C034FD1F3DC846957 | +-----+----------------------------------------------------------------+ | 152 | 07 | | | FEAA0E04E56CB3CCD06FD7902A9D9CEC48DFD901BD6D5E07ADE81448DCC5D6 | +-----+----------------------------------------------------------------+ | 153 | 64 | | | 47ED2ABE5AB3827C519BC1EB732159FFE284BE73B8780F294F562996DC9C47 | +-----+----------------------------------------------------------------+ | 154 | 51 | | | 37EDD9FA6E73BE3B5C14C50FAF0B6602C7A155E30A931D2A98B31AC1E021C9 | +-----+----------------------------------------------------------------+ | 155 | 53 | | | B1523A8F52D3C924043B93AC44FB96F2D496D1C054D873E62B5BC9644B1B52 | +-----+----------------------------------------------------------------+ | 156 | D7 | | | D47ABC80CDBC7D0AEDF9B8E863E28F0B79CA47D71155A3D364EF096DF98D7E | +-----+----------------------------------------------------------------+ | 157 | AC | | | 48E0526730A611D363AE5DBFD2F3AA4296BD71C66E13B9DB3D272B754EDCD9 | +-----+----------------------------------------------------------------+ | 158 | 42 | | | 2B2A9F8547E4239E1BB508359872C6365B42ECC460C82A0FABAC04F2E44808 | +-----+----------------------------------------------------------------+ | 159 | 7D | | | 4FD317B9E19AF2BBC5B707C3CCCA5D504B11371D10E3CBAF0AB4E56D0ACAB0 | +-----+----------------------------------------------------------------+ | 160 | D5 | | | C60074995C0AA0842AEF02269C8567F8B59902E4AADB865C69CB3738D9051F | +-----+----------------------------------------------------------------+ | 161 | C8 | | | B6CC0BA9DDD2206FD35AA3AD379B169DEBFE223A0EE0E5AA28DA1AA683343C | +-----+----------------------------------------------------------------+ | 162 | 92 | | | 
1F76D6153E86E480A1FE309A19DA4F75B85BC3F85F3826694977CD2046F0A3 | +-----+----------------------------------------------------------------+ | 163 | C7 | | | C46F7E5F58B1E6912BC0638475840741CAED5685AF0AB6B563A637B92D41A3 | +-----+----------------------------------------------------------------+ | 164 | 37 | | | D382FAAFCAAD6F8BF5DA383CB8703B7094A045AEAC5E13B5F4225C6272A615 | +-----+----------------------------------------------------------------+ | 165 | 65 | | | CEFD92274FB4AF9F33728F8759A6BE835C7550B96EDAB798787CBB8EC95FB3 | +-----+----------------------------------------------------------------+ | 166 | 28 | | | 7E705784FE12335E9355C20F8BC8072A7A6A87DEA751CE471CCE37D426E9F0 | +-----+----------------------------------------------------------------+ | 167 | AE | | | F39A6FAEB83695C7D97B93E6BC550D0AED93EFE886E651A1610DD8B2ED013A | +-----+----------------------------------------------------------------+ | 168 | CB | | | D9BA3E8D82F9D475C81BC3C057C19869810B2CD47E6EDBF392B4A7612F8239 | +-----+----------------------------------------------------------------+ | 169 | 51 | | | F16E4D41EC420E8520220D44B0088C81619014896BE524F411B718E730A33F | +-----+----------------------------------------------------------------+ | 170 | CF | | | 997FE5C0AB00EA447EE13F7DEEC8E97EFE412F65355448F04565A1F7AC0E72 | +-----+----------------------------------------------------------------+ | 171 | E4 | | | EB02B2D64D33E4C0536406BFC9A6D8FCC6B5237642D92333EE3E089BD82723 | +-----+----------------------------------------------------------------+ | 172 | 5B | | | 8D52ABE9FA8E849A89CF87F90CB07E77BB429E0FE5F518873C8B26EE231A87 | +-----+----------------------------------------------------------------+ | 173 | C9 | | | 6029C4F9777C9D521249EE1AC27F75C2350614C361469D0C7B3F8124DA3E14 | +-----+----------------------------------------------------------------+ | 174 | A0 | | | E3891E0790A9EC38EA05BCC0EA7067E98CED68DBCAFEE10A5F73D560A97B17 | +-----+----------------------------------------------------------------+ | 
175 | FD | | | ED1EC2D17F957B230FEB5FFF518EC98322A1617E4E28953FF38270CB16098A | +-----+----------------------------------------------------------------+ | 176 | EB | | | E06DFB790CCEC41432637C593139E6C813AF0BA0F1366FF9FF12F8DD89AD40 | +-----+----------------------------------------------------------------+ | 177 | 2D | | | 2C183A82B5F13E458946DEFA3D2DC361B6FBB1321FE0535DAB40FCA4B7C272 | +-----+----------------------------------------------------------------+ | 178 | A6 | | | 291A63E3B4E8E3B58E96DB2A98BA918E674B21B3483EC0A69DA5C5594390D8 | +-----+----------------------------------------------------------------+ | 179 | C7 | | | BE73CAC9A130F487490E98B811F707492F92EEB989D75681F113FC7B184F95 | +-----+----------------------------------------------------------------+ | 180 | 35 | | | CEFBC2F7DB302E881DAEBB572093D721E3E94CDDEC465B6F08877095B572BD | +-----+----------------------------------------------------------------+ | 181 | 6E | | | 417844E162251228B6305C70ACC481F423036C6F14DA753F8C591F115EA8E0 | +-----+----------------------------------------------------------------+ | 182 | 58 | | | 96A3D47B5CEEAAD8C69D9811C79438233EF78E042EBEEFF807C69B6EE63FB2 | +-----+----------------------------------------------------------------+ | 183 | 3A | | | 867B8D991A3125CA3ED27E2F0D6568277AEC1CD15A0D8F9201981F4A5EEC6D | +-----+----------------------------------------------------------------+ | 184 | D0 | | | F06064FD7C105AFB139A30010104E1FE4A41A0967E450F9509ED7AA793AA1A | +-----+----------------------------------------------------------------+ | 185 | F1 | | | 9B3B007B54813C8395F826D76ABB6C7573286D9866ECF1F71CBBB75C12BF04 | +-----+----------------------------------------------------------------+ | 186 | EF | | | 2B268D4FF17708D1D01E363CB486E7AA83616AB595434535CFB33BE0F716C4 | +-----+----------------------------------------------------------------+ | 187 | E1 | | | 16D6C8F922AE101D2AF721AF3D183DD12D47A167312266E54C02F8B5AE53E3 | 
+-----+----------------------------------------------------------------+ | 188 | C7 | | | EE00F75D464EFE63FBF3998517B171AA296DBD3254E95DF25BC579F8517AA2 | +-----+----------------------------------------------------------------+ | 189 | 4D | | | 920F5202A33EBD9BBAFD73E11D5D222D4B8E0D50C11BC9B8B5F4E291F7C8E1 | +-----+----------------------------------------------------------------+ | 190 | 02 | | | E112947AA19A577FD9D825531BD74797BBF5825A74E9918D4027BBD24BB49B | +-----+----------------------------------------------------------------+ | 191 | 9A | | | C9E6123537F163E7730768B1B39BDA34A7831B5A3F8752D2A0CA4C394F5752 | +-----+----------------------------------------------------------------+ | 192 | 2D | | | 1EEE053F84BFFF1C9F4F82CAD96DD60D04596236DF9B929A921E32BF4EFB0A | +-----+----------------------------------------------------------------+ | 193 | 31 | | | 4BA33232F07D0EAE2648A6DF5B3009484CFDBDA6E57D8A0B221D215EC5300F | +-----+----------------------------------------------------------------+ New Quark Rules For GoldDream =============================== New Quark rules (#00234 - #00237) are now available. These rules target `GoldDream `__, a malware family that monitors SMS messages and phone calls and uploads them to remote servers. Check `here `__ for the rule details. With these rules, Quark is now able to identify the GoldDream malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here ` for the APKs we tested. Below is a summary report of a GoldDream sample (``ECA3A3666B0FD72028431431E7FAE6774A8CA692E35AE3CB44FD8F2AA418F746``). The report shows that Quark identified the sample as **high-risk**, with a list of behaviors as evidence. .. image:: https://cdn.imgpile.com/f/qg9XDXG_xl.png Identified Well-Known Threats ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. 
This feature helps identify 2 well-known threats from GoldDream, as shown below.

**1. Monitor SMS messages and phone calls**

.. image:: https://cdn.imgpile.com/f/egCf5BD_xl.png

The behavior map shows that the ``Lcom/sjhi/client/zjReceiver;onReceive`` function monitors SMS messages and phone call activity. It also calls the ``Lcom/sjhi/client/zjReceiver;a`` function to collect the data into files.

Behaviors detected by Quark:

* Monitor incoming call status (#00064)
* Monitor incoming SMS message (#00234)
* Monitor outgoing phone call (#00235)
* Write data to file (#00236)

**2. Upload SMS messages and phone calls to remote servers**

.. image:: https://cdn.imgpile.com/f/SOrA9Qz_xl.png

The behavior map shows that the ``Lcom/sjhi/client/e;a`` function connects to a URL and writes a file to an output stream. If the output stream belongs to that URL connection, the function is uploading the file to a remote server.

Behaviors detected by Quark:

* Connect to a URL and set request method (#00096)
* Write file content to an output stream (#00237)

.. _list-of-tested-apks-golddream:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.
+-------+------------------------------------------------------------------+
| index | sha256                                                           |
+=======+==================================================================+
| 1     | DAAFD978B9C3D6CE45DF705F9C5DE432609546673441A7F1ECAE7C4F42069FE1 |
+-------+------------------------------------------------------------------+
| 2     | D710998CC0C38046D8C3713463B992B925A647780D61030462DBEE41094D2E21 |
+-------+------------------------------------------------------------------+
| 3     | C2236E4159E14623214C9F22EB8B373AE47C20CEF126398B7EC2D11DDF7133CB |
+-------+------------------------------------------------------------------+
| 4     | 30838B9223D7C9A029D25903030C0EE5784E2556F3FB4994A9A66D0E52452915 |
+-------+------------------------------------------------------------------+
| 5     | F44FF1D306731B7EA378569545963A71254145252C2D26CA6F679CAA8FD39468 |
+-------+------------------------------------------------------------------+
| 6     | 26C12F1A899DBA752B29B20B599CEAC2A814BE1AB3CD50BEB96A26B6033F2F1E |
+-------+------------------------------------------------------------------+
| 7     | 38A90E9AB4FAA62EA71F1FC726BA4B747FA363D9F4D15E7478239E771FC36BC9 |
+-------+------------------------------------------------------------------+
| 8     | 72A3B68C5EBD84E1F9FF9AF529A2102A1DE08E7F1CA5B874CF1FFB4B380AF7C9 |
+-------+------------------------------------------------------------------+
| 9     | 594EBCC14A163B86222BD09ADFE95498DA81CEAEB772B706339D0A24858B1267 |
+-------+------------------------------------------------------------------+
| 10    | 4DB9936E2BD190CC35710264179D5FEB28735C0661991593F28D5FEA6B2A3998 |
+-------+------------------------------------------------------------------+
| 11    | 021B664D927EE81E90B936E6B880844B040753BC048DEBFF0358B39FA15C39E7 |
+-------+------------------------------------------------------------------+
| 12    | 6F3FF062C0A4CA13A12C68FB3FC17A12F75BD18BA6CB76CC82660F026A966990 |
+-------+------------------------------------------------------------------+
| 13    | ECA3A3666B0FD72028431431E7FAE6774A8CA692E35AE3CB44FD8F2AA418F746 |
+-------+------------------------------------------------------------------+
| 14    | 05A64C76B56919F4C6063CE376B59AC84C707425D6A442936B5AD659F7293C1E |
+-------+------------------------------------------------------------------+
| 15    | 36D7471FA1E7C3AF4BE233F4F4971B41CF0A1EF1067D4C3B1D3BD4C3CD3D2E38 |
+-------+------------------------------------------------------------------+
| 16    | 70F447054FD798F6EC3D6E67104F0910C73BAD80A94FD83AAC4F119786A0F253 |
+-------+------------------------------------------------------------------+
| 17    | 545E1A911DA1071D79D9C40E945480FD9D5BA051472991819F8EB2644C5A6F3D |
+-------+------------------------------------------------------------------+
| 18    | 3E72CC3C0DB3513A29FF53E27726FB9277C7D2F13661CF0DFCA8EB34DC690074 |
+-------+------------------------------------------------------------------+
| 19    | FF2BEF8912CCD5CEE93DC8C6FB4BE2B142E790A30689AFEDB32ECB665AD1F040 |
+-------+------------------------------------------------------------------+
| 20    | BA84EB2885F01C15DFDA3FE394486BE9E7E0FAECE28EABA70B007BE5864C233D |
+-------+------------------------------------------------------------------+
| 21    | 42979D0E32550419DFA7F7BB1C5CCA245056E0EC50B489CA73C259E45C76C66D |
+-------+------------------------------------------------------------------+
| 22    | 969BCDB8DC4043483AB645AFFF4616A1845F2276EF4165475F6357D71508047C |
+-------+------------------------------------------------------------------+

New Quark Rules For SpyNote
===========================

New Quark rules (#00238 - #00242) are now available. These rules target `SpyNote `_, a malware family that takes screenshots, simulates user gestures, logs user input, and communicates with C2 servers. Check `here `_ for the rule details.

With these rules, Quark is now able to identify the SpyNote malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision.
Please check :ref:`here ` for the APKs we tested.

Below is a summary report of a SpyNote sample (``0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b``). The report shows that Quark identified the sample as **high-risk**, with a list of behaviors as evidence.

.. image:: https://i.postimg.cc/4NYt9kTb/Screenshot-2025-09-24-10-00-28-Screenshot-2025-09-24-10-03-382.jpg
   :target: https://i.postimg.cc/4NYt9kTb/Screenshot-2025-09-24-10-00-28-Screenshot-2025-09-24-10-03-382.jpg
   :alt: SpyNote summary report

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 4 well-known threats from SpyNote, as shown below.

**1. Take screenshots**

.. image:: https://i.postimg.cc/wMcJFd87/screenshot.png
   :target: https://i.postimg.cc/wMcJFd87/screenshot.png
   :alt: Screenshot behavior map

The behavior map shows that code in the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/keydkuycdcczonreivsieapzgrzkejxcowwsziydpvouihgqnu3/AccessService`` class obtains screenshot data and converts it into bitmap format.

Behaviors detected by Quark:

* Extract screenshot data to bitmap format (#00238)

**2. Simulate user gestures**

.. image:: https://i.postimg.cc/k4yXpMG3/gesture.png
   :target: https://i.postimg.cc/k4yXpMG3/gesture.png
   :alt: Gesture simulation behavior map

The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/Perfct;clickByGesture`` function simulates user finger gestures on the device.

Behaviors detected by Quark:

* Simulate user gestures (#00240)

**3. Log user input**

.. image:: https://i.postimg.cc/pVcgt0r5/logging.png
   :target: https://i.postimg.cc/pVcgt0r5/logging.png
   :alt: Input logging behavior map

The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/keydkuycdcczonreivsieapzgrzkejxcowwsziydpvouihgqnu3/AccessService;checkPassword`` function obtains the description of a UI element.
It also calls the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/FileUtils;writeText`` function to log the data to a file. If the UI element is a keypad button on the lock screen, the user's password can be logged.

Behaviors detected by Quark:

* Get the description of a UI element (#00241)
* Write data to a file (#00242)

**4. Communicate with C2 servers**

.. image:: https://i.postimg.cc/cCHZkQPw/connect.png
   :target: https://i.postimg.cc/cCHZkQPw/connect.png
   :alt: C2 communication behavior map

The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/hlshzietuthuztzpsjgswpikkmwdxkiqxbzdseqdoywzyerfhi4/CameraHandler$1;run`` function establishes a connection to an IP address, which could be a malicious C2 server.

Behaviors detected by Quark:

* Establish a connection to an IP address (#00239)

.. _list-of-tested-apks-spynote:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.

.. list-table::
   :header-rows: 1

   * - index
     - sha256
   * - 1
     - 059b5f74e053c2966775157cd521580fcfaa3b1a7613560b8f499dbd9c11d4b4
   * - 2
     - 0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b
   * - 3
     - 4b2b411e03aafaa19ea93286fadd39a5134f4a039db2d5019b1054547c0d5601
   * - 4
     - 5c01f7727c78dea9c89dccf92b01b4c45e69406e6462340779401497bf4d4589
   * - 5
     - 8c365bd58edeb2ca371ead5e28350ee6c480a79f558d967ecbef525e9f1d7b3e
   * - 6
     - da4f59bdc91eaeaba238a8ba9602f7d5cc75f0892a92f5422e23b55accbbb2f0
   * - 7
     - dd7650a9cd3f853e109d2d0138ede785e1559d6c2d8c52eec2f2d9808a924f1c
   * - 8
     - dee1eaaa8879a7d321ef4e698203be7b23eeda80a6dea3c70cbf3138597b1800
   * - 9
     - f46b863952599b91a4d2d682a80f345dfa03fad473d1938f2c53a3139c87a019
   * - 10
     - eec5096dfca6824317863f9225c29f6c4b3442c48fefa62dc382e3569bca5a60

New Quark Rules For DawDropper
==============================

New Quark rules (#00243 - #00245) are now available. These rules target `DawDropper `_, a malware family that downloads and installs additional APKs. Check `here `_ for the rule details.
With these rules, Quark is now able to identify the DawDropper malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here ` for the APKs we tested.

Below is a summary report of a DawDropper sample (``a1298cc00605c79679f72b22d5c9c8e5c8557218458d6a6bd152b2c2514810eb``). The report shows that Quark identified the sample as **high-risk**, with a list of behaviors as evidence.

.. image:: https://i.postimg.cc/44T6JT3v/Screenshot-2025-10-21-22-38-20.png
   :target: https://i.postimg.cc/44T6JT3v/Screenshot-2025-10-21-22-38-20.png
   :alt: DawDropper summary report

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 2 well-known threats from DawDropper, as shown below.

**1. Download APKs from remote servers**

.. image:: https://i.postimg.cc/VLW5TKMP/downloadapk.png
   :target: https://i.postimg.cc/VLW5TKMP/downloadapk.png
   :alt: APK download behavior map

The behavior map shows that the ``Lcom/techmediapro/photoediting/core/MainActivity;N0`` function downloads a file from a URL. If the URL points to an APK, the function is fetching an additional APK from a remote server.

Behaviors detected by Quark:

* Connect to a URL and read data from it (#00243)
* Write data to a file (#00244)

**2. Install additional APKs**

.. image:: https://i.postimg.cc/nc663z2H/installapk.png
   :target: https://i.postimg.cc/nc663z2H/installapk.png
   :alt: APK installation behavior map

The behavior map shows that the ``Lcom/techmediapro/photoediting/core/MainActivity;S0`` function installs additional APKs.

Behaviors detected by Quark:

* Install other APKs from file (#00245)

.. _list-of-tested-apks-dawdropper:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.

.. list-table::
   :header-rows: 1

   * - index
     - sha256
   * - 1
     - 022a01566d6033f6d90ab182c4e69f80a3851565aaaa386c8fa1a9435cb55c91
   * - 2
     - 02499a198a8be5e203b7929287115cc84d286fc6afdb1bc84f902e433a7961e4
   * - 3
     - 05b3e4071f62763b3925fca9db383aeaad6183c690eecbbf532b080dfa6a5a08
   * - 4
     - 71c44a78cd77a8f5767096f268c3193108ac06ff3779c65e78bc879d3b0ff11d
   * - 5
     - 77f226769eb1a886606823d5b7832d92f678f0c2e1133f3bbee939b256c398aa
   * - 6
     - 8fef8831cbc864ffe16e281b0e4af8e3999518c15677866ac80ffb9495959637
   * - 7
     - 9b2064f8808d3aaa2d3dc9f5c7ee0775b29e29df3a958466a8953f148b702461
   * - 8
     - a1298cc00605c79679f72b22d5c9c8e5c8557218458d6a6bd152b2c2514810eb
   * - 9
     - b4bd13770c3514596dd36854850a9507e5734374083a0e4299c697b6c9b9ec58
   * - 10
     - d5ac8e081298e3b14b41f2134dae68535bcf740841e75f91754d3d0c0814ed42

New Quark Rules For SLocker
===========================

A new Quark rule (#00246) is now available. This rule targets `SLocker `_, a malware family that locks the device with an overlay screen. Check `here `_ for the rule details.

With this rule, Quark is now able to identify the SLocker malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here ` for the APKs we tested.

Below is a summary report of an SLocker sample (``570e2811e8c87f714eb3485c271ec03b9de699c6b7f67e858a24396ce5f7b69e``). The report shows that Quark identified the sample as **high-risk**, with a list of behaviors as evidence.

.. image:: https://i.postimg.cc/851cvgFy/Screenshot-2025-11-25-22-36-54.png
   :target: https://i.postimg.cc/851cvgFy/Screenshot-2025-11-25-22-36-54.png
   :alt: SLocker summary report

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 1 well-known threat from SLocker, as shown below.

**1. Lock the device with an overlay screen**

.. image:: https://i.postimg.cc/1zd7nsYP/blockscreen.png
   :target: https://i.postimg.cc/1zd7nsYP/blockscreen.png
   :alt: Lock screen overlay behavior map

The behavior map reveals that the ``Lcom/lololo/LockService;onCreate`` function creates an overlay window on top of other applications. By configuring the window to occupy the entire screen, the APK can block all user interaction and lock the device. Drawing over other apps normally requires the ``SYSTEM_ALERT_WINDOW`` permission (the "Display over other apps" grant), so the manifest is worth checking alongside this rule.

The behavior detected by Quark:

* Create an overlay window on top of other applications (#00246)

.. _list-of-tested-apks-slocker:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.

.. list-table::
   :header-rows: 1

   * - index
     - sha256
   * - 1
     - 35c39da84abfc8d8b89389524d6e203d91e5af8004720c60f13b492e14ddde56
   * - 2
     - 570e2811e8c87f714eb3485c271ec03b9de699c6b7f67e858a24396ce5f7b69e
   * - 3
     - 88b86662dd1653845985544299fd8cc732f49c72d63c86ea3ffb7bb3b3249138
   * - 4
     - 8ec195cd1f5c9f66c75000f26120832d7e1a9044fe3699d18d676bd5739b8518
   * - 5
     - 9cc9fba099c35d65638f521e5a1d748ea432b64d82fe9732cfc52f8b57d3dffd
   * - 6
     - 9e875f82515cc6b27367ae20ef52b9e0d7476bf8bda91e2ba0d888cf0857311f
   * - 7
     - a60082e481d6873103537e136b7b14a7892cd1205593d64567a448453eff4a6a
   * - 8
     - b5ab87692109c072cc277246e957ab32cfce6973f9f06c609ba51b53114cce51
   * - 9
     - df091031ed5073de09158b3afcf1fb956d1f337a66e552e9d3458ed5f5f6edb1
   * - 10
     - e504ff4501da2412758babadabb05a761ae6edacd043d68334e384d94fe4f4ac
   * - 11
     - f3fcd84b4e92a52ae5b30df003b911f21b2ea4325f788d5a5decc08582d3fd40

New Quark Rules For PhantomCard
===============================

New Quark rules (#00247 - #00251) are now available. These rules target `PhantomCard `_, a malware family that communicates with C2 servers, reads the payment data of NFC cards, and captures the PINs of NFC cards through deceptive screens. Check `here `_ for the rule details.

With these rules, Quark is now able to identify the PhantomCard malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here ` for the APKs we tested.
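The second PhantomCard threat described below, reading the payment data stored in an NFC card (#00248, #00249), operates on what an EMV card returns to ISO 7816 commands sent over ``IsoDep``: BER-TLV encoded templates. The decoder below is an added illustration for this report, not Quark's code and not code from the PhantomCard sample. The two responses it decodes are constructed test vectors (a SELECT PPSE file control information block and one READ RECORD record), not data captured from a real card, and the tag meanings are the standard EMV ones. It shows which tags carry the PAN, expiry and cardholder name such malware harvests, and masks the PAN when reporting it.

```python
"""Decode the BER-TLV data an EMV payment card returns over NFC.

Added illustration for this report, not Quark's or PhantomCard's code: the
behaviours "Establish a connection to an NFC card" and "Read the payment
data stored in an NFC card" boil down to ISO 7816 APDUs sent over IsoDep,
whose responses are BER-TLV. These helpers decode such responses and show
which tags hold the card data a skimmer is after.
"""
from typing import Optional

# EMV tags used below (EMV Book 3, Annex A): 6F FCI template, 84 DF name,
# A5 FCI proprietary template, BF0C issuer discretionary data, 61 application
# template, 4F AID, 50 application label, 70 record template, 5A PAN,
# 57 track 2 equivalent data, 5F20 cardholder name, 5F24 expiration date.


def parse_tlv(data: bytes) -> list:
    """Parse one BER-TLV layer into [(tag, value, children)], recursing into
    constructed tags (bit 6 of the first tag byte set)."""
    items, pos = [], 0
    while pos < len(data):
        if data[pos] in (0x00, 0xFF):            # padding between objects
            pos += 1
            continue
        first, pos = data[pos], pos + 1
        tag = first
        if first & 0x1F == 0x1F:                 # multi-byte tag, e.g. BF0C, 5F24
            while True:
                tag, pos = (tag << 8) | data[pos], pos + 1
                if not data[pos - 1] & 0x80:
                    break
        length, pos = data[pos], pos + 1
        if length & 0x80:                        # long form: low bits = byte count
            n = length & 0x7F
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        value, pos = data[pos:pos + length], pos + length
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag:X}")
        children = parse_tlv(value) if first & 0x20 else []
        items.append((tag, value, children))
    return items


def find(items: list, wanted: int) -> Optional[bytes]:
    """Depth-first search for the first value carrying a tag."""
    for tag, value, children in items:
        if tag == wanted:
            return value
        hit = find(children, wanted)
        if hit is not None:
            return hit
    return None


def list_applications(ppse_response: bytes) -> list:
    """(AID, label) pairs advertised in a SELECT PPSE (2PAY.SYS.DDF01) reply."""
    apps = []

    def walk(items):
        for tag, _value, children in items:
            if tag == 0x61:                      # one Application Template per AID
                aid = find(children, 0x4F) or b""
                label = find(children, 0x50) or b""
                apps.append((aid.hex().upper(), label.decode("ascii")))
            walk(children)

    walk(parse_tlv(ppse_response))
    return apps


def card_data_summary(record_response: bytes) -> dict:
    """Extract what a skimmer wants from a READ RECORD reply, with the PAN masked."""
    tlv = parse_tlv(record_response)
    out = {}
    pan = find(tlv, 0x5A)
    if pan is not None:                          # BCD digits, 'F' padded
        digits = pan.hex().upper().rstrip("F")
        out["pan"] = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    track2 = find(tlv, 0x57)
    if track2 is not None:                       # PAN 'D' YYMM service-code discretionary
        pan_part, _, rest = track2.hex().upper().partition("D")
        out["track2_pan_last4"] = pan_part[-4:]
        out["expiry_yymm"] = rest[:4]
    expiry = find(tlv, 0x5F24)
    if expiry is not None:
        out["expiry_yymmdd"] = expiry.hex()
    name = find(tlv, 0x5F20)
    if name is not None:
        out["cardholder"] = name.decode("ascii").strip()
    return out


# Constructed responses (not captured from a real card):
# 1) SELECT PPSE FCI advertising a single application with a label.
PPSE_RESPONSE = bytes.fromhex(
    "6F29840E325041592E5359532E4444463031A517BF0C1461124F07A0000000031010500456495341870101"
)
# 2) READ RECORD reply carrying PAN, expiry, cardholder name and track 2 data.
RECORD_RESPONSE = bytes.fromhex(
    "702F5A0841111111111111115F24032512315F200A4A4F484E20444F45202057104111111111111111D25121010000000F"
)
```

Running ``list_applications(PPSE_RESPONSE)`` yields the advertised AID and label, and ``card_data_summary(RECORD_RESPONSE)`` yields the masked PAN, expiry and cardholder name. When a sample's NFC code is being reversed, the APDUs it builds (``00 A4 04 00`` SELECT, ``00 B2`` READ RECORD, ``80 A8`` GET PROCESSING OPTIONS) and the tags it then searches for are the quickest way to confirm that rule #00249 is flagging real card-data harvesting rather than an innocuous tag read.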
Below is a summary report of a PhantomCard sample (``5769ae3cc93943dda4d1743f2febf6cec1282a0a6289da68cb55bb4724ec9332``). The report shows that Quark identified the sample as **high-risk**, with a list of behaviors as evidence.

.. image:: https://i.postimg.cc/MTm5xxn2/Screenshot-2025-12-19-00-52-13.png
   :target: https://i.postimg.cc/MTm5xxn2/Screenshot-2025-12-19-00-52-13.png
   :alt: PhantomCard summary report

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats from PhantomCard, as shown below.

**1. Communicate with C2 servers**

.. image:: https://i.postimg.cc/6qqQcXDG/c2.png
   :target: https://i.postimg.cc/6qqQcXDG/c2.png
   :alt: C2 communication behavior map

The behavior map reveals that the ``Ls1/j;doInBackground`` function establishes a connection to an IP address, which could be a malicious C2 server.

Behaviors detected by Quark:

* Establish a connection to an IP address (#00247)

**2. Read the payment data of NFC cards**

.. image:: https://i.postimg.cc/9QFmVVxY/nfc.png
   :target: https://i.postimg.cc/9QFmVVxY/nfc.png
   :alt: NFC card reading behavior map

The behavior map reveals that the ``Lt1/c;b`` function establishes a connection to an NFC card and reads the payment data stored in it.

Behaviors detected by Quark:

* Establish a connection to an NFC card (#00248)
* Read the payment data stored in an NFC card (#00249)

**3. Capture PINs of NFC cards through deceptive screens**

.. image:: https://i.postimg.cc/xT2QtP2Y/ui.png
   :target: https://i.postimg.cc/xT2QtP2Y/ui.png
   :alt: Deceptive UI behavior map

The behavior map reveals that the ``Le/r;onReceive`` function creates a UI layout and listens for user clicks on a UI element. If the UI layout is deceptive, users could be tricked into entering their NFC card PINs, which the app can then harvest by listening for clicks on UI elements such as keypad buttons.
Behaviors detected by Quark:

* Create a UI layout from XML (#00250)
* Listen for user clicks on a UI element (#00251)

.. _list-of-tested-apks-phantomcard:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.

.. list-table::
   :header-rows: 1

   * - index
     - sha256
   * - 1
     - 0d5fd1997ecb76a167df753d5cce7688dfd0d813c028c9644025da352af77b7d
   * - 2
     - 21c66fe505f2bcd7b29d413189920b3a85df48da0ecf4eb6962d6a504a7fdcd8
   * - 3
     - 2922fcf373e2caf3588266cfafeaafbc74304c81d024315d279f0ea537adc1b6
   * - 4
     - 360966ad8752d040e9aaae5cb4a5913e6f85edcf56ecfeb8246729b45d0e6c78
   * - 5
     - 5769ae3cc93943dda4d1743f2febf6cec1282a0a6289da68cb55bb4724ec9332
   * - 6
     - a78ab0c38fc97406727e48f0eb5a803b1edb9da4a39e613f013b3c5b4736262f
   * - 7
     - ab2906d88e4f64ec0784ef8fdf132bb7ca9a914c037c3b731803f3adfd7a8f66
   * - 8
     - cb10953f39723427d697d06550fae2a330d7fff8fc42e034821e4a4c55f5a667
   * - 9
     - d3f863757e946d117ee7c7b50e480264a2ff1a08e7925bd2de3e6c43182868ed
   * - 10
     - e27579b92fcad2f4fe96db7b5e7a7cdc41754a7cd126fcaf598d3f8d8c21c0f5

New Quark Rules For ToxicPanda
==============================

New Quark rules (#00252 - #00262) are now available. These rules target `ToxicPanda `__, a malware family that steals financial data via deceptive overlays, remotely controls devices, intercepts one-time passwords, and stays active in the background. Check `here `__ for the rule details.

With these rules, Quark is now able to identify the ToxicPanda malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here ` for the APKs we tested.

Below is a summary report of a ToxicPanda sample (``12d94320a25c1496ae3c7d326e07d4d92d34381d7b821f58ef9f4e135612c6d8``). The report shows that Quark identified the sample as **high-risk**, with a list of behaviors as evidence.

.. image:: https://i.postimg.cc/8f4mkRpB/toxicpanda-summary-report.jpg

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 4 well-known threats from ToxicPanda, as shown below.

**1. Steal financial data via deceptive overlays**

.. image:: https://i.postimg.cc/RV6LJtJp/create-phising-overlay.png

The behavior map shows that the ``Lnp/຅;run`` function creates an overlay on top of other applications by gathering screen information and calling ``Lnp/ࢯ;̐``. To make the overlay deceptive, it displays a website within the overlay and allows that website to access internal methods, enabling the theft of financial data.

Behaviors detected by Quark:

* Get the status bar height (#00256)
* Get the navigation bar height (#00257)
* Create an overlay window on top of other applications (#00252)
* Allow website to access internal methods (#00258)
* Display URL content on a WebView (#00259)

**2. Remotely control the device**

.. image:: https://i.postimg.cc/K3fDcPGj/behavior-map.jpg

The behavior map shows that the ``Lnp/Ī;call`` function retrieves data from a URL and calls multiple functions (``Lnp/๧;̓``, ``Lnp/๧;̐``, ``Lnp/๧;̒``, ``Lnp/๧;̎``, ``Lnp/ࣼ;̔``, and ``Lnp/๧;̍``) to simulate user gestures. If the URL points to a remote server, threat actors can use this mechanism to remotely control the device.

Behaviors detected by Quark:

* Query a URI and append the result into a string (#00190)
* Simulate a touch gesture on the device screen (#00205)
* Simulate user gestures (#00240)
* Save gestures into a list (#00253)
* Dispatch gesture from a list (#00260)

**3. Intercept one-time passwords**

.. image:: https://i.postimg.cc/VkTqfkkV/interception-of-otp.png
   :target: https://i.postimg.cc/VkTqfkkV/interception-of-otp.png
   :alt: OTP interception behavior map

The behavior map shows that ``Lnp/ࣿ;onReceive`` reads incoming SMS messages.
This enables the malware to intercept SMS-based one-time passwords (OTPs) and bypass two-factor authentication on financial accounts.

Behaviors detected by Quark:

* Read SMS message from Intents (#00254)
* Read SMS message from PDU (#00261)

**4. Stay active in the background**

.. image:: https://i.postimg.cc/5N2L8CYd/ensure-self-active.png
   :target: https://i.postimg.cc/5N2L8CYd/ensure-self-active.png
   :alt: Persistence behavior map

The behavior map shows that ``Lnp/ࣿ;onReceive`` monitors device boot events and calls ``Lnp/ࣿ;̍`` to schedule a periodic job. If the job starts the malware, this mechanism allows the malware to stay active in the background after the device boots.

Behaviors detected by Quark:

* Monitor device boot completion (#00262)
* Schedule a periodic job (#00255)

.. _list-of-tested-apks-toxicpanda:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.

.. list-table::
   :header-rows: 1

   * - index
     - sha256
   * - 1
     - 12d94320a25c1496ae3c7d326e07d4d92d34381d7b821f58ef9f4e135612c6d8
   * - 2
     - 2bf76945694c257d9bb1533c70075fbabce2d8671b476b7478421389ed258980
   * - 3
     - 377f07b92d33e0ea9d7cfe3c288e19df2be8555154bdb1141b82a87d068a0cf7
   * - 4
     - 86fdfff09f03b0cde4cd0cde3ce0f75e37859925ef6fd89b372bbfada1ace572
   * - 5
     - 9d00052eb9a97a53a49c8e1a26138de835e2d354adef44a51ce8fb599d769fc1
   * - 6
     - d40e45359546cb801887a38d4adb397327ce4bf0a166192f5f72165471fff10d
   * - 7
     - fde931224d2e558e67ac8c9c0c1d0aac4f7562622a67870d6c3024bdeb851676

New Quark Rules For Hydra
=========================

A new Quark rule (#00263) is now available. This rule targets `Hydra `_, a banking trojan family that intercepts SMS messages to capture OTPs, performs overlay attacks to steal banking credentials, communicates with C2 servers for remote control, and collects device fingerprints for tracking. Check `here `_ for the rule details.

With this rule, Quark is now able to identify the Hydra malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision.
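ToxicPanda's third threat above and Hydra's first threat below both rely on reading SMS from PDU format (``SmsMessage.createFromPdu`` applied to the ``pdus`` extra of the ``SMS_RECEIVED`` broadcast). The decoder below is an added illustration for this report, not Quark's code and not code from either family; it implements the GSM 03.40 SMS-DELIVER layout that ``createFromPdu`` consumes, so an analyst can turn a PDU logged from such a receiver into sender, timestamp and text by hand. The PDU it decodes is the textbook "How are you?" vector, constructed for the example and not a message from any sample listed here.

```python
"""Decode a GSM 03.40 SMS-DELIVER PDU as SmsMessage.createFromPdu() would.

Added illustration for this report, not Quark's code: the rule "Read SMS
message from PDU" fires on android.telephony.SmsMessage.createFromPdu(), and
this is the byte layout that call consumes, so a PDU captured from such a
receiver can be decoded by hand.
"""
from dataclasses import dataclass

# GSM 7-bit default alphabet (3GPP TS 23.038), code points 0x00-0x7F in order.
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
assert len(GSM7_BASIC) == 128


@dataclass
class SmsDeliver:
    smsc: str           # service centre that relayed the message ("" if absent)
    sender: str         # TP-Originating-Address
    timestamp: str      # TP-SCTS as "YY-MM-DD HH:MM:SS" in the SMSC's local time
    tz_quarters: int    # SMSC time zone, quarter hours east of GMT
    text: str           # decoded TP-User-Data


def _bcd_digits(raw: bytes) -> str:
    """Expand semi-octet BCD (low nibble first); 0xF pads an odd digit count."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw).rstrip("F")


def _address(toa: int, raw: bytes) -> str:
    # Type-of-address 0x91 = international number, shown with a leading '+'.
    number = _bcd_digits(raw)
    return "+" + number if toa == 0x91 else number


def unpack_gsm7(data: bytes, septets: int) -> str:
    """Unpack 7-bit characters packed LSB-first into octets (TS 23.038 6.1.2.1.1)."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7_BASIC[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def parse_sms_deliver(pdu: bytes) -> SmsDeliver:
    pos = 0
    smsc_len, pos = pdu[pos], pos + 1          # SMSC field length in octets
    smsc = ""
    if smsc_len:                               # type-of-address byte, then BCD digits
        smsc = _address(pdu[pos], pdu[pos + 1:pos + smsc_len])
        pos += smsc_len
    first_octet, pos = pdu[pos], pos + 1
    if first_octet & 0x03 != 0:                # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits, pos = pdu[pos], pos + 1         # originating address length, in digits
    oa_toa, pos = pdu[pos], pos + 1
    oa_len = (oa_digits + 1) // 2
    sender = _address(oa_toa, pdu[pos:pos + oa_len])
    pos += oa_len
    pos += 1                                   # TP-PID, not needed here
    dcs, pos = pdu[pos], pos + 1               # TP-DCS selects the alphabet
    scts = _bcd_digits(pdu[pos:pos + 6])       # YY MM DD hh mm ss, swapped nibbles
    timestamp = "{}-{}-{} {}:{}:{}".format(*(scts[i:i + 2] for i in range(0, 12, 2)))
    tz_byte = pdu[pos + 6]                     # bit 3 = sign, remaining nibbles BCD
    tz_quarters = (tz_byte & 0x07) * 10 + (tz_byte >> 4)
    if tz_byte & 0x08:
        tz_quarters = -tz_quarters
    pos += 7
    udl, pos = pdu[pos], pos + 1
    ud = pdu[pos:]
    if dcs & 0xC0 == 0:                        # general data coding group
        coding = (dcs >> 2) & 0x03
    elif dcs & 0xF0 == 0xF0:                   # message-class group
        coding = (dcs >> 2) & 0x01
    else:
        coding = 0
    if coding == 0:                            # GSM 7-bit: UDL counts septets
        text = unpack_gsm7(ud, udl)
    elif coding == 2:                          # UCS-2: UDL counts octets
        text = ud[:udl].decode("utf-16-be")
    else:                                      # 8-bit data: keep the bytes as-is
        text = ud[:udl].decode("latin-1")
    return SmsDeliver(smsc, sender, timestamp, tz_quarters, text)


# Constructed test vector (the textbook "How are you?" PDU, not taken from any
# sample in this report): SMSC +31624000000, sender +31641600986.
SAMPLE_PDU = bytes.fromhex(
    "07911326040000F0040B911346610089F60000208062917314080CC8F71D14969741F977FD07"
)

if __name__ == "__main__":
    msg = parse_sms_deliver(SAMPLE_PDU)
    print(f"from {msg.sender} via {msg.smsc} at {msg.timestamp}: {msg.text!r}")
```

The 7-bit unpacking is the part worth understanding: septet *i* sits at bit offset 7*i* of the user data read as one little-endian integer, which is why a 12-character message fits in 11 octets. OTP messages from banks are often sent as UCS-2 (DCS 0x08), which the same function handles; a malware receiver that only decodes the 7-bit case would miss them, so which branch a sample implements is itself a useful clue when reversing its ``onReceive``.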
Please check :ref:`here ` for the APKs we tested.

Below is a summary report of a Hydra sample (``3154684c4192a1ae7a00f9f61d3024e2d25a85508c512094a771f878c3130848``). The report shows that Quark identified the sample as **high-risk**, with a list of behaviors as evidence.

.. image:: https://i.postimg.cc/nL9G8Ypg/jie-tu-2026-03-25-xia-wu6-05-19.png
   :alt: Summary report screenshot 1

.. image:: https://i.postimg.cc/sxSdQ6ZC/jie-tu-2026-03-25-xia-wu6-05-25.png
   :alt: Summary report screenshot 2

.. image:: https://i.postimg.cc/4xwC9hyF/jie-tu-2026-03-25-xia-wu6-05-41.png
   :alt: Summary report screenshot 3

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 6 well-known threats from Hydra, as shown below.

**1. Intercept SMS messages to capture OTPs and banking codes**

.. image:: https://i.postimg.cc/TYnyX5XK/jie-tu-2026-03-26-shang-wu11-44-46.png
   :alt: SMS interception behavior map

The behavior map shows that the ``Lcom/payu/custombrowser/PayUCBLifecycle$7;onReceive`` function reads SMS messages from PDU format, queries the phone number of the SMS sender, and retrieves data from the broadcast. This behavior is commonly used by banking trojans to intercept one-time passwords (OTPs) sent via SMS.

Behaviors detected by Quark:

* Read SMS message from PDU
* Query the phone number from SMS sender
* Retrieve data from broadcast

**2. Overlay attacks to deceive users into revealing sensitive information**

.. image:: https://i.postimg.cc/vm03MHVr/jie-tu-2026-03-26-zhong-wu12-00-49.png
   :alt: Overlay attack behavior map

The behavior map shows that the ``Lcom/mopub/mobileads/BaseWebView;clearWebViewDeadlock`` function retrieves the application context and adds a view to the window manager.
By adding a view through the WindowManager, the APK can display an overlay window on top of other applications, potentially mimicking a legitimate banking app to steal user credentials.

Behaviors detected by Quark:

* Retrieve the application context and add a view to the window manager

**3. Communicate with C2 servers for remote control**

.. image:: https://i.postimg.cc/rFTWn2dt/jie-tu-2026-03-26-zhong-wu12-03-55.png
   :alt: C2 communication behavior map

The behavior map shows that the ``Lcom/ufotosoft/ad/utils/CachedBitmapFactory;decodeBitmapHTTP`` function calls ``Lcom/ufotosoft/ad/utils/HttpUtil;decodeBitmapHttp``, which connects to a remote server through a given URL and reads the input stream. This pattern is commonly used for C2 communication, allowing attackers to send commands and receive stolen data. Note, though, that the method names describe an image download, so the contacted URL should be confirmed before treating this hit as C2 traffic.

Behaviors detected by Quark:

* Connect to the remote server through the given URL
* Read the input stream from given URL
* Connect to a URL and get the response code
* Connect to a URL and receive input stream from the server
* Connect to a URL and read data from it

**4. Collect device fingerprints for tracking**

.. image:: https://i.postimg.cc/CM9YSwC5/jie-tu-2026-03-26-zhong-wu12-12-39.png
   :alt: Device fingerprinting behavior map

The behavior map shows two functions collecting device identifiers. The ``Lcom/douban/amonsul/device/DeviceInfo;initPhoneInfo`` function queries the IMEI number, IMSI number, and the network operator name. The ``Lcom/alipay/sdk/util/a;`` class queries the IMEI number, IMSI number, and WiFi information including the MAC address. These identifiers can be used to uniquely identify and track infected devices.

Behaviors detected by Quark:

* Query the IMEI number
* Query the IMSI number
* Get the network operator name and IMSI
* Get the network operator name
* Get the current WIFI information
* Query WiFi information and WiFi Mac Address
* Get the current WiFi MAC address

**5. Detect foreground applications to trigger overlay attacks**

.. image:: https://i.postimg.cc/15xxbJPf/jie-tu-2026-03-26-zhong-wu12-13-56.png
   :alt: Foreground detection behavior map

The behavior map shows a transitive call chain: ``Lcom/igexin/push/extension/distribution/basic/a/a;a`` and ``Lcom/igexin/push/extension/distribution/basic/a/a;b`` both call an intermediate function that uses reflection and dynamic class loading, which in turn calls ``Lcom/igexin/push/extension/distribution/basic/j/c;b`` to check the list of currently running applications. This is a prerequisite behavior for overlay attacks: when a targeted banking app is detected in the foreground, the malware triggers the overlay to display a phishing screen.

Behaviors detected by Quark:

* Check the list of currently running applications
* Instantiate new object using reflection, possibly used for dexClassLoader
* Initialize class object dynamically
* Start a background service
* Send notification
* Method reflection

**6. Inject JavaScript into WebView for credential harvesting**

.. image:: https://i.postimg.cc/sxdnHHW0/jie-tu-2026-03-26-zhong-wu12-18-11.png
   :alt: WebView injection behavior map

The behavior map shows that the ``Lcom/payu/sdk/ProcessPaymentActivity;onCreate`` function allows a website to access internal methods and retrieves data from a broadcast. By injecting a JavaScript interface into a WebView, the malware can interact with web content displayed in the WebView, potentially modifying banking pages or extracting form data entered by users.

Behaviors detected by Quark:

* Allow website to access internal methods
* Retrieve data from broadcast

One caveat applies to all six threats: the flagged methods sit in packages of bundled third-party SDKs (``com.payu``, ``com.mopub``, ``com.ufotosoft``, ``com.douban``, ``com.alipay``, ``com.igexin``). The behaviors are real capabilities of the packaged APK, but before using any single one as an indicator an analyst should confirm which of them the trojan's own code actually invokes.

.. _list-of-tested-apks-hydra:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.

.. list-table::
   :header-rows: 1

   * - index
     - sha256
   * - 1
     - 2d0b157e27359bc36c31e3c3ef891964bc98b2cb66c4f95c2ffc4af7d3477e30
   * - 2
     - 3154684c4192a1ae7a00f9f61d3024e2d25a85508c512094a771f878c3130848
   * - 3
     - 49bca7195e05926210f7dffe4289f6b30372db9de7af72bc6a4802cb477e5729
   * - 4
     - 5c128cfee50059349b9b155c417e3950aaf292f4a9098e1b6748524e5fdfa6de
   * - 5
     - 6005f5569a6240c36f07de53438df1615ea6f000000fa5452d5a8870afe6336b
   * - 6
     - 74f3a191e941c68bbc7bf87515a12ae547e79eba4d9ffd5c2799a9c44b77dc2d
   * - 7
     - 91126eea4f088df8a38667eff9f0fd8b6d49a58b919e8cfd242612a44d702b40
   * - 8
     - a2c91743a0834cd1fb63c6965c581e1f5a57f1d2fcb226985423894ac814c93a
   * - 9
     - c08903e2be8737c3fbea2293c6a1a5242afe58e6e90a3da45724a1dae7c88a25
   * - 10
     - c2ef244e7a1980880aeb212672705e877851b9cc054e023015dd748c8e69ab38
   * - 11
     - d5a63c4ace387cff8d641ad9aeedf9e406684b0f3bdcfc79e97de80eef177bee
   * - 12
     - e51f32dbe18d52eafe2ac65f77f84450fd279fecd0278b0df95ce654017dddd2
   * - 13
     - e80cb43578f6a8b2ded95c8a2e86076f3661d60e2f18ebd1f094308e1d593c87
   * - 14
     - ea6058517e957895fbd3c26cac63013df3442ceea289123c7afd4bd0b24bea82
   * - 15
     - f6da0d9f1d74f2f80cd4d69183a78ccc1b3679689419262c9704787cea754726
   * - 16
     - faaf963fd84d0e7c86f8750115f5291f0692d0aca0f97e151cf4cc870a65d88e
   * - 17
     - fb34414b386d0d12c24d11bce56f087730afc3fbab1ee397182f5dd64183b53b
   * - 18
     - fe9cfc5046c583a7b28fa506cd33e636d27310b14240247625c693444a27336f

New Quark Rules For SharkBot
============================

New Quark rules (#00264 - #00265) are now available. These rules target `SharkBot `_, a sophisticated Android malware family primarily designed for financial fraud. SharkBot leverages techniques such as overlay attacks and credential theft to compromise user accounts. It has been observed targeting banking applications and employs various evasion techniques to avoid detection. Check `here `_ for detailed rule information.

With these rules, Quark is now able to identify the SharkBot malware family as high-risk.
In our experiment, Quark achieved **100% accuracy** and **100% precision**. Please check :ref:`here ` for the APKs we tested.

Below is a summary report of a SharkBot sample (``20E8688726E843E9119B33BE88EF642CB646F1163DCE4109B8B8A2C792B5F9FC``). The report shows that Quark identified the sample as **high-risk**, with a list of behaviors as evidence.

.. image:: https://i.postimg.cc/59TBHvtm/jie-tu-2026-04-01-wan-shang11-08-24.png

.. image:: https://i.postimg.cc/GpLG0xXg/jie-tu-2026-04-01-wan-shang11-08-40.png

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats from SharkBot, as shown below.

**1. Stealing User Credentials**

.. image:: https://i.postimg.cc/KjB5NrGd/stealing-user-credentials.png

The behavior map shows that the ``Lcom/guksydvbflaqtwqg2cfuvjwxai7b/ggxfimuhpqlyzg8d2evysfqo/MyServiceA;l`` function simulates user gestures and queries device data to steal user credentials, calling the ``Lcom/guksydvbflaqtwqg2cfuvjwxai7b/ggxfimuhpqlyzg8d2evysfqo/MyServiceA;k`` function to read and compile sensitive data into a JSON object.

Behaviors detected by Quark:

* Read sensitive data(SMS, CALLLOG) and put it into JSON object (#00010)
* Read sensitive data(SMS, CALLLOG, etc) (#00077)
* Query a URI and check the result (#00187)
* Simulate a touch gesture on the device screen (#00205)
* Query device data with ContentResolver (#00212)
* Query device data with ContentResolver and a URI parsed from a string (#00222)
* Simulate user gestures (#00240)

**2. Intercepting SMS Messages**

.. image:: https://i.postimg.cc/C5frkXrY/intercepting-sms-messages.png

The diagram indicates that the ``Lcom/guksydvbflaqtwqg2cfuvjwxai7b/ggxfimuhpqlyzg8d2evysfqo/MyServiceA;k`` function processes SMS-related data and stores it in a JSON object.
Behaviors detected by Quark:

* Read sensitive data(SMS, CALLLOG) and put it into JSON object (#00010)
* Read sensitive data(SMS, CALLLOG, etc) (#00077)

**3. Downloading Additional Payloads**

.. image:: https://i.postimg.cc/jSZ4ZjTM/downloading-additional-payloads.png

The behavior map shows that the ``Landroidx/lifecycle/ViewModelProvider$AndroidViewModelFactory;create`` function uses reflection to instantiate new objects, which may indicate preparation for dynamic code loading via DexClassLoader. Although no direct download evidence was identified, this pattern can be regarded as one possible indicator of additional payload delivery or loading. Note that this method is part of the AndroidX Lifecycle library, which uses reflection to construct ViewModels as a matter of course, so on its own it is a weak indicator.

Behaviors detected by Quark:

* Instantiate new object using reflection, possibly used for dexClassLoader (#00157)

.. _list-of-tested-apks-sharkbot:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.

+-------+------------------------------------------------------------------+
| index | sha256                                                           |
+=======+==================================================================+
| 1     | 20E8688726E843E9119B33BE88EF642CB646F1163DCE4109B8B8A2C792B5F9FC |
+-------+------------------------------------------------------------------+
| 2     | 4F1822817690D89943E7E57468AB4366E360772C0ADCE67BF74A7224B3732DEE |
+-------+------------------------------------------------------------------+
| 3     | 57F8A57320EEED2F5B5A316D67319191CE717CC51384318966B61F95722E275F |
+-------+------------------------------------------------------------------+
| 4     | 6AEFC2C4727CE80F03867F356DF462F1A1CE21C72801B877FDB95E67CD00D6A4 |
+-------+------------------------------------------------------------------+
| 5     | 7F55DDDCFAD05403F71580EC2E5ACAFDC8C9555E72F724EB1F9E37BF09B8CC0C |
+-------+------------------------------------------------------------------+
| 6     | 8F45831B1DF8FE44111E35B05271F6EC1796B03C104A67CD6481BF93F2AFFE86 |
+-------+------------------------------------------------------------------+
| 7     | DD0641F261D75864B164A7F963B45DC43C6C815AD01E5F51C29504C668E6D5EC |
+-------+------------------------------------------------------------------+
| 8     | E5B96E80935CA83BBE895F6239EABCA1337DC575A066BB6AE2B56FAACD29DDAA |
+-------+------------------------------------------------------------------+

New Quark Rules For Antidot
===========================

New Quark rules (#00266 - #00270) are now available. These rules target `Antidot `__, an Android malware family known for stealing sensitive information and executing a wide range of malicious activities on infected devices. Antidot primarily targets banking applications and leverages multiple evasion and persistence techniques to avoid detection. Check `here `__ for the rule details.

With these rules, Quark is now able to identify the Antidot malware family as high-risk. In our experiment, Quark achieved **100% accuracy** and **100% precision**. Please check :ref:`here ` for the APKs we tested.

Below is a summary report of an Antidot sample (``07DA124F1F4BA891E7917082BDFA74C580E78543164DF2FEC86E8B0C3AB0211E``). The report shows that Quark identified the sample as **high-risk**, with a list of behaviors as evidence.

.. image:: https://i.postimg.cc/W1qRFhpd/jie-tu-2026-04-11-xia-wu2-45-08.png

.. image:: https://i.postimg.cc/qv6fhzBW/jie-tu-2026-04-11-xia-wu2-45-57.png

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 4 well-known threats from Antidot, as shown below.

**1. Data Theft**

.. image:: https://files.catbox.moe/85uqku.png

The behavior map shows that the ``Lcom/luck/picture/lib/loader/LocalMediaPageLoader$1;doInBackground`` function queries device data using ContentResolver to read sensitive information such as SMS and call logs, and appends the results into a string for potential exfiltration. The method belongs to the bundled PictureSelector image-picker library, whose loader ordinarily queries the MediaStore, so the URI actually passed to the query is worth confirming before concluding that SMS or call-log content is read here.
Behaviors detected by Quark:

* Query device data with ContentResolver (#00218)
* Read sensitive data (SMS, CALLLOG, etc.) (#00077)
* Query a URI and check the result (#00187)
* Query device data with ContentResolver and obtain the number of results (#00215)
* Query a URI and append the result into a string (#00190)

**2. SMS Interception**

.. image:: https://files.catbox.moe/gumdy3.png

The diagram indicates that the ``Lcom/arsryg/auto/login/activity/ActivityShow2;uploadSms`` function retrieves the content and address of SMS messages by querying a URI, enabling interception of and unauthorized access to SMS data.

Behaviors detected by Quark:

* Get the content of a SMS message (#00189)
* Get the address of a SMS message (#00188)
* Query a URI and check the result (#00187)
* Query data from URI (SMS, CALLLOGS) (#00011)

**3. Keylogging**

.. image:: https://files.catbox.moe/upg9ja.png

The behavior map shows that the ``Lcom/blankj/utilcode/util/ClipboardUtils;getText`` function reads the primary clipboard content, allowing the malware to passively capture credentials and other sensitive text the user copies.

Behaviors detected by Quark:

* Read clipboard (#00266)

**4. Remote Control**

.. image:: https://files.catbox.moe/j8937k.png

The diagram shows that the ``Lcom/arsryg/auto/AccUtils;longClickScreen`` function builds and dispatches accessibility gestures to simulate user input, enabling the attacker to remotely drive the device as if they were sitting in front of it.

Behaviors detected by Quark:

* Simulate user gestures (#00240)
* Simulate a touch gesture on the device screen (#00205)
* Dispatch gesture (#00267)

.. _list-of-tested-apks-antidot:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.

New Quark Rules For Arsink
==========================

A new Quark rule (#00271) is now available. This rule targets Arsink. The Arsink malware family is Android malware that targets users through various malicious behaviors, including accessing sensitive device information, initiating phone calls, and extensive Accessibility Service abuse for UI automation. It is often disguised as a legitimate application to evade detection and gain unauthorized access to user data. See the quark-rules repository for the rule details.

With this rule, Quark is now able to identify the Arsink malware family as high-risk. In our experiment, Quark achieved **100% accuracy** and **100% precision**. Please check :ref:`here <list-of-tested-apks-arsink>` for the APKs we tested.

Below is a summary report of an Arsink sample (``48f19eef9d420137dee9974e3cc6af3ded9532bd631ace36f7d15eebec6a2dce``). The report shows that Quark identified the sample as **high-risk**, with a list of behaviors as evidence.

.. image:: https://i.ibb.co/Zpp07SLV/2026-04-18-12-16-34.png
   :alt: Quark summary report

.. image:: https://i.ibb.co/dwmPFMFw/2026-04-18-12-16-43.png
   :alt: Quark summary report

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats associated with Arsink, as shown below.

**1. Accessing Sensitive Information**

.. image:: https://i.ibb.co/WNVRk54Q/2026-04-17-12-13-12.png
   :alt: Accessing Device Information

The diagram indicates that the ``LSay/hello/To/Arthur/FileUtil;convertUriToFilePath`` function works together with ``LSay/hello/To/Arthur/FileUtil;getDataColumn`` to access sensitive information, e.g., image, video, audio, and download file paths, through the content resolver.

**Behaviors detected by Quark:**

* Query data from URI (SMS, CALLLOGS) (#00011)
* Read sensitive data (SMS, CALLLOG, etc.) (#00077)
* Query device data with ContentResolver (#00212)
* Query device data with ContentResolver and a URI parsed from a string (#00222)
* Accessing sensitive data from content provider (#00271)
* Check if the device is in data roaming mode (#00086)

**2. Initiate Phone Calls**

.. image:: https://i.ibb.co/gLjrwzVN/phone-call-capability.png
   :alt: Phone Call Capability

The diagram shows that the ``Lnet/cloud/analyzer/screen/b;c`` function uses implicit intents via setData to initiate actions such as making phone calls. This capability enables the malware to trigger phone call operations on the infected device.

**Behaviors detected by Quark:**

* Implicit intent (view a web page, make a phone call, etc.) via setData (#00051)

**3. Accessibility-Based UI Control**

.. image:: https://i.ibb.co/5xC9BGnn/remote-control-rat.png
   :alt: Accessibility-Based UI Control

The behavior map shows that the ``Ld/g;i`` function orchestrates UI automation by calling multiple helper functions (``Ld/g;x``, ``Ld/g;p``, ``Ld/g;y``) that leverage accessibility services to interact with UI elements. These functions get root windows, find nodes by View ID and text, retrieve screen bounds, and execute actions on accessibility nodes, enabling comprehensive UI automation.

**Behaviors detected by Quark:**

* Use accessibility service to perform action getting node info by text (#00159)
* Use accessibility service to perform action getting node info by View Id (#00160)
* Perform accessibility service action on accessibility node info (#00161)
* Use accessibility service to perform action getting root in active window (#00167)
* Use accessibility service to perform global action getting node info by View Id (#00169)
* Get bounds in screen of an AccessibilityNodeInfo and perform action (#00173)

.. _list-of-tested-apks-arsink:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.

New Quark Rules For TrickMo
===========================

A new Quark rule (#00272) is now available. This rule targets TrickMo. See the quark-rules repository for the rule details.
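A Quark rule pairs two Android API calls, and a behavior such as the numbered rule hits in this report is confirmed when a sample invokes both APIs from one method. The following is an added illustration written for this page, not quark-engine's code: the rules, their API pairs, and the call table of the hypothetical sample are all constructed here and do not reproduce the quark-rules definition of any numbered rule.

```python
"""Simplified Quark-style rule matching over a sample's API call table.

Added illustration for this report; not quark-engine's implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# An Android API is identified by (class descriptor, method name) in Dalvik notation.
Api = Tuple[str, str]


@dataclass(frozen=True)
class Rule:
    """One behavior rule: two APIs that together describe a behavior."""
    crime: str
    api: Tuple[Api, Api]
    labels: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Hit:
    """A rule matched inside one caller method."""
    crime: str
    caller: str
    # "sequence": first API invoked before the second;
    # "combination": both present in the caller, but in the other order.
    confidence: str


# Constructed rules that mirror the kind of behaviors listed in this report.
# The API pairs are illustrative choices, not the quark-rules definitions.
RULES: Tuple[Rule, ...] = (
    Rule("Query device data with ContentResolver and check the result",
         (("Landroid/content/ContentResolver;", "query"),
          ("Landroid/database/Cursor;", "moveToFirst")),
         ("collection",)),
    Rule("Connect to a URL and get the response code",
         (("Ljava/net/URL;", "openConnection"),
          ("Ljava/net/HttpURLConnection;", "getResponseCode")),
         ("network",)),
    Rule("Instantiate new object using reflection",
         (("Ljava/lang/Class;", "forName"),
          ("Ljava/lang/reflect/Constructor;", "newInstance")),
         ("evasion",)),
)

# Constructed call table for a hypothetical sample: caller method -> the Android
# APIs it invokes, in bytecode order. A disassembler produces this from an APK.
SAMPLE_CALLS: Dict[str, List[Api]] = {
    "Lcom/example/svc/Collector;uploadSms": [
        ("Landroid/net/Uri;", "parse"),
        ("Landroid/content/ContentResolver;", "query"),
        ("Landroid/database/Cursor;", "moveToFirst"),
        ("Lorg/json/JSONObject;", "put"),
    ],
    "Lcom/example/svc/Net;post": [
        # Both APIs of the network rule appear, but not in the rule's order.
        ("Ljava/net/HttpURLConnection;", "getResponseCode"),
        ("Ljava/net/URL;", "openConnection"),
    ],
    "Lcom/example/ui/Main;onCreate": [
        # Only one half of the reflection rule: not enough for a hit.
        ("Ljava/lang/Class;", "forName"),
        ("Landroid/widget/Toast;", "makeText"),
    ],
}


def match_rules(calls_by_method: Dict[str, List[Api]],
                rules: Tuple[Rule, ...] = RULES) -> List[Hit]:
    """Return a Hit for every (caller, rule) where the caller invokes both of
    the rule's APIs; a single API on its own never produces a hit."""
    hits: List[Hit] = []
    for caller, calls in calls_by_method.items():
        for rule in rules:
            first, second = rule.api
            if first not in calls or second not in calls:
                continue
            in_order = calls.index(first) < calls.index(second)
            hits.append(Hit(rule.crime, caller,
                            "sequence" if in_order else "combination"))
    return hits


def behavior_map(hits: List[Hit],
                 rules: Tuple[Rule, ...] = RULES) -> Dict[str, List[str]]:
    """Group matched crimes under their labels, the way the report groups
    related rule hits into well-known threats."""
    labels_by_crime = {rule.crime: rule.labels for rule in rules}
    groups: Dict[str, List[str]] = {}
    for hit in hits:
        for label in labels_by_crime[hit.crime]:
            groups.setdefault(label, []).append(hit.crime)
    return groups


if __name__ == "__main__":
    found = match_rules(SAMPLE_CALLS)
    for hit in found:
        print(f"{hit.confidence:<11} {hit.crime}  <- {hit.caller}")
    print(behavior_map(found))
```

Running the block on the constructed sample reports the ContentResolver rule as a "sequence" hit and the network rule only as a "combination" hit, while the lone ``Class.forName`` call in ``onCreate`` produces nothing.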
TrickMo is an Android banking trojan that evolved from the TrickBot ecosystem. It primarily intercepts SMS messages for 2FA bypass, and employs accessibility service abuse for screen recording and credential theft. The malware uses sophisticated evasion techniques and has been identified since 2019. With these rules, Quark is now able to identify the TrickMo malware family as high-risk. In our experiment, Quark achieved **100% accuracy** and **100% precision** across 29 tested APKs. See :ref:`here ` for the list. Below is a summary report of a TrickMo sample (``4284e6bbc2fc274d8b0a1f37f91408efc0404e4cae0ba28abc4d583bc59af6bd``). The report shows that Quark identified the sample as **high-risk**, with a list of behaviors as evidence. .. image:: https://i.ibb.co/QFBjc4Nh/2026-04-25-9-51-55.png :alt: Quark summary report .. image:: https://i.ibb.co/qLWx2vsH/2026-04-25-9-52-43.png :alt: Quark summary report Identified Well-Known Threats ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 6 well-known threats from TrickMo, as shown below. **1. SMS Interception for 2FA Bypass** .. image:: https://i.ibb.co/wZGdtwjW/sms-interception-for-2fa-bypass.png :alt: SMS Interception for 2FA Bypass The ``Lcom/cmaster/cloner/oO0o0ooo;OooO0o0`` function queries sensitive data, e.g., SMS and call logs via content provider. In a banking-trojan context, this behavior is consistent with silently reading incoming SMS messages to intercept one-time passwords (OTPs), defeating SMS-based 2FA. **Behaviors detected by Quark:** * Read sensitive data (SMS, CALLLOG, etc.) (#00077) **2. Screen Recording and Screenshot Capture** .. 
image:: https://i.ibb.co/8LWRGmxv/screen-recording-and-screenshot-capture.png :alt: Screen Recording and Screenshot Capture The ``Lcom/cmaster/cloner/oOO00ooO;OooOO0O`` function allocates a canvas around a bitmap and renders a target view's contents into that off-screen bitmap. This pattern lets the malware silently capture the rendered UI it can reach — including banking-app screens displaying account numbers, balances, or OTPs — without triggering Android's MediaProjection consent dialog. **Behaviors detected by Quark:** * Allocate canvas (#00268) * Capture view (#00270) **3. Persistent Background Service** .. image:: https://i.ibb.co/Q3mz75jb/accessibility-service-abuse.png :alt: Persistent Background Service The ``Lcom/amazon/device/iap/internal/c/e;a`` function starts a background service. A persistent background service keeps the malware active beyond the app's foreground lifetime, enabling the continuous device surveillance commonly associated with TrickMo's accessibility-service abuse. **Behaviors detected by Quark:** * Start a background service (#00225) **4. Device Information Exfiltration** .. image:: https://i.ibb.co/d0qVZGDw/device-information-exfiltration.png :alt: Device Information Exfiltration The ``Lcom/inmobi/media/tk;a`` function, together with 4 callee functions, collects GPS coordinates, network operator identity, ISO country code, network connectivity state, and calendar data. This breadth of collection produces a comprehensive device snapshot consistent with the reconnaissance stage of a banking trojan attack. 
**Behaviors detected by Quark:** * Get location of the device and append this info to a string (#00017) * Query the network operator name (#00060) * Get the ISO country code and put it into JSON (#00085) * Check the current network type (#00087) * Check the network capabilities (#00100) * Get location and put it into JSON (#00113) * Get last known location of the device (#00115) * Check the current active network type (#00124) * Query the ISO country code (#00132) * Get calendar information (#00142) * Get the time of current location (#00147) * Compare network operator with a string (#00171) **5. Reflection-Based API Obfuscation** .. image:: https://i.ibb.co/tPJbmJKb/dynamic-payload-loading.png :alt: Reflection-Based API Obfuscation The ``Lnet/dress/absorb/Tdomaintuna;onCreate`` function dynamically resolves method calls and field accesses at runtime via Java reflection. Together, these behaviors hide the complete set of Android APIs and data fields the malware accesses from static analysis — a known evasion technique in TrickMo. **Behaviors detected by Quark:** * Method reflection (#00026) * Resolve field via reflection (#00272) .. _list-of-tested-apks-trickmo: List of Tested APKs ~~~~~~~~~~~~~~~~~~~ The table below lists the APKs we tested. 
+-------+------------------------------------------------------------------+ | index | sha256 | +=======+==================================================================+ | 1 | 04CB1225B4A5A0C256234A9B027408994C45911041766FE0B7E691C44A29389D | +-------+------------------------------------------------------------------+ | 2 | 0E69F3D10BA88974C47A9CE83A095A29E9AC3DE66B0441DB60624FBE0772F6C3 | +-------+------------------------------------------------------------------+ | 3 | 11AF0DA9A7C5F65BB098ED52973E814B12EBA492FB3615A5FADA5D4CC390928D | +-------+------------------------------------------------------------------+ | 4 | 17FC5D1C8BD8B10471131282E42EC289BB1E1EE107CA676F369BB42FC3643AF3 | +-------+------------------------------------------------------------------+ | 5 | 1E386AFECBBF96D119876DC5FD54382FEB0FAE878A416321E4ED3A897E763F4F | +-------+------------------------------------------------------------------+ | 6 | 2CDFB07D6CAD4B2DCBBDB2713A99AE70DCDD2C049D2E3B356DE4609A905E500A | +-------+------------------------------------------------------------------+ | 7 | 2E6C7354F7B4DCE59752054929731C5055DF15301ED094820BDBBCD5C0CFA12E | +-------+------------------------------------------------------------------+ | 8 | 3FB75B18F25919C3FC2E2D60905214C432CAF182D3A600F2CA68E3B1BBCF3575 | +-------+------------------------------------------------------------------+ | 9 | 4284E6BBC2FC274D8B0A1F37F91408EFC0404E4CAE0BA28ABC4D583BC59AF6BD | +-------+------------------------------------------------------------------+ | 10 | 4FCCE7C445D89D7DE943EC0E0C2FC285D4B25A67950AD7D6BCB50DBCBC4AC29B | +-------+------------------------------------------------------------------+ | 11 | 5489C3F1F561E1F7FA68F7A6041FBA8AED8F682095E1F50B07B4B91AC284E9BD | +-------+------------------------------------------------------------------+ | 12 | 57940C5EEE8641E02F49D1122528665A0DDFBF5B6B0D4B910B5287E15542591D | +-------+------------------------------------------------------------------+ | 13 | 
5885804AC3FBD9A06595B9314B77898747B2F9B8A7624F72D402F5D5C5BAAC68 | +-------+------------------------------------------------------------------+ | 14 | 6EB525100F54B9A830CD2D0F1169B053EDB55332B2BE73DD29A8B165B9CCDBF5 | +-------+------------------------------------------------------------------+ | 15 | 6F58B07B5DDABC29C9C7E7165349EDBD2BEE923446514044D67040DE2F36664A | +-------+------------------------------------------------------------------+ | 16 | 7593B0F4BC4C52CB359196F35868636B319641B01C8DB9F662076285739A0505 | +-------+------------------------------------------------------------------+ | 17 | 7B1FA1AC136469CA0CF8E0B80830876185E9858A168098A093AAF43319FC60A7 | +-------+------------------------------------------------------------------+ | 18 | 963A61A8ECA4378566CE39113DDBCB08EE961EF54C274068E62EFC9201FAD1CC | +-------+------------------------------------------------------------------+ | 19 | 9A5182C4F9B3061D30652264096D225CE16CB5C962E1C67ED153E3986D9E05C8 | +-------+------------------------------------------------------------------+ | 20 | A7FD4A7AD1B5F67F588CFCDC7BB092D1C8AED71FFC9402F618F4562C3DADF8E1 | +-------+------------------------------------------------------------------+ | 21 | ABA8466F8162846C8ADC7BE242BB78A346775804DE2C14A978D69649B0639C6D | +-------+------------------------------------------------------------------+ | 22 | AC21DDC972B50C66A9876F1A470F0A29F4DF58C1557B8FA0BA649FC0B255DD37 | +-------+------------------------------------------------------------------+ | 23 | B1A8A189A95DFE33683141BA24F022357B2E60E5A811F5559B3119FE67C17BDC | +-------+------------------------------------------------------------------+ | 24 | B80C00BC987EA9ACACEC57EEAF299421DA8E083F611084816BF0C015C7088DED | +-------+------------------------------------------------------------------+ | 25 | B9F0D4A2EA3FD0B0E2A7F3EF024E056AB58F51DD21960DD671DD42ABF81A7B21 | +-------+------------------------------------------------------------------+ | 26 | 
C00419B21D10A236B47B43BB1EED3DBC5298E471CF9616848A84DA5BAAE8E611 | +-------+------------------------------------------------------------------+ | 27 | CEEA4208D55B4DE89279633183DAE164E57AA03D729ADE7D39A75C7D1E583078 | +-------+------------------------------------------------------------------+ | 28 | CFA37C111D5D86AA348A8411C39FE1C54034C437A5C15777A42638C6A9D03EB0 | +-------+------------------------------------------------------------------+ | 29 | D0D4EF735A8BF076D81A6F3651D6BCFD8C69285049ADD2E6B6BEE1276A99C37C | +-------+------------------------------------------------------------------+ New Quark Rules For anubis ========================== New Quark rule (#00273) is now available. This rule targets `anubis `__. Anubis is a sophisticated Android banking trojan that emerged around 2017, targeting financial institutions worldwide. It features overlay attacks to steal banking credentials, keylogging, screen recording, SMS interception, and ransomware capabilities. The malware is distributed through malicious apps on Google Play and phishing campaigns. In the representative sample, Quark observed the following behaviors at the API level: use accessibility service to query UI elements, read SMS messages, audio recording via microphone, make outbound phone calls programmatically, read and decode file contents, and HTTP communication with remote server. Check `here `__ for the rule details. With these rules, Quark is now able to identify the anubis malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here ` for the APKs we tested. Below is a summary report of a TrickMo sample (``13f00206aaed4612ce4655152b972aeb2787ca4133aeacc8c9acd8c4d38ea3f79.apk``). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence. .. image:: https://i.ibb.co/fY1rgqGx/2026-05-02-10-08-44.png .. 
image:: https://i.ibb.co/9dqZgcr/2026-05-02-10-09-00.png Identified Well-Known Threats ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. The 6 behaviours below were observed in the representative sample at the API level. **1. Use Accessibility Service to Query UI Elements** .. image:: https://i.ibb.co/Ps2WgNZt/accessibility-service-abuse-for-automated-actions.png `onAccessibilityEvent` uses the accessibility service to retrieve node information by matching text content. Together, these calls enable programmatic inspection of UI elements displayed in other applications. Behaviors detected by Quark: * Use accessibility service to perform action getting node info by text (#00159) **2. Read SMS Messages** .. image:: https://i.ibb.co/ZR7grZKW/sms-interception-and-forwarding-for-2fa-bypass.png `DelIndox` queries SMS data from the content provider URI and reads message contents. Combined, these APIs allow the service to access and extract stored SMS messages from the device. Behaviors detected by Quark: * Query data from URI (SMS, CALLLOGS) (#00011) * Read sensitive data(SMS, CALLLOG, etc) (#00077) **3. Audio Recording via Microphone** .. image:: https://i.ibb.co/fG1wy5SW/screen-recording-and-screenshot-capture.png `recordAudio` configures the audio source, encoder, file format, and output path, then initializes and starts the recorder. Together, these calls capture live audio from the device microphone and save it to a file. Behaviors detected by Quark: * Set the audio source (MIC) and recorded file format (#00194) * Set the recorded file format and output path (#00196) * Set the audio encoder and initialize the recorder (#00197) * Initialize the recorder and start recording (#00198) **4. Make Outbound Phone Calls Programmatically** .. 
image:: https://i.ibb.co/sp6CdZR1/contact-harvesting-and-call-forwarding.png `onCreate` constructs an implicit intent with a phone number and initiates a call action. Combined, these APIs trigger an outbound phone call without user interaction. Behaviors detected by Quark: * Implicit intent(view a web page, make a phone call, etc.) via setData (#00051) * Make a phone call (#00202) * Put a phone number into an intent (#00203) **5. Read and Decode File Contents** .. image:: https://i.ibb.co/0y3XDXmn/ransomware-functionality-with-file-encryption.png `readCommand` calls `getIDwindowsBot` to open and read a file from its absolute path, then decodes the Base64-encoded content and writes it. Together, these calls retrieve encoded file data and persist the decoded output. Behaviors detected by Quark: * Get absolute path of the file and store in string (#00020) * Open a file from given absolute path of the file (#00022) * Write file after Base64 decoding (#00024) **6. HTTP Communication with Remote Server** .. image:: https://i.ibb.co/60dbjds5/dynamic-c2-communication-via-social-media-profiles.png `doInBackground` establishes URL connections, sends POST requests, and reads response streams and status codes. Combined, these APIs enable bidirectional HTTP communication with a remote server. Behaviors detected by Quark: * Connect to the remote server through the given URL (#00030) * Connect to a URL and receive input stream from the server (#00089) * Connect to a URL and read data from it (#00094) * Connect to a URL and set request method (#00096) * Read the input stream from given URL (#00108) * Connect to a URL and get the response code (#00109) * Send HTTP POST request and receive response (#00273) .. _list-of-tested-apks-anubis: List of Tested APKs ~~~~~~~~~~~~~~~~~~~ The table below lists the APKs we tested. 
+-------+------------------------------------------------------------------+
| index | sha256                                                           |
+=======+==================================================================+
| 1     | 30B0B3B0D4733F3B94517AB4E407214E82ABF6AAD3ADF918717FF842E28D672F |
+-------+------------------------------------------------------------------+
| 2     | 3F00206AAED4612CE4655152B972AEB2787CA4133AEACC8C9ACD8C4D38EA3F79 |
+-------+------------------------------------------------------------------+
| 3     | 63263048A73FD8B6E37431688A331A2A88E8FC86848BFB4BA09751F2E7AB8F5C |
+-------+------------------------------------------------------------------+
| 4     | 7138689203DC5A2FE9CFCB84C39885E4B53EEC9A72F37E36DDEE61490F8217CA |
+-------+------------------------------------------------------------------+
| 5     | 7CE3D3AA76710A4D70D7DBA0379FDE70724F923E582381AF4AE32365A9B9B516 |
+-------+------------------------------------------------------------------+
| 6     | 9B2AF95F9F69CE03DB5C03B13F4F9F69051BB490C968A1C7CA6A9B80D20FDF94 |
+-------+------------------------------------------------------------------+
| 7     | 9FC2E5D32B4A4E2886CD835A9DDDD6A2C94C85BF175700A0655A70D422E2DEB8 |
+-------+------------------------------------------------------------------+
| 8     | AD2053BC0CF1CC54C5A0F7E6DE4653B8012BA349219AC56B27E26E6CF2B96077 |
+-------+------------------------------------------------------------------+
| 9     | C7411C0DAFF520468C3ACCFF4318076A66034B2D14CBAE08A5D3ECEC2C6CE9ED |
+-------+------------------------------------------------------------------+
| 10    | D0E684DEDD320A8B1838DAB6C94E97384058FB18B831CEB3F479AEA849D83811 |
+-------+------------------------------------------------------------------+
| 11    | D7511298F5F6C7205EB753ECD7A4E0070E9F4E353F8E6C94EF3339B4A1886B73 |
+-------+------------------------------------------------------------------+
| 12    | E0D3EE34E12845AD99E8E23FD0CFBED54C7640EABEA957337DEC0176D152F837 |
+-------+------------------------------------------------------------------+
| 13    | F57308A3D0A09D0DA95D9055EC76E3DCED8292B47FCD41FEF237EBF7C1AD5F03 |
+-------+------------------------------------------------------------------+

New Quark Rule For GodFather
============================

New Quark rule (#00274) is now available. This rule targets `GodFather `__. Check `here `__ for the rule details.

With this rule, Quark is now able to identify the GodFather malware family as high-risk. In our experiment, Quark achieved **100% accuracy** and **100% precision**. Please check :ref:`here <list-of-tested-apks-godfather>` for the APKs we tested.

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This section uses MITRE ATT&CK Mobile as its reference taxonomy. The table below lists every technique documented for GodFather (per software entry `S1231 GodFather <https://attack.mitre.org/software/S1231/>`__) alongside how each manifests in real-world campaigns, all of which the current Quark rule set can detect statically from APK bytecode.

.. list-table::
   :header-rows: 1
   :widths: 30 70

   * - MITRE Technique
     - Real-world manifestation
   * - T1418 Software Discovery
     - Enumerating installed banking and cryptocurrency apps to select overlay targets
   * - T1417 Input Capture
     - Harvesting credentials and payment card data via accessibility service keylogging
   * - T1516 Input Injection
     - Automating fraudulent transactions by simulating taps and gestures through accessibility APIs
   * - T1582 SMS Control
     - Intercepting SMS-based two-factor authentication codes to bypass account protections
   * - T1616 Call Control
     - Blocking or redirecting incoming calls from banks to evade fraud alerts
   * - T1624 Event Triggered Execution
     - Launching overlay attacks when targeted banking applications are opened by user
   * - T1629 Impair Defenses
     - Disabling Google Play Protect and preventing uninstallation via device administrator privileges

All behavior maps below were rendered from sample ``0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8.apk`` (index 1 in the table of tested APKs), chosen as the representative sample whose detected behaviors most fully cover the documented profile of GodFather. The other 11 family samples were used to compute the accuracy and precision figures above.

Each section below corresponds to one technique from the table above (T1516 Input Injection shares its rule with T1417 and is covered there). Within each section we first quote the MITRE definition, then show the Quark behavior map extracted from the representative sample's bytecode, then walk through the call sequence and list the underlying rules.

**1. T1418 Software Discovery**

`T1418 Software Discovery — attack.mitre.org <https://attack.mitre.org/techniques/T1418/>`__

**MITRE definition (T1418):** Adversaries may attempt to get a listing of applications that are installed on a device.

.. image:: https://i.ibb.co/FLfL0LQY/t1418-software-discovery.png

``number_task`` calls ``getApps`` to enumerate installed applications and store the list in shared preferences. Together, these calls let the malware discover and persist a complete inventory of the software present on the device. On Android 11 and later a full package listing additionally requires ``QUERY_ALL_PACKAGES`` or a ``<queries>`` declaration in the manifest, which is worth checking alongside this map.

Behaviors detected by Quark:

* Get installed applications and put the list in shared preferences (#00170)
* Enumerate installed applications (#00264)

**2. T1417 Input Capture**

`T1417 Input Capture — attack.mitre.org <https://attack.mitre.org/techniques/T1417/>`__

**MITRE definition (T1417):** Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes.

.. image:: https://i.ibb.co/Vcmh833x/t1417-input-capture.png

``onAccessibilityEvent`` calls two helpers to query UI nodes by ID and text, check view content, and perform actions on accessibility node info. Together, these calls enable automated inspection of, and interaction with, UI elements in the active window.
Behaviors detected by Quark:

* Use accessibility service to perform action getting node info by text (#00159)
* Use accessibility service to perform action getting node info by View Id (#00160)
* Perform accessibility service action on accessibility node info (#00161)
* Use accessibility service to perform action getting root in active window (#00167)
* Check if the text of the view contains the given string (#00206)
* Check if the resource name of the view contains the given string (#00207)

The table's T1516 Input Injection entry rests on the same primitive, performing an action on an accessibility node (#00161), and has no separate section below.

**3. T1582 SMS Control**

`T1582 SMS Control — attack.mitre.org <https://attack.mitre.org/techniques/T1582/>`__

**MITRE definition (T1582):** Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects. This can be accomplished by requesting the ``RECEIVE_SMS`` or ``SEND_SMS`` permissions depending on what the malware is attempting to do.

.. image:: https://i.ibb.co/ZpvV0M9d/t1582-sms-control.png

``onReceive`` calls ``SMRC`` to monitor incoming SMS messages and extract sender phone numbers and message content. Together, these calls enable the receiver to intercept and inspect SMS data as it arrives on the device.

Behaviors detected by Quark:

* Monitor the general action to be performed (#00025)
* Query the phone number from SMS sender (#00049)
* Check if the content of SMS contains given string (#00118)
* Monitor incoming SMS message (#00234)

**4. T1616 Call Control**

`T1616 Call Control — attack.mitre.org <https://attack.mitre.org/techniques/T1616/>`__

**MITRE definition (T1616):** Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.

.. image:: https://i.ibb.co/dwXRxbFg/t1616-call-control.png

``onCreate`` constructs an implicit intent with a phone number and initiates a phone call via ``setData``. Combined, these APIs enable the activity to programmatically place outbound calls without user interaction. This is the outbound-dialing side of T1616; the blocking or redirection of incoming calls listed in the table above is not evidenced by this map.

Behaviors detected by Quark:

* Implicit intent(view a web page, make a phone call, etc.) via setData (#00051)
* Make a phone call (#00202)
* Put a phone number into an intent (#00203)

**5. T1624 Event Triggered Execution**

`T1624 Event Triggered Execution — attack.mitre.org <https://attack.mitre.org/techniques/T1624/>`__

**MITRE definition (T1624):** Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities.

.. image:: https://i.ibb.co/5hcSxDhz/t1624-event-triggered-execution.png

The behavior map above shows GodFather subscribing to the incoming-SMS broadcast. Android's ``SMS_RECEIVED`` is one of the canonical "specific events" called out in the MITRE definition, and the malware uses it as a trigger for persistent execution. ``onReceive`` monitors the general action performed and incoming SMS messages, enabling the receiver to detect and respond to SMS arrival events in real time. The two rules here are a subset of those in the T1582 section: the same receiver supplies both the trigger and the SMS interception.

Behaviors detected by Quark:

* Monitor the general action to be performed (#00025)
* Monitor incoming SMS message (#00234)

**6. T1629 Impair Defenses**

`T1629 Impair Defenses — attack.mitre.org <https://attack.mitre.org/techniques/T1629/>`__

**MITRE definition (T1629):** Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior.

.. image:: https://i.ibb.co/mCQTFWZb/t1629-impair-defenses.png

The behavior map above shows GodFather deleting SMS and call-log entries via content URIs, a concrete instance of impairing the user's ability to audit communication activity (matching the MITRE definition's phrase "detection capabilities that defenders can use to audit activity").

``DelSent`` deletes media specified by content URIs, including SMS and call logs, erasing traces of communication activity. Since Android 4.4 only the default SMS app can write to the SMS provider, so for this deletion to succeed the malware must first have become the device's default messaging app, which is worth confirming separately.

Behaviors detected by Quark:

* Deletes media specified by a content URI(SMS, CALL_LOG, File, etc.) (#00052)

.. _list-of-tested-apks-godfather:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.

+-------+------------------------------------------------------------------+
| index | sha256                                                           |
+=======+==================================================================+
| 1     | 0B72C22517FDEFD4CF0466D8D4C634CA73B7667D378BE688EFE131AF4AC3AED8 |
+-------+------------------------------------------------------------------+
| 2     | 138551CD967622832F8A816EA1697A5D08EE66C379D32D8A6BD7FCA9FDEAECC4 |
+-------+------------------------------------------------------------------+
| 3     | 20116083565A50F6B2DB59011E9994E9A9F5DB5994703D53233B8B202A5AD2F3 |
+-------+------------------------------------------------------------------+
| 4     | 3BBEF6F36E2E673DF2620A01463F9B598D0F70C76F450601EC29873D8EBA5B7A |
+-------+------------------------------------------------------------------+
| 5     | 3D4F63FC88EC8A4DFC9A5C3FEE1A59DED40BBB2F4F04ED937C135B144E8A166D |
+-------+------------------------------------------------------------------+
| 6     | 58D335B2FD86126AB18CFBECD117C7700D154A2473CC1BDD507C0F57FA7052E3 |
+-------+------------------------------------------------------------------+
| 7     | 6E0D01C4C547D235C247A6D0719F2ACA2D4996AE78DF4B671275914A9E3FD2D3 |
+-------+------------------------------------------------------------------+
| 8     | 75CC07A1AF57D9D2A9A06840A25D1B9B368B1DDD57D98BAC9A5A5F2F4D0D931D |
+-------+------------------------------------------------------------------+
| 9     | 9DFB5B4AD9AAC36C2D7FBB93F8668FAA819CB0DF16F4A55D00F1CDDA89C9A6D2 |
+-------+------------------------------------------------------------------+
| 10    | A14AAD1265EB307FBE71A3A5F6E688408CE153FF19838B3C5229F26EE3ECE5DD |
+-------+------------------------------------------------------------------+
| 11    | A6ED100AE42E4FDABFD1B4C992762152BC4A11CC8E521B647B444C75BB7A9782 |
+-------+------------------------------------------------------------------+
| 12    | C2BCCFC8B3BDF2DA5FB5C22055A9C4859256BE7904933E9E0B92FA31FD0420D3 |
+-------+------------------------------------------------------------------+

New Quark Rule For TangleBot
============================

New Quark rule (#00275) is now available. This rule targets `TangleBot `__. Check `here `__ for the rule details.

With this rule, Quark is now able to identify the TangleBot malware family as high-risk. In our experiment, Quark achieved **100% accuracy** and **100% precision**. Please check :ref:`here <list-of-tested-apks-tanglebot>` for the APKs we tested.

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This section uses MITRE ATT&CK Mobile as its reference taxonomy. The table below lists every technique documented for TangleBot (per software entry `S1069 TangleBot <https://attack.mitre.org/software/S1069/>`__) alongside how each manifests in real-world campaigns, all of which the current Quark rule set can detect statically from APK bytecode.

.. list-table::
   :header-rows: 1
   :widths: 30 70

   * - MITRE Technique
     - Real-world manifestation
   * - T1430 Location Tracking
     - Real-time GPS coordinate harvesting to monitor victim physical movements and location
   * - T1418 Software Discovery
     - Enumerating installed applications to profile device usage and identify high-value targets
   * - T1513 Screen Capture
     - Capturing screenshots to exfiltrate sensitive on-screen data including credentials and messages
   * - T1582 SMS Control
     - Intercepting and exfiltrating SMS messages including authentication codes and private communications
   * - T1616 Call Control
     - Initiating, redirecting, or blocking phone calls to facilitate fraud or eavesdropping

All behavior maps below were rendered from sample ``7badeb43e25c4bc7772b4e62d97a7bffc84a02b8f50ea83e8ab8acb598a20bad.apk`` (index 5 in the table of tested APKs), chosen as the representative sample whose detected behaviors most fully cover the documented profile of TangleBot. The other 8 family samples were used to compute the accuracy and precision figures above.

Each section below corresponds to one technique from the table above. Within each section we first quote the MITRE definition, then show the Quark behavior map extracted from the representative sample's bytecode, then walk through the call sequence and list the underlying rules. The single-letter class and method names in this sample (``d.g$g``, ``c0.d``, ``l3.a``) are typical of a ProGuard/R8-shrunk build; the rules key on framework API signatures, not on the app's own names, so the obfuscation does not affect matching.

**1. T1430 Location Tracking**

`T1430 Location Tracking — attack.mitre.org <https://attack.mitre.org/techniques/T1430/>`__

**MITRE definition (T1430):** Adversaries may track a device's physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. On Android, applications holding the ``ACCESS_COARSE_LOCATION`` or ``ACCESS_FINE_LOCATION`` permissions provide access to the device's physical location.

.. image:: https://i.ibb.co/TM3Pq43V/t1430-location-tracking.png

``Ld/g$g;c`` retrieves device time, longitude, current location, and last known location through location services. Together, these calls enable precise geographic tracking of the device over time.

Behaviors detected by Quark:

* Get location of the device (#00075)
* Get last known location of the device (#00115)
* Get device time and longitude (#00214)

**2. T1418 Software Discovery**

`T1418 Software Discovery — attack.mitre.org <https://attack.mitre.org/techniques/T1418/>`__

**MITRE definition (T1418):** Adversaries may attempt to get a listing of applications that are installed on a device.

.. image:: https://i.ibb.co/WWz6wcTf/t1418-software-discovery.png

``Lc0/d;a`` queries package information for a specific application installed on the device. The lookup returns details such as the version and the permissions requested by the named package, which is enough to check whether a particular application of interest is present; it is a targeted probe rather than a full enumeration.

Behaviors detected by Quark:

* Get the package info of a particular app (#00231)

**3. T1513 Screen Capture**

`T1513 Screen Capture — attack.mitre.org <https://attack.mitre.org/techniques/T1513/>`__

**MITRE definition (T1513):** Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information.

.. image:: https://i.ibb.co/S79Ntp63/t1513-screen-capture.png

``Ll3/c$a;onSuccess`` extracts screenshot data into bitmap format and compresses the resulting image. Together, these calls capture the device screen and reduce the image's file size so it can be exfiltrated efficiently.

Behaviors detected by Quark:

* Extract screenshot data to bitmap format (#00238)
* Compress bitmap (#00269)

**4. T1582 SMS Control**

`T1582 SMS Control — attack.mitre.org <https://attack.mitre.org/techniques/T1582/>`__

**MITRE definition (T1582):** Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects. This can be accomplished by requesting the ``RECEIVE_SMS`` or ``SEND_SMS`` permissions depending on what the malware is attempting to do.

.. image:: https://i.ibb.co/dJM0jdST/t1582-sms-control.png

``Ll3/a;t`` calls two helpers to query and read SMS and call log data from URIs, then sends SMS messages. Together, these calls enable both exfiltration of existing messages and transmission of new SMS content.

Behaviors detected by Quark:

* Read sensitive data(SMS, CALLLOG) and put it into JSON object (#00010)
* Query data from URI (SMS, CALLLOGS) (#00011)
* Send SMS (#00040)
* Read sensitive data(SMS, CALLLOG, etc) (#00077)
* Query a URI and append the result into a string (#00190)

**5. T1616 Call Control**

`T1616 Call Control — attack.mitre.org <https://attack.mitre.org/techniques/T1616/>`__

**MITRE definition (T1616):** Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.

.. image:: https://i.ibb.co/HDwSFHYk/t1616-call-control.png

``Ll3/a;C`` constructs an implicit intent with a phone number and initiates a phone call via ``setData``. Combined, these APIs enable programmatic dialing to arbitrary numbers without user interaction.

Behaviors detected by Quark:

* Implicit intent(view a web page, make a phone call, etc.) via setData (#00051)
* Make a phone call (#00202)
* Put a phone number into an intent (#00203)

.. _list-of-tested-apks-tanglebot:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.
+-------+------------------------------------------------------------------+
| index | sha256                                                           |
+=======+==================================================================+
| 1     | 1F8AA27D59C8B9C5D1F28610C1F195C7C6EFA2C80F98842FD3FB18B4241472C3 |
+-------+------------------------------------------------------------------+
| 2     | 6098A436094F1E3E8721FB87FF36781A1A283711CC0388F608723A18132607C4 |
+-------+------------------------------------------------------------------+
| 3     | 669C3BE3CB02D6A20F74EB13104E145747C8E3D4E7A51103F95F3F97EBA958CE |
+-------+------------------------------------------------------------------+
| 4     | 752AC24697F9581E90655BC03FDE742EA70ABA5EE831AC8BBEE113DF3B1CAB6E |
+-------+------------------------------------------------------------------+
| 5     | 7BADEB43E25C4BC7772B4E62D97A7BFFC84A02B8F50EA83E8AB8ACB598A20BAD |
+-------+------------------------------------------------------------------+
| 6     | A72E0D19CB6DB3D96D27F97874C4462589AE0242EAE024D924D08B0663EB5019 |
+-------+------------------------------------------------------------------+
| 7     | BE512E871FC1871314794EA0E83F70EBE6CD9E537883ACA6CA41440B3032DBFC |
+-------+------------------------------------------------------------------+
| 8     | BF781F7D66A8CED4929674EA81A87C814F617EF677301B5EE4B4D32C04287B68 |
+-------+------------------------------------------------------------------+
| 9     | D5D9B9FD3A6C5A9F44CE9EE46A32822F3E9261F4DF68466FAE809D58FA58A1D7 |
+-------+------------------------------------------------------------------+

BRATA Malware Family Analysis Report
====================================

Quark's existing rule set already detects the `BRATA `__ malware family; no new rule was required. Check `here `__ for the rule set.

With these rules, Quark is able to identify the BRATA malware family as high-risk. In our experiment, Quark achieved **100% accuracy** and **100% precision**. Please check :ref:`here <list-of-tested-apks-brata>` for the APKs we tested.

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This section uses MITRE ATT&CK Mobile as its reference taxonomy. The table below lists every technique documented for BRATA (per software entry `S1094 BRATA <https://attack.mitre.org/software/S1094/>`__) alongside how each manifests in real-world campaigns, all of which the current Quark rule set can detect statically from APK bytecode.

.. list-table::
   :header-rows: 1
   :widths: 30 70

   * - MITRE Technique
     - Real-world manifestation
   * - T1418.001 Security Software Discovery
     - Detecting antivirus or security products to evade analysis and detection
   * - T1513 Screen Capture
     - Recording device screen content to harvest credentials and sensitive user data
   * - T1533 Data from Local System
     - Exfiltrating contacts, messages, photos, and other locally stored personal information

All behavior maps below were rendered from sample ``2d15bc6c736c5422f3673d94c8f9d3d28ac1512eae6f459cd768842103266937.apk`` (index 3 in the table of tested APKs), chosen as the representative sample whose detected behaviors most fully cover the documented profile of BRATA. The other 21 family samples were used to compute the accuracy and precision figures above.

Each section below corresponds to one technique from the table above. Within each section we first quote the MITRE definition, then show the Quark behavior map extracted from the representative sample's bytecode, then walk through the call sequence and list the underlying rules.

**1. T1418.001 Security Software Discovery**

`T1418.001 Security Software Discovery — attack.mitre.org <https://attack.mitre.org/techniques/T1418/001/>`__

**MITRE definition (T1418.001):** Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products.

.. image:: https://i.ibb.co/93zRnd2y/t1418-001-security-software-discovery.png

The behavior map above shows BRATA querying the package manager for a single application's information and display label (``GetApplicationLabel``). Malware uses this same lookup to check for security software: by querying the package names of known antivirus or mobile-security apps, it can tell whether any are installed. This is the Security Software Discovery (T1418.001) behavior documented for BRATA; it lets the malware decide whether to keep operating or stay dormant to avoid detection. The map shows only the lookup primitive, so which package names are actually probed has to be confirmed from the string constants passed to it.

Behaviors detected by Quark:

* Get application info and label (#00265)

**2. T1513 Screen Capture**

`T1513 Screen Capture — attack.mitre.org <https://attack.mitre.org/techniques/T1513/>`__

**MITRE definition (T1513):** Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information.

.. image:: https://i.ibb.co/Vc5vwfSG/t1513-screen-capture.png

``onImageAvailable`` copies pixels from the latest rendered image into a Bitmap object. This call enables the malware to capture screenshots of the device screen in real time. ``onImageAvailable`` is the ``ImageReader`` callback that a ``MediaProjection`` virtual display feeds, so this path also depends on the user having accepted the system screen-capture prompt.

Behaviors detected by Quark:

* Copy pixels from the latest rendered image into a Bitmap (#00210)

**3. T1533 Data from Local System**

`T1533 Data from Local System — attack.mitre.org <https://attack.mitre.org/techniques/T1533/>`__

**MITRE definition (T1533):** Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. Access to local system data, which includes information stored by the operating system, often requires escalated privileges.

.. image:: https://i.ibb.co/WSWys6t/t1533-data-from-local-system.png

``FindByMail`` calls ``getAllContacts`` to read records from a content provider via ``ContentResolver``, iterating the returned cursor. Both are methods of the app's B4A ``ContactsWrapper``, indicating the queries target the device's contact database. The behavior map evidences these generic content-provider reads; it does not pin down a specific field such as email address.
Behaviors detected by Quark:

* Query a URI and check the result (#00187)
* Query device data with ContentResolver (#00212)
* Query device data with ContentResolver and obtain the number of results (#00215)

.. _list-of-tested-apks-brata:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.

+-------+------------------------------------------------------------------+
| index | sha256                                                           |
+=======+==================================================================+
| 1     | 27E0EC79DBB7C7F99B43C8C01A94188D1071D1245B1745D0E066AE774C78A8F8 |
+-------+------------------------------------------------------------------+
| 2     | 2846C9DDA06A052049D89B1586CFF21F44D1D28F153A2FF4726051AC27CA3BA7 |
+-------+------------------------------------------------------------------+
| 3     | 2D15BC6C736C5422F3673D94C8F9D3D28AC1512EAE6F459CD768842103266937 |
+-------+------------------------------------------------------------------+
| 4     | 32552C098CD0E8075583162B1E895F1089A3E97FA9AC6281C0D0272D9AF132E2 |
+-------+------------------------------------------------------------------+
| 5     | 37A0F317B897F23F5A6BA4A6B1C5E03A80333FF81BC8C1FADC09EB4C1914797D |
+-------+------------------------------------------------------------------+
| 6     | 4392358E24121C8C9C1BD36341286CEAD074ECE01B5E615EC56C572F5583E0B0 |
+-------+------------------------------------------------------------------+
| 7     | 46F4F981BE30D60795164F97B45219C523DBF8F59608901EB29DA42BCF941CFE |
+-------+------------------------------------------------------------------+
| 8     | 4C57C5EAE5A1BAE1A50BEED28AFFDFF722C89416886E5EDA8088A06771CC29C8 |
+-------+------------------------------------------------------------------+
| 9     | 5395936963DF4D72B365FD30AB52A00A88F8A5F75336BA84AC8A9FC369E0F811 |
+-------+------------------------------------------------------------------+
| 10    | 6327B82AAAB714DC17322E1F215BCA9219F937A1DF6F71C8892BF75FCFA53830 |
+-------+------------------------------------------------------------------+
| 11    | 80443FF27C7D665E1D9DB78CE70E67478C2A2F47DB4F84AF7BA4DB85C0EAD677 |
+-------+------------------------------------------------------------------+
| 12    | 98B778F619E1C0F822B9514C81B9869F0302A2FEF53754739BB92C67D02609E0 |
+-------+------------------------------------------------------------------+
| 13    | 9BF89B33609973D48C7D09D5774C39BFCEFD3922202DB0D872F12B3FFDB28529 |
+-------+------------------------------------------------------------------+
| 14    | B2EC5CBCA08D8AEF4F638FFB479FDF613EEAA31FF9C30C73DBEDA7FF8EB4A25B |
+-------+------------------------------------------------------------------+
| 15    | B5A64791728AA641838D2A478375F5D46F91C91B8DF0CDE34B21DDA2D4D7D8A1 |
+-------+------------------------------------------------------------------+
| 16    | B64123E4FF92CD7BE104B21CA0DEAEFD89E8270572746C61EFC3E7CD05999B5D |
+-------+------------------------------------------------------------------+
| 17    | D774779A1E53D5C1012EC855CD6567D6E9F779299DDF0D07E96DDE6C0679F4DF |
+-------+------------------------------------------------------------------+
| 18    | D7AF3C8E53B2B1B5B84E5542353FC80C28B2297238469E189F7C83ACB666943B |
+-------+------------------------------------------------------------------+
| 19    | DCDCACAFACB1F8A9474FF714DD418E0104E854B87AD07220CE5E4564568CE997 |
+-------+------------------------------------------------------------------+
| 20    | ED1C4B8B6F7ED4F93A9B06F4FBE4BB28782994BC121CD0540F9DE62FF22FA78F |
+-------+------------------------------------------------------------------+
| 21    | F690E30B6EE25C153EFFC5620FD7EC61481A449A127B54A67C7AFC4C13D7917F |
+-------+------------------------------------------------------------------+
| 22    | FA816C631249922539EEEB3E8F73D3EF4EA997AB729751ADEBCEA3D0DE32A63B |
+-------+------------------------------------------------------------------+
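Every "Identified Well-Known Threats" section in this report describes a behavior the same way: two or more Android API calls that a Quark rule expects to find together and in order inside one method, or split between a method and the helper it calls (``readCommand`` and ``getIDwindowsBot`` in the Anubis section; the ``setData``/``startActivity`` phone-call pair shared by the Anubis, GodFather and TangleBot sections). The Python below is an added example written for this report to make that matching concrete. It is not quark-engine's code: the class names, call traces, permission list and rule contents are constructed, and the rule numbering is hypothetical. It follows the staged idea Quark documents (permission requested, API present, both APIs in one method, correct calling sequence) but leaves out Quark's fifth stage, register-level data flow; the inlining of direct callees into the caller's sequence is this example's own simplification, and the stage/5 weighting is illustrative rather than Quark's. The rule dictionaries mirror the layout of a Quark rule file (``crime``, ``permission``, ``api``, ``score``, ``label``).

```python
"""Simplified, Quark-style matching of two-API behavior rules over a call trace.

Illustrative re-implementation for this report (not quark-engine code). A rule
names two Android API calls; confidence rises through stages as the APK declares
the permission, uses both APIs, uses them in one method, and in the rule's order.
Quark's fifth stage (both calls handling the same register) is not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# --- Constructed input (hypothetical names, not taken from a real APK) ---------

MANIFEST_PERMISSIONS: set[str] = {          # permissions in the hypothetical manifest
    "android.permission.CALL_PHONE",
    "android.permission.READ_SMS",
    "android.permission.INTERNET",
}

# Call sequence per method in smali-style "Lclass;->method(args)ret" form.
# Keys are the app's own methods; any callee that is not a key is a framework API.
CALL_TRACE: dict[str, list[str]] = {
    "Lcom/example/bot/Main;->onCreate(Landroid/os/Bundle;)V": [
        "Landroid/content/Intent;-><init>(Ljava/lang/String;)V",
        "Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;",
        "Landroid/content/Intent;->setData(Landroid/net/Uri;)Landroid/content/Intent;",
        "Landroid/app/Activity;->startActivity(Landroid/content/Intent;)V",
    ],
    # Caller/helper split like the Anubis "Read and Decode File Contents" map.
    "Lcom/example/bot/Cmd;->readCommand()V": [
        "Lcom/example/bot/Cmd;->getIDwindowsBot()[B",
        "Landroid/util/Base64;->decode([BI)[B",
        "Ljava/io/FileOutputStream;->write([B)V",
    ],
    "Lcom/example/bot/Cmd;->getIDwindowsBot()[B": [
        "Ljava/io/File;->getAbsolutePath()Ljava/lang/String;",
        "Ljava/io/FileInputStream;-><init>(Ljava/lang/String;)V",
        "Ljava/io/FileInputStream;->read([B)I",
    ],
    # Decoy: writes a file but never Base64-decodes anything.
    "Lcom/example/bot/Log;->dump()V": ["Ljava/io/FileOutputStream;->write([B)V"],
}

# Rules in the layout of a Quark rule file (hypothetical content and numbering).
RULES: list[dict] = [
    {"crime": "Make a phone call via implicit intent",
     "permission": ["android.permission.CALL_PHONE"],
     "api": ["Landroid/content/Intent;->setData(Landroid/net/Uri;)Landroid/content/Intent;",
             "Landroid/app/Activity;->startActivity(Landroid/content/Intent;)V"],
     "score": 4, "label": ["telephony"]},
    {"crime": "Write file after Base64 decoding", "permission": [],
     "api": ["Landroid/util/Base64;->decode([BI)[B",
             "Ljava/io/FileOutputStream;->write([B)V"],
     "score": 3, "label": ["file"]},
    {"crime": "Open a file from its absolute path, then Base64-decode", "permission": [],
     "api": ["Ljava/io/File;->getAbsolutePath()Ljava/lang/String;",
             "Landroid/util/Base64;->decode([BI)[B"],
     "score": 3, "label": ["file"]},
    {"crime": "Record audio from the microphone",
     "permission": ["android.permission.RECORD_AUDIO"],   # not in the manifest above
     "api": ["Landroid/media/MediaRecorder;->setAudioSource(I)V",
             "Landroid/media/MediaRecorder;->start()V"],
     "score": 4, "label": ["collection"]},
]


@dataclass
class Match:
    crime: str
    stage: int = 0                                     # highest stage reached, 0..4
    methods: list[str] = field(default_factory=list)   # methods where stage 4 held


def flatten(method: str, trace: dict[str, list[str]], depth: int = 2) -> list[str]:
    """Return the method's calls with direct callees inlined (up to `depth`),
    so a behavior split across a helper is seen as one ordered sequence."""
    seq: list[str] = []
    for callee in trace.get(method, []):
        if callee in trace and depth > 0:
            seq.extend(flatten(callee, trace, depth - 1))
        else:
            seq.append(callee)
    return seq


def evaluate(rule: dict, trace: dict[str, list[str]], permissions: set[str]) -> Match:
    """Walk the stages for one rule and report how far the sample gets."""
    api_a, api_b = rule["api"]
    m = Match(rule["crime"])
    if not all(p in permissions for p in rule["permission"]):
        return m                                       # stage 1 fails: no permission
    m.stage = 1
    used = {call for seq in trace.values() for call in seq}
    if api_a not in used or api_b not in used:
        return m                                       # stage 2 fails: API never called
    m.stage = 2
    for method in trace:
        seq = flatten(method, trace)
        if api_a in seq and api_b in seq:              # stage 3: both in one method
            m.stage = max(m.stage, 3)
            if seq.index(api_a) < seq.index(api_b):    # stage 4: in the rule's order
                m.stage = 4
                m.methods.append(method)
    return m


def risk_report(rules: list[dict], trace: dict[str, list[str]],
                permissions: set[str]) -> tuple[list[Match], float]:
    """Score every rule; stage/5 weighting is illustrative, not Quark's own."""
    matches = [evaluate(r, trace, permissions) for r in rules]
    weighted = sum(r["score"] * m.stage / 5 for r, m in zip(rules, matches))
    return matches, round(weighted / sum(r["score"] for r in rules), 2)


if __name__ == "__main__":
    results, risk = risk_report(RULES, CALL_TRACE, MANIFEST_PERMISSIONS)
    for r in results:
        print(f"stage {r.stage}  {r.crime}  {r.methods}")
    print(f"aggregate risk: {risk}")
```

Run as a script it prints the stage each rule reaches and the aggregate score. The absolute-path/decode rule reaches stage 4 only in ``readCommand``, because the helper's ``getAbsolutePath`` is inlined ahead of the caller's ``Base64.decode``; ``getIDwindowsBot`` on its own never gets past stage 2, and the decoy ``dump`` method never satisfies stage 3. The microphone rule stops at stage 0 because ``RECORD_AUDIO`` is not declared, which is the manifest check the phone-call caveats above refer to.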