Android Malware (Analysis | Scoring) System

Overview

An Obfuscation-Neglect Android Malware Scoring System

Quark-Engine is also bundled with Kali Linux and BlackArch. A trustworthy, practical tool that's ready to boost your malware reverse engineering. https://twitter.com/quarkengine

Quark Script - Ecosystem for Mobile Security Tools

Innovative & Interactive

Quark Script aims to provide an innovative way for mobile security researchers to analyze or pentest their targets.

Based on Quark, we integrate decent tools as Quark Script APIs and make them exchange valuable intelligence with each other. This enables security researchers to interact with staged results and perform creative analysis with Quark Script.

Dynamic & Static Analysis

In Quark script, we integrate not only static analysis tools (e.g. Quark itself) but also dynamic analysis tools (e.g. objection).

Re-Usable & Sharable

Once a user creates a Quark Script for a specific analysis scenario, the script can be reused on other targets. It can also be shared with other security researchers, which enables the exchange of knowledge.

More APIs to come

Quark Script is now in a beta version. We'll keep releasing practical APIs and analysis scenarios.

See API document here.

2022 CWE Top 25 Showcases

Quark Web Report

With the following command, you can easily analyze the Android sample and output the web report.

See our demo here.

quark -a sample.apk -s -w quark_report.html

Navigate the Rules

To navigate the latest rules for Quark, please visit the Detection Rules Viewer! In this viewer, you can use labels and keywords to search for the rules you need.

Illustration

An illustration of the rule viewer

Why Quark?

Android malware analysis engines are not a new story. Every antivirus company has its own secrets for building one. Out of curiosity, we developed a malware scoring system from the perspective of Taiwan Criminal Law, in an easy but solid way.

Criminal law has an order theory of crime that explains the stages of committing a crime. For example, the crime of murder consists of five stages: determination, conspiracy, preparation, start, and practice. The later the stage, the more certain we are that the crime is being practiced.

Following this principle, we developed our order theory of Android malware. It has five stages that tell us whether a malicious activity is being practiced:

1. Permission requested.
2. Native API call.
3. Certain combination of native APIs.
4. Calling sequence of native APIs.
5. APIs that handle the same register.

We not only define malicious activities and their stages but also develop weights and thresholds for calculating the threat level of a malware sample.

Malware has evolved new techniques to make reverse engineering harder, and obfuscation is one of the most commonly used. In this talk, we present a Dalvik bytecode loader built on the order theory of Android malware, which neglects certain cases of obfuscation.

Our Dalvik bytecode loader provides functionalities such as 1. finding cross references and the calling sequence of native APIs, and 2. tracing bytecode registers. The combination of these functionalities (yes, the order theory) not only neglects obfuscation but also matches the design of our malware scoring system perfectly.
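To make the five stages and the weighting concrete, here is an added toy evaluator; it is not Quark-Engine's own implementation. It runs a rule in the JSON shape shown later on this page against hand-constructed APK facts: the requested permissions and, per parent method, the API invocations together with the registers they use. The 20%-per-stage confidence, the weighting, the threat thresholds, the SMS rule and the sample facts are all assumptions made for illustration.

```python
"""Toy five-stage evaluator for the order theory above (added example, not Quark's code).
Stage-to-confidence mapping, weighting, thresholds, the rule and the APK facts are
all constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Invoke:
    """One API invocation in program order and the registers it touches."""
    method: str                   # Dalvik signature Lpkg/Cls;->name(args)ret
    args: Tuple[str, ...]         # registers passed to the call (receiver first)
    result: Optional[str] = None  # register written by the following move-result


@dataclass
class Sample:
    """What a loader extracts from an APK: permissions and per-method invokes."""
    permissions: Set[str]
    methods: Dict[str, List[Invoke]]  # parent method -> invokes in program order


STAGE_CONFIDENCE = {0: 0, 1: 20, 2: 40, 3: 60, 4: 80, 5: 100}  # assumed: 20% per stage


def api_signature(api: dict) -> str:
    """Turn a rule's 'api' entry into the signature form used in smali."""
    return f"{api['class']}->{api['method']}{api['descriptor']}"


def shares_register(first: Invoke, second: Invoke, between: List[Invoke]) -> bool:
    """Stage 5: a register produced or used by `first` reaches `second` unclobbered.
    Simplification: only move-result writes count as clobbering a register."""
    produced = set(first.args) | ({first.result} if first.result else set())
    return any(not any(inv.result == reg for inv in between)
               for reg in produced & set(second.args))


def evaluate_rule(rule: dict, sample: Sample) -> int:
    """Return the highest stage (0-5) the sample reaches for a two-API rule."""
    if not set(rule["permission"]) <= sample.permissions:
        return 0                                   # Stage 1: permissions requested
    first, second = (api_signature(a) for a in rule["api"])
    invoked = {inv.method for seq in sample.methods.values() for inv in seq}
    if not {first, second} <= invoked:
        return 1                                   # Stage 2: both APIs called
    stage = 2
    for seq in sample.methods.values():
        names = [inv.method for inv in seq]
        if first not in names or second not in names:
            continue
        stage = max(stage, 3)                      # Stage 3: same parent method
        i, j = names.index(first), names.index(second)
        if i < j:
            stage = max(stage, 4)                  # Stage 4: first precedes second
            if shares_register(seq[i], seq[j], seq[i + 1:j]):
                return 5                           # Stage 5: data flows between them
    return stage


def threat_level(rules: List[dict], sample: Sample) -> Tuple[float, str]:
    """Score-weighted confidence over all rules; the thresholds are assumed."""
    total = sum(r["score"] for r in rules)
    weighted = sum(r["score"] * STAGE_CONFIDENCE[evaluate_rule(r, sample)] / 100
                   for r in rules)
    ratio = weighted / total if total else 0.0
    label = "High Risk" if ratio >= 0.8 else "Moderate Risk" if ratio >= 0.4 else "Low Risk"
    return ratio, label


# Constructed rule in the JSON shape Quark rules use elsewhere on this page.
SEND_SMS_RULE = {
    "crime": "Send SMS message (constructed rule)",
    "permission": ["android.permission.SEND_SMS"],
    "api": [
        {"class": "Landroid/telephony/SmsManager;", "method": "getDefault",
         "descriptor": "()Landroid/telephony/SmsManager;"},
        {"class": "Landroid/telephony/SmsManager;", "method": "sendTextMessage",
         "descriptor": "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;"
                       "Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V"},
    ],
    "score": 1, "label": ["sms"],
}
GET_DEFAULT, SEND_TEXT = (api_signature(a) for a in SEND_SMS_RULE["api"])
SEND_ARGS = ("v0", "v1", "v2", "v3", "v4", "v5")  # receiver (the SmsManager) in v0
PERMS = {"android.permission.SEND_SMS"}

# Constructed APK facts, one sample per stage worth telling apart.
FULL_CHAIN = Sample(PERMS, {"Lcom/example/Spy;->leak()V": [
    Invoke(GET_DEFAULT, (), "v0"), Invoke(SEND_TEXT, SEND_ARGS)]})
CLOBBERED = Sample(PERMS, {"Lcom/example/Spy;->leak()V": [
    Invoke(GET_DEFAULT, (), "v0"),
    Invoke("Lcom/example/Util;->other()Ljava/lang/Object;", (), "v0"),  # overwrites v0
    Invoke(SEND_TEXT, SEND_ARGS)]})
SPLIT = Sample(PERMS, {"Lcom/example/A;->a()V": [Invoke(GET_DEFAULT, (), "v0")],
                       "Lcom/example/B;->b()V": [Invoke(SEND_TEXT, SEND_ARGS)]})
NO_PERMISSION = Sample(set(), FULL_CHAIN.methods)

if __name__ == "__main__":
    for name, s in [("full chain", FULL_CHAIN), ("clobbered", CLOBBERED),
                    ("split", SPLIT), ("no permission", NO_PERMISSION)]:
        print(name, evaluate_rule(SEND_SMS_RULE, s), threat_level([SEND_SMS_RULE], s))
```

The four constructed samples land on stages 5, 4, 2 and 0: the clobbered variant is the instructive one, because both APIs appear in the right order in the same method, yet the SmsManager object returned by getDefault is overwritten before sendTextMessage runs, so the stage-5 register check correctly refuses to claim full confidence. A real loader tracks far more than move-result writes (moves, field reads, branches), which is the part of the work the register-tracing functionality above does.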

Easy to Use and Reading Friendly Report

Quark provides 7 flexible report formats and 2 powerful features to boost your analysis.

7 Types of Report Formats:

2 Features to Boost Your Analysis:

Please see below for more details.

Quick Start

Requirements

  • Python 3.8+
  • git
  • graphviz
  • click >= 8.0.1 (For CLI supports)

Installation

$ pip3 install -U quark-engine

Get the Latest Rules

Now you can download the Quark official ruleset to your home directory with a simple command.

$ freshquark

Check --help to see the detailed usage description.

$ quark --help

Test It Out

You may refer to the Quark Engine Document for more details of testing and development information.

Available Report or Features

Summary Report

Examine with rules.

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -s

There is the possibility to select only one label to filter the rules:

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -s network

There is also the possibility to select only one rule:

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -s <path_to_the_rule>
Result

Note that if you want to select the default rules of Quark, the path to the ruleset is $HOME/.quark-engine/quark-rules/rules/.

Detail Report

This is how we examine a real Android malware sample (candy corn) with one single rule (crime).

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -d

There is the possibility to select only one label to filter the rules:

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -d network

There is also the possibility to select only one rule:

quark -a 14d9f1a92dd984d6040cc41ed06e273e.apk -d <path_to_the_rule>
Result

Note that if you want to select the default rules of Quark, the path to the ruleset is $HOME/.quark-engine/quark-rules/rules/.

Label-based Report

Check which topic (indicated by labels) of the malware is more aggressive.

quark -a Ahmyth.apk -l detailed
Result

Behaviors Comparison Radar Chart

With the following command, you can compare different APK actions based on the max confidence of rule labels and generate a radar chart.

quark -a first.apk -a second.apk -C
Result

Call Graph for Every Potential Malicious Activity

You can add the -g option to the quark command to get the call graph (only for rules that match with 100% confidence).

quark -a Ahmyth.apk -s -g
Result

Rules Classification

You can add the -c option to the quark command to output the rules classification by mutual parent function (only for rules that match with 100% confidence).

quark -a Ahmyth.apk -s -c
Result

Radiocontrast

Radiocontrast is a Quark API that quickly generates Quark rules from a specified method. It builds 100%-matched rules from the native APIs used in that method. The feature lets you easily expose the behavior of a method, just like a radiocontrast agent.

For example, suppose we want to know the behavior of the method Lahmyth/mine/king/ahmyth/CameraManager;->startUp(I)V in Ahmyth.apk. Here is the simplest way to use Radiocontrast:

from quark.radiocontrast import RadioContrast

# The target APK.
APK_PATH = "~/apk-malware-sample/Ahmyth.apk"

# The method that you want to generate rules. 
TARGET_METHOD = "Lahmyth/mine/king/ahmyth/CameraManager;->startUp(I)V"

# The output directory for generated rules.
GENERATED_RULE_DIR = "~/generated_rules"

radiocontrast = RadioContrast(
 APK_PATH, 
 TARGET_METHOD, 
 GENERATED_RULE_DIR
)

# param: web_editor: the file path for generated rules web editor.
# param: percentile_rank: the percentile number of api filter rank. 
#        For example, percentile_rank=0.2 use 20% least usage count APIs to generate rules
radiocontrast.generate_rule(percentile_rank=0.2, web_editor="ahmyth.html")

Parallelizing Quark

Quark now supports multiprocessing for analyzing APKs in parallel. By adding the option --multi-process, you can set the number of processes.

Note that Quark-Engine automatically limits this value to at most the number of CPUs minus 1. This restriction is in place to avoid running out of memory.

quark -a Ahmyth.apk -s --multi-process 4

Upcoming Unstable Feature

Now Quark also supports Rizin as one of our Android analysis frameworks. You can use option --core-library with rizin to enable the Rizin-based analysis library.

quark -a Ahmyth.apk -s --core-library rizin

Acknowledgments

The Honeynet Project


Google Summer Of Code

Quark-Engine has been participating in the GSoC under the Honeynet Project!

Stay tuned for the upcoming GSoC! Join the Honeynet Slack chat for more info.

Core Values of Quark Engine Team

  • We love battle fields. We embrace uncertainties. We challenge impossibles. We rethink everything. We change the way people think. And the most important of all, we benefit ourselves by benefiting others first.
Comments
  • macOS Dependencies

    Dependencies error during the installation of the quark-engine on macOS Catalina - 10.15.7.

    Error : - pkg_resources.DistributionNotFound: The 'androguard==3.4.0a1' distribution was not found and is required by quark-engine

    test-required issue-processing-state-01
    opened by yashomer1994 16
  • Add quark script case for CWE 319

    Detect CWE-319 in Android Application (ovaa.apk)

    This scenario seeks to find the Cleartext Transmission of Sensitive Information. See CWE-319 for more details.

    Let's use this APK and the above APIs to show how the Quark script finds this vulnerability. This sample uses the package Retrofit to request Web APIs, but the APIs use cleartext protocols.

    We first design a detection rule setRetrofitBaseUrl.json to spot the behavior that sets the base URL of the Retrofit instance. Then, we loop through a custom list of cleartext protocol schemes and use the API behaviorInstance.hasString to filter arguments that are URL strings with a cleartext protocol.

    Quark Script CWE-319.py

    from quark.script import runQuarkAnalysis, Rule
    
    SAMPLE_PATH = "./ovaa.apk"
    RULE_PATH = "setRetrofitBaseUrl.json"
    
    PROTOCOL_KEYWORDS = [
        "http",
        "smtp",
        "ftp"
    ]
    
    
    ruleInstance = Rule(RULE_PATH)
    quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
    
    for setRetrofitBaseUrl in quarkResult.behaviorOccurList: 
        for protocol in PROTOCOL_KEYWORDS:
            
            regexRule = f"{protocol}://[0-9A-Za-z./-]+"
            cleartextProtocolUrl = setRetrofitBaseUrl.hasString(regexRule, True)
            
            if cleartextProtocolUrl:
                print(f"CWE-319 detected!")
                print(f"Here are the found URLs with cleartext protocol:")
                print("\n".join(cleartextProtocolUrl))
    

    Quark Rule: setRetrofitBaseUrl.json

    {
        "crime": "Set Retrofit Base Url",
        "permission": [],
        "api": 
        [
            {
                "descriptor": "()V",
                "class": "Lretrofit2/Retrofit$Builder;",
                "method": "<init>"
            },
            {
                "descriptor": "(Ljava/lang/String;)Lretrofit2/Retrofit$Builder;",
                "class": "Lretrofit2/Retrofit$Builder;",
                "method": "baseUrl"
            }
        ],
        "score": 1,
        "label": []
    }
    

    Quark Script Result

    $ python3 CWE-319.py
    CWE-319 detected!
    Here are the found URLs with cleartext protocol:
    http://example.com./api/v1/
    
    pr-processing-state-06 
    opened by zinwang 12
  • Porting androguard to quark-engine

    Porting androguard version 3.4 to quark-engine project to prevent androguard from no longer being maintained.

    In the past using androguard, we all have to rely on pip install androguard from Github, but there is a problem, if something goes wrong with androguard, quark-engine might crash.

    But in fact, we only need the decompile function of androguard, so I ported this function to our project.

    In addition to improving the stability of quark-engine, it also increases the speed of pipenv installation.

    enhancement not ready 
    opened by krnick 11
  • Add Quark Script APIs to detect CWE-532

    Detect CWE-532 in Android Application (dvba.apk)

    This scenario seeks to find insertion of sensitive information into Log file. See CWE-532 for more details.

    Let’s use this APK and the above APIs to show how the Quark script finds this vulnerability.

    First, we use the API findMethodInAPK to locate the method log.d. Then we use the API methodInstance.getArguments to get the arguments that are input to log.d. Finally, we use keywords such as "token", "password", and "decrypt" to check if the arguments include sensitive data. If the answer is YES, that may cause sensitive data leakage into the log file.

    You can use your own keywords in the keywords list to detect sensitive data.

    API Spec

    findMethodInAPK(samplePath, targetMethod)

    • Description: Find the target method in APK
    • params:
      1. samplePath: Target file
      2. targetMethod: A python list contains class name, method name, and descriptor of target method
    • return: python list contains caller method instance of target method

    Detect CWE-532 in Android Application (dvba.apk)

    Quark Script CWE-532.py

    from quark.script import findMethodInAPK
    
    SAMPLE_PATH = "dvba.apk"
    TARGET_METHOD = [
        "Landroid/util/Log;",                       # class name
        "d",                                        # method name
        "(Ljava/lang/String; Ljava/lang/String;)I"  # descriptor
    ]
    CREDENTIAL_KEYWORDS = [
        "token",
        "decrypt",
        "password"
    ]
    
    methodsFound = findMethodInAPK(SAMPLE_PATH, TARGET_METHOD)
    
    for debugLogger in methodsFound:
        arguments = debugLogger.getArguments()
    
        for keyword in CREDENTIAL_KEYWORDS:
            if keyword in arguments[1]:
                print(f"CWE-532 is detected in method, {debugLogger.fullName}") 
    

    Quark Script Result

    $ python CWE-532.py 
    CWE-532 is detected in method, Lcom/google/firebase/auth/FirebaseAuth; d (Lc/c/b/h/o;)V
    
    pr-processing-state-04 
    opened by pulorsok 10
  • Add new feature to get url and ips from apk string

    Using the following code, we can get the URLs and IP addresses:

    from androguard.misc import AnalyzeAPK
    import re

    a, d, dx = AnalyzeAPK("Ahmyth.apk")

    # Dotted-quad IPv4 address with every octet in 0-255 (the original
    # alternation only accepted a subset of values above 199).
    OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
    ipv4_address = re.compile(rf"\b{OCTET}(?:\.{OCTET}){{3}}\b")

    # URL-like strings: scheme://, www., or bare domain followed by a path.
    url_pattern = re.compile(r"(?i)\b((?:https?://|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:'\".,<>?«»“”‘’]))")

    for string in dx.get_strings():
        value = string.get_value()

        urls = url_pattern.findall(value)
        if urls:
            print("[URL Found]")
            print([match[0] for match in urls])  # group 1 is the whole URL

        ips = ipv4_address.findall(value)
        if ips:
            print("[IP Found]")
            print(ips)
    
    
    enhancement 
    opened by krnick 10
  • Help section for --multi-process

    Help section for --multi-process made more descriptive with respect to the max number of processes that can be used, w.r.t. issue https://github.com/quark-engine/quark-engine/issues/315

    documentation 
    opened by PaulNicolasHunter 9
  • Refactor/enrich the rest of Quark's tests

    Description

    Please refer here. For the replacement of Androguard, I want to write tests to improve the test coverage of Quark. This is the final PR. (You can find the previous PR here )

    In this PR, I focus on these files.

    • quark/Objects/analysis.py
    • quark/Objects/quarkrule.py
    • quark/report.py
    • quark/freshquark.py
    • all seven files in quark/utils (colors.py, graph.py, pprint.py, output.py, etc.)

    Code Changes

    • For the existing tests: Divide them by their test scenarios.
    • For the new tests: Add them according to two strategies and the coding guideline discussed in the above issue.

    | Files | # Tests added for normal inputs | # Tests added for error inputs | # Tests modified |
    | ------------------- | :-----------------------------: | :----------------------------: | :--------------: |
    | test_analysis.py | 1 | 0 | 0 |
    | test_quarkrule.py | 1 | 4 | - |
    | test_report.py | 4 | 6 | - |
    | test_freshquark.py | 2 | 0 | - |
    | test_colors.py | 1 | 0 | - |
    | test_graph.py | 3 | 0 | - |
    | test_output.py | 3 | 0 | - |
    | test_pprint.py | 5 | 0 | - |
    | test_regex.py | 11 | 3 | - |
    | test_tools.py | 5 | 1 | 1 |
    | test_weight.py | 0 | 0 | 3 |
    | Total | 36 | 14 | 4 |

    Related Discussions

    1. issue https://github.com/quark-engine/gsoc2021-ShengFengLu/issues/1
    2. Discussion https://github.com/quark-engine/quark-engine/discussions/173
    enhancement 
    opened by haeter525 9
  • Creation of option to print Report based on Label Rules

    With the following pull request we (me, @cryptax, @Dil3mm3 and @3aglew0) propose adding another option to print a report based on the labels specified inside a rule.

    We have noticed they are not used, and it could be interesting to print a short report taking these values into consideration. Here is an example of output where, for each label (found inside the rules), a description (see explanation below), the number of rules containing this label and other details described below are printed.

    example_of_output

    This option permits printing a report based on labels with two different levels of detail:

    1. quark -a malware_to_be_analysed.apk -r rule_dir -l max prints the maximum score for each label (as in the image above); this permits us to understand in which topic (represented by a label) a malware is more aggressive. For example, looking at the previous output we can see the malware performs with success malicious actions related to location, calllog and sms.
    2. quark -a malware_to_be_analysed.apk -r rule_dir -l detailed prints a detailed report with all the previous information plus:
      • Number of rules (with that label) which have a score >= 80%
      • Average score and standard deviation (computed over all the scores obtained by that specific label). Interesting considerations could be the following: a label with a high average and a low standard deviation would allow us to say the malware performs a series of malicious actions (with success); a high standard deviation means there are some rules which get a high score, so the malware performs with success only some of the actions with that label; finally, a low standard deviation and a low average on a certain label mean the malware is not performing malicious actions on that topic. Example of output:

    output_detailed_report

    The column description allows adding a short and representative sentence about a label; for example, for calllog the description is Retrieve or manipulate sensitive data from call log. In order to implement a flexible solution we thought of adding a csv file in the same directory as the rules with the following structure: label,description. We chose the csv extension because it is easy to manipulate, and it wasn't possible to use a json format since in that folder all json files are interpreted as rules. If this file is not present or a label,description pair is absent, the corresponding cell in the label report is filled with -. Example of output:

    output_with_desc

    I leave here a sample of the csv file to be put in the folder of the rules (label_desc.csv).

    Do not hesitate to contact me for any type of clarification.

    enhancement 
    opened by ciastron 9
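The per-label statistics the pull request above describes (maximum score, number of rules at or above 80%, average and standard deviation, and the optional label,description csv) are small enough to show end to end. The following is an added example written for this page, not the pull request's implementation: the rule results and the csv text are constructed, and only the calllog description is taken from the post.

```python
"""Per-label summary like the one the pull request describes (added example, not
the pull request's code). The rule results and the label_desc.csv text are
constructed; only the calllog description comes from the post above."""
import csv
import io
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

# Constructed label_desc.csv content: header row, then label,description pairs.
LABEL_DESC_CSV = """label,description
calllog,Retrieve or manipulate sensitive data from call log
sms,Send or read SMS messages (constructed description)
"""

# Constructed rule results: (labels of the rule, confidence score in percent).
SAMPLE_RESULTS: List[Tuple[List[str], int]] = [
    (["sms", "network"], 100),
    (["sms"], 80),
    (["location"], 20),
    (["network"], 60),
    (["calllog"], 100),
]


def load_label_descriptions(text: str) -> Dict[str, str]:
    """Parse label,description rows; an absent file would simply yield {}."""
    return {row["label"]: row["description"]
            for row in csv.DictReader(io.StringIO(text))}


def label_report(results: Iterable[Tuple[List[str], int]],
                 descriptions: Dict[str, str],
                 high_threshold: int = 80) -> Dict[str, dict]:
    """Per label: description, rule count, max, count >= threshold, average, std dev."""
    per_label: Dict[str, List[int]] = {}
    for labels, score in results:
        for label in labels:
            per_label.setdefault(label, []).append(score)
    report = {}
    for label, scores in sorted(per_label.items()):
        report[label] = {
            "description": descriptions.get(label, "-"),  # '-' when no pair exists
            "rules": len(scores),
            "max": max(scores),
            "high_confidence": sum(1 for s in scores if s >= high_threshold),
            "average": round(mean(scores), 1),
            # population std dev, so a label backed by a single rule reports 0.0
            "std_dev": round(pstdev(scores), 1),
        }
    return report


def build_report() -> Dict[str, dict]:
    """Run the report over the constructed inputs."""
    return label_report(SAMPLE_RESULTS, load_label_descriptions(LABEL_DESC_CSV))


def render(report: Dict[str, dict]) -> str:
    """Plain-text table in the spirit of the -l detailed output."""
    lines = [f"{'Label':10} {'Rules':>5} {'Max':>4} {'#>=80':>6} {'Avg':>6} {'Std':>6}  Description"]
    for label, row in report.items():
        lines.append(f"{label:10} {row['rules']:>5} {row['max']:>4} {row['high_confidence']:>6} "
                     f"{row['average']:>6} {row['std_dev']:>6}  {row['description']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_report()))
```

On the constructed input, sms comes out with average 90 and standard deviation 10 (two rules, both high), network with average 80 and deviation 20 (one confident rule, one weak), and location with a single 20% rule, which matches the three reading patterns the post lists. Population standard deviation is used deliberately: the sample variant is undefined for a label that only one rule carries.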
  • Add new feature for generate Quark web report

    Add a new feature for generating the Quark report. With the following command, we can easily analyze the Android sample and output the web report.

    See the demo here.

    quark -a sample.apk -s -w quark_report.html
    

    pr-processing-state-05 
    opened by pulorsok 7
  • Have Click as an optional dependency

    Hey everyone!

    Is your feature request related to a problem? Please describe. Quark does not separate optional dependencies, like Click, from required dependencies (I suppose everything else). Since Quark can be used as a module, and in this case Click is not required at all, this will solve some compatibility issues with other libraries, i.e. celery >= 5.0.0.

    Describe the solution you'd like

    Use the Optional Dependency feature in setup.py to separate the Click package from the remaining requirements. Explain in Readme.md how the user should call setup.py to be able to use the CLI commands.

    Describe alternatives you've considered None

    Additional context

    If the solution is considered acceptable, or another solution that I did not think of, for this issue is found, I can work on the implementation and the PR myself.

    dependencies 
    opened by 0ssigeno 7
  • Methods from the "Extended Class"

    Hi all, my friends (@Dil3mm3 and @3aglew0) and I are working to implement new quark rules (version 21.3.2) for a university semester project (our supervisor is @cryptax). We were analyzing Brazking malware (hash SHA256 be3d8500df167b9aaf21c5f76df61c466808b8fdf60e4a7da8d6057d476282b6, let us know if you want the sample).

    In a nutshell, the problem we have encountered is the following: we noticed Quark is not able to detect all the APIs called from an object of a class which extends an Android class. The root cause comes from the signature of the API, which in the smali code appears with the name of the child class.

    To explain this problem better, we provide the following example: the Acessibilidade class is a custom Brazking class which extends the Android AccessibilityService class.

    package com.gservice.autobot;
    
    ...
    
    public class Acessibilidade extends AccessibilityService{
        ...
    }
    

    Acessibilidade is widely used by this malware to perform accessibility service actions, like the one below:

    public void Clicar_Pos(int i, int i2) {
        Acessibilidade acessibilidade = this.Contexto;
        if (acessibilidade != null) {
            try {
                Clica(i, i2, acessibilidade.getRootInActiveWindow(), 0);
            } catch (Exception unused) {
            }
        }
    }


    The incriminating line of code is the one where the method getRootInActiveWindow is called, which in the smali code appears as follows:

    invoke-virtual {v0}, Lcom/gservice/autobot/Acessibilidade;->getRootInActiveWindow()Landroid/view/accessibility/AccessibilityNodeInfo;

    In the context of Quark rules it makes sense to link this API with the performAction API of the AccessibilityNodeInfo class:

    public void Clica(int i, int i2, AccessibilityNodeInfo accessibilityNodeInfo, int i3) {
        ...
        accessibilityNodeInfo.performAction(16);
        ...
    }


    Finally, we created the following rule (note that the first API is written with the signature of the AccessibilityService class and not Acessibilidade, since it would not make sense to make a rule so specific to a single malware):

    {
        "crime": "Use accessibility service to perform action getting root in active window",
        "permission": [],
        "api": [
            {
                "class": "Landroid/accessibilityservice/AccessibilityService;",
                "method": "getRootInActiveWindow",
                "descriptor": "()Landroid/view/accessibility/AccessibilityNodeInfo;"
            },
            {
                "class": "Landroid/view/accessibility/AccessibilityNodeInfo;",
                "method": "performAction",
                "descriptor": "(I)Z"
            }
        ],
        "score": 1,
        "label": [
            "accessibility service",
            "perform action"
        ]
    }
    

    This behaviour may have some repercussions on the functionality of Quark: launching this rule over the Brazking malware, the score we obtain is 40%, since the first API is not caught.

    To sum up, we think that if a class extends another Android class (as in the case of BrazKing for the accessibility service, see class Acessibilidade that extends AccessibilityService), and a method M of the superclass is called, it appears in the smali code with the signature of the custom class. If we define in Quark a rule with that method M, from what we have noticed, Quark is not able to detect that M is actually a method of the superclass.

    Our worry is the following: if the malware author writes a class which extends a general Android class (as happens in Brazking for AccessibilityService), Quark will never detect all the methods of the superclass, since in the smali code they appear with the signature of the child class.

    Thanks in advance, hope to hear from you soon.

    work-in-progress issue-processing-state-06 
    opened by ciastron 7
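The resolution step the issue above asks for can be shown in isolation: parse the invoke target out of a smali line, then walk the class hierarchy upward until a class that actually declares the method is found, and only then compare against the rule's API. The following is an added example for this page, not Quark's code; the superclass and declared-method tables are constructed for the Brazking case quoted in the issue, where a real implementation would populate them from the APK's class definitions and the Android framework.

```python
"""Resolve a smali invoke target to the class that declares the method.

Added example for this page, not Quark's code. The class hierarchy and the
declared-method tables are constructed for the Brazking case described above.
"""
import re
from typing import Dict, Optional, Set, Tuple

# invoke-kind {regs}, Lclass;->name(descriptor)return
INVOKE_RE = re.compile(r"invoke-[\w/]+ \{[^}]*\}, (L[^;]+;)->([^(]+)(\(.*)$")

# Constructed hierarchy: class -> direct superclass (None = top of what we know).
SUPERCLASS: Dict[str, Optional[str]] = {
    "Lcom/gservice/autobot/Acessibilidade;": "Landroid/accessibilityservice/AccessibilityService;",
    "Landroid/accessibilityservice/AccessibilityService;": "Landroid/app/Service;",
    "Landroid/app/Service;": None,
}

# Constructed table of method signatures (name + descriptor) declared per class.
DECLARED: Dict[str, Set[str]] = {
    "Lcom/gservice/autobot/Acessibilidade;": {
        "onAccessibilityEvent(Landroid/view/accessibility/AccessibilityEvent;)V",
    },
    "Landroid/accessibilityservice/AccessibilityService;": {
        "getRootInActiveWindow()Landroid/view/accessibility/AccessibilityNodeInfo;",
        "onAccessibilityEvent(Landroid/view/accessibility/AccessibilityEvent;)V",
    },
}


def parse_invoke(line: str) -> Tuple[str, str]:
    """Split an invoke-* line into (class as written, name + descriptor)."""
    m = INVOKE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an invoke instruction: {line!r}")
    cls, name, descriptor = m.groups()
    return cls, name + descriptor


def resolve_declaring_class(cls: str, signature: str) -> str:
    """Walk up the hierarchy until a class that declares the method is found."""
    current: Optional[str] = cls
    while current is not None:
        if signature in DECLARED.get(current, set()):
            return current
        current = SUPERCLASS.get(current)
    return cls  # nothing known declares it: keep the class as written


def invoke_matches_rule_api(line: str, rule_api: dict) -> bool:
    """Compare after resolution, so a subclass call still hits a framework-class rule."""
    cls, signature = parse_invoke(line)
    declaring = resolve_declaring_class(cls, signature)
    return (declaring == rule_api["class"]
            and signature == rule_api["method"] + rule_api["descriptor"])


# The smali line and the rule's first API as quoted in the issue above.
BRAZKING_INVOKE = ("invoke-virtual {v0}, Lcom/gservice/autobot/Acessibilidade;"
                   "->getRootInActiveWindow()Landroid/view/accessibility/AccessibilityNodeInfo;")
RULE_API = {
    "class": "Landroid/accessibilityservice/AccessibilityService;",
    "method": "getRootInActiveWindow",
    "descriptor": "()Landroid/view/accessibility/AccessibilityNodeInfo;",
}

if __name__ == "__main__":
    print(parse_invoke(BRAZKING_INVOKE))
    print(invoke_matches_rule_api(BRAZKING_INVOKE, RULE_API))
```

With this resolution the getRootInActiveWindow call is attributed to AccessibilityService, so the rule's first API matches. A method the subclass overrides (onAccessibilityEvent in the constructed table) still resolves to the subclass, which is the right answer: the body that runs is the subclass's own, and a rule written against the framework class should not claim it.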
  • [Quark#446] Add quark script case for CWE-295

    Detect CWE-295 in Android Application (InsecureShop.apk)

    This scenario seeks to find Improper Certificate Validation. See CWE-295 for more details.

    Let’s use this APK and the above APIs to show how the Quark script finds this vulnerability.

    We use the API findMethodInAPK to locate all SslErrorHandler.proceed methods. Then we need to identify whether the method WebViewClient.onReceivedSslError is overridden by its subclass.

    First, we check and make sure that the MethodInstance.name is onReceivedSslError, and the MethodInstance.descriptor is (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V.

    Then we use the method API MethodInstance.findSuperclassHierarchy to get the superclass list of the method's caller class.

    Finally, we check whether Landroid/webkit/WebViewClient; is on the superclass list. If YES, that may cause a CWE-295 vulnerability.

    API Spec

    MethodInstance.findSuperclassHierarchy()

    • Description: Find all superclass hierarchy of this method object.
    • params: None
    • return: Python list contains all superclass names of this method.

    Quark Script CWE-295.py

    from quark.script import findMethodInAPK
    
    SAMPLE_PATH = "insecureShop.apk"
    TARGET_METHOD = [
        "Landroid/webkit/SslErrorHandler;",  # class name
        "proceed",                          # method name
        "()V"                               # descriptor
    ]
    OVERRIDE_METHOD = [
        "Landroid/webkit/WebViewClient;",  # class name
        "onReceivedSslError",              # method name
        # descriptor
        "(Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V"
    ]
    
    for sslProceedCaller in findMethodInAPK(SAMPLE_PATH, TARGET_METHOD):
        if (sslProceedCaller.name == OVERRIDE_METHOD[1] and
           sslProceedCaller.descriptor == OVERRIDE_METHOD[2] and
           OVERRIDE_METHOD[0] in sslProceedCaller.findSuperclassHierarchy()):
            print(f"CWE-295 is detected in method, {sslProceedCaller.fullName}")
    
    

    Quark Script Result

    $ python3 CWE-295.py
    Requested API level 29 is larger than maximum we have, returning API level 28 instead.
    CWE-295 is detected in method, Lcom/insecureshop/util/CustomWebViewClient; onReceivedSslError (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V
    
    pr-processing-state-04 
    opened by PoJenC 1
  • Add quark script case for CWE-295

    Detect CWE-295 in Android Application (InsecureShop.apk)

    This scenario seeks to find Improper Certificate Validation. See CWE-295 for more details.

    Let’s use this APK and the above APIs to show how the Quark script finds this vulnerability.

    We use the API findMethodInAPK to locate all SslErrorHandler.proceed methods. Then we need to identify whether the method WebViewClient.onReceivedSslError is overridden by its subclass.

    First, we check and make sure that the MethodInstance.name is onReceivedSslError, and the MethodInstance.descriptor is (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V.

    Then we use the method API MethodInstance.findSuperclassHierarchy to get the superclass list of the method's caller class.

    Finally, we check whether Landroid/webkit/WebViewClient; is on the superclass list. If YES, that may cause a CWE-295 vulnerability.

    API Spec

    MethodInstance.findSuperclassHierarchy()

    • Description: Find all superclass hierarchy of this method object.
    • params: None
    • return: Python list contains all superclass names of this method.

    Quark Script CWE-295.py

    from quark.script import findMethodInAPK
    
    SAMPLE_PATH = "insecureShop.apk"
    TARGET_METHOD = [
        "Landroid/webkit/SslErrorHandler;",  # class name
        "proceed",                          # method name
        "()V"                               # descriptor
    ]
    OVERRIDE_METHOD = [
        "Landroid/webkit/WebViewClient;",  # class name
        "onReceivedSslError",              # method name
        # descriptor
        "(Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V"
    ]
    
    for sslProceedCaller in findMethodInAPK(SAMPLE_PATH, TARGET_METHOD):
        if (sslProceedCaller.name == OVERRIDE_METHOD[1] and
           sslProceedCaller.descriptor == OVERRIDE_METHOD[2] and
           OVERRIDE_METHOD[0] in sslProceedCaller.findSuperclassHierarchy()):
            print(f"CWE-295 is detected in method, {sslProceedCaller.fullName}")
    
    

    Quark Script Result

    $ python3 CWE-295.py
    Requested API level 29 is larger than maximum we have, returning API level 28 instead.
    CWE-295 is detected in method, Lcom/insecureshop/util/CustomWebViewClient; onReceivedSslError (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V
    
    issue-processing-state-03 
    opened by PoJenC 0
  • [#444] Adjust CWE Show Case format in README.md.

    CWE Showcases

    • CWE-020 Improper Input Validation
    • CWE-089 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    • CWE-094 Improper Control of Generation of Code ('Code Injection')
    • CWE-312 Cleartext Storage of Sensitive Information
    • CWE-319 Cleartext Transmission of Sensitive Information
    • CWE-327 Use of a Broken or Risky Cryptographic Algorithm
    • CWE-532 Insertion of Sensitive Information into Log File
    • CWE-749 Exposed Dangerous Method or Function
    • CWE-780 Use of RSA Algorithm without OAEP
    • CWE-798 Use of Hard-coded Credentials
    • CWE-921 Storage of Sensitive Data in a Mechanism without Access Control
    • CWE-926 Improper Export of Android Application Components
    work-in-progress pr-processing-state-06 
    opened by PoJenC 6
  • Add docs for CWE team

    Quark CWE team

    The Quark CWE team is responsible for developing Quark Scripts to detect Common Weakness Enumeration (CWE) vulnerabilities in APKs. We also maintain the Quark Script document, API, and repository.

    Goals for 2023

    Our goals for 2023 consist of three stages. First, we will focus on increasing the number of CWE Quark Scripts to 30 and optimizing the Quark Script API by developing CWE Quark Scripts.

    Next, with a sufficient number of Quark Scripts, we will develop a system to automatically detect vulnerabilities in online APKs.

    Finally, based on the sufficient and quality Quark Script API, we will focus on developing a web system that allows users to easily combine Quark Script APIs and create their own scripts without any coding knowledge.

    Responsibilities

    We aim to make the Quark Script development process as straightforward as possible, while ensuring that the scripts are accurate and reliable. We strive to create clear and concise documentation, as well as well-designed APIs that are easy to use. Our responsibilities include:

    • Developing Quark Scripts through a five-step process:
      1. Choosing a CWE number and clearly explaining the vulnerability definition.
      2. Finding an APK sample and explaining the vulnerable code.
      3. Designing the detection process step by step.
      4. Defining a new Quark Script API (including description, input, and output) if necessary.
      5. Developing the Quark Script in a clear and easy-to-use manner.
    • Managing the Quark Script repository by:
      • Updating the repository with new Quark Scripts.
      • Updating the documentation for Quark Scripts.
    • Maintaining the Quark Script API by:
      • Developing test units for each Quark Script API.
      • Reviewing and modifying the description, input, and output for each API.

    We aim to ensure that all of our work is easy to read and follows proper grammar and usage.

    documentation pr-processing-state-05 
    opened by pulorsok 2
Releases(v22.12.1)
  • v22.12.1(Dec 28, 2022)

    New Features

    • Add new Quark Script APIs to detect CWE-20 and CWE-79. (https://github.com/quark-engine/quark-engine/pull/434 and https://github.com/quark-engine/quark-engine/pull/436)
  • v22.11.1(Nov 30, 2022)

    New Features

    • Add new Quark Script APIs to detect CWE-319 and CWE-327. (#413 and #428)

    Here's the relevant document.

    UI Enhancements

    • Fix typos in Quark Web Report. (#414 and #419)
    • Make grid lines in Quark Web Report more visible. (#419)

    Document enhancements

    • Spotlight Quark Script in README. (#424)
    • Add Quark Script Quick Start instruction. (#422)
  • v22.10.1(Oct 26, 2022)

    New Features

    • Add new Quark Script APIs to detect CWE-532 and CWE-780. (#396 and #399)

    Here's the relevant document.

    Bug Fix

    • Fix CLI giving outdated path to the default ruleset. (#389)

    New Program

    • Introduce Quark MIT Program.
  • v22.9.1(Sep 29, 2022)

    New Features

    • Add new Quark Script APIs to detect CWE-89, CWE-926, CWE-312, and CWE-749. (#377, #381, #379, and #374)

    Here's the relevant document.

    New Core Members

    • Introduce new core members, AnWei Kung, Zin Wong, and Zee. (#387)

    Package Dependency Update

    • Add frida and ciphey as the dependencies. (#374)
  • v22.7.1(Jul 27, 2022)

    New Features

    • Present a new powerful project, Quark Script! (#371)
    • Add new Quark Script APIs for CWE-94, CWE-798, and CWE-921 detection. (#372, #373, and 998947d)

    Please check here for the full document.

    Document enhancement

    • Enhance README to make it user-friendly. (#366)

    Dependency updates

    • Specify CI to use Meson 0.62.0. (#368)
    • Bump lxml from 4.8.0 to 4.9.1. (#370)
  • v22.6.1(Jun 29, 2022)

  • v22.5.1(May 25, 2022)

    New Features

    • Introduce a new visualization of analysis results, the Quark web report. (#345)
    • Add support for loading rules recursively. (#346)

    Bug Fixes

    • Update CI tests for the audio recording ruleset. (#341)
    • Update CI tests for the contact info accessing ruleset. (#343)

    Other

    • Rearrange the file structure of the default ruleset. (quark-rules#26)
    • Remove outdated content in README. (#348)
    • Update the author information in the PyPI package. (#351)
  • v22.4.1(Apr 27, 2022)

    New feature

    • Introduce the rule generation feature, Radiocontrast. (#325)

    Bug fix

    • Update smoke test for the release of the SMS message stealing ruleset. (#327)
  • v22.3.1(Mar 28, 2022)

    New features

    • Add a limit to the number of processes available for parallel analysis. Thanks to @PaulNicolasHunter for this work. (#311 and #315)
    • Update analysis library for Rizin v0.3.0 and above. (#314)

    Dependency update

    • Update pillow from 9.0.0 to 9.0.1. (#311)
  • v22.2.1(Feb 15, 2022)

    Bug fix

    • Fix an AttributeError that occurred when using Rizin as the core library. (#301)

    Dependencies update

    • Specify the minimal supported version of prettytable to 1.0.0. (#304)
    • Update pillow from 8.4.0 to 9.0.0. (#300)
    • Update ipython from 8.0.0 to 8.0.1. (#303)
  • v22.1.1(Jan 4, 2022)

  • v21.11.2(Nov 25, 2021)

    Bugs fixed

    • Fix missing comma in Debian/control. Thanks to @Hagb for this patch. (#278)
    • Fix import errors with Graphviz 0.18. Thanks to @nplesak for this patch. (#288)

    Dependency update

    • Specify the highest compatible versions of the dependency packages. (#290)
  • v21.11.1(Nov 2, 2021)

    New Feat

    • behaviors_comparison_radar_chart can save as images now. Thanks to @matteodalgrande for contributing the feature. (#273)

    Bugs fixed

    • Remove tqdm on loading rule files. (#270)
    • Add try-catch block to prevent potential crash problems. (#276)
    • Fix JSON report format that caused Jadx and APKLab to fail to load. (#277, #281)

    Dependency update

    • Required Python version changed from 3.7 to 3.8. (#267)
  • v21.10.2(Oct 6, 2021)

    New Feat

    1. Quark-Engine can detect APIs in the extended classes now. (#247)
    2. Rules can be written into an array to reduce the number of files and IO. (#248)
    3. Graph data can be dumped in JSON format. (#250)
    4. Improve the detail report and JSON report when rules reached 60%. (#254)
    5. Add FAQ page and Organization page into the document. (#241, #253, #255)

    Bugs fixed

    1. Add hints when using freshquark and specifying rules. (#244)
    2. Reduce file IO on loading rules. (#248)
    3. Spaces between arguments in rules are no longer needed. (#249)

    Dependency update

    1. Update pillow from 8.3.1 to 8.3.2. (#246)
  • v21.10.1(Oct 6, 2021)

    New Feat

    1. Quark-Engine can detect APIs in the extended classes now. (#247)
    2. Rules can be written into an array to reduce the number of files and IO. (#248)
    3. Graph data can be dumped in JSON format. (#250)
    4. Improve the detail report and JSON report when rules reached 60%. (#254)
    5. Add FAQ page and Organization page into the document. (#241, #253, #255)

    Bugs fixed

    1. Add hints when using freshquark and specifying rules. (#244)
    2. Reduce file IO on loading rules. (#248)
    3. Spaces between arguments in rules are no longer needed. (#249)

    Dependency update

    1. Update pillow from 8.3.1 to 8.3.2. (#246)
  • v21.8.1(Aug 24, 2021)

    1. Change Travis CI to GitHub Actions
    2. Support parallel analysis
    3. Optimize the performance
    4. Fix graph recursion issue
    5. Fully support Rizin analysis
    6. Disable logging in Quark API usage
    7. Fix threshold filtering in the detailed report
  • v21.7.2(Jul 20, 2021)

  • v21.7.1(Jul 15, 2021)

    1. Support a new Android reverse engineering framework, Rizin, to analyze the APK. (#205)
    2. Make the click package optional to install. (#214) @0ssigeno
    3. Improve the taint analysis in the bytecode loader, by @haeter525
    4. Add an Optional Parameter Filter For JSON Rules (#212)
    5. Adjust some directory names. Objects->core, Evaluator->evaluator.
    6. Add VirusTotal analysis module by @pulorsok. (#195)
    7. More tests for Quark by @haeter525. (#189)
    8. Add a new feature to show Parent Functions' Cross-References In Rule Classification by @haeter525. (#192)
  • v21.6.3(Jun 24, 2021)

  • v21.6.2(Jun 9, 2021)

    1. Refactor the code in graph.py and cli interface.

    2. Replace the prompt package simple-term-menu with the prompt-toolkit package to support Windows/Mac/Linux and Kali Linux.

    3. Adjust the description in the click option to make the word more precise.

    4. Add a new option to show the version of Quark.

  • v21.6.1(Jun 7, 2021)

    New features:

    1. Behaviors comparison radar chart for different APKs. (#171)
    2. Support summary report and detail report for single rule/label. (#176)

    Update:

    1. Remove duplicate code.
    2. Lock package versions instead of installing the latest release, e.g. for the click package, for better stability.
    3. Update new command-line usage on documentation.
  • v21.5.1(May 28, 2021)

    1. Add a new label-based report to Quark-Engine (PR from #165)
    2. Support the summary report and detailed report for a single rule/label analysis (PR from #167)
    3. Update the documentation for more usage of Quark
    4. Add a new Python package dependency, python3-pandas, in Debian/control.

    Special thanks to @cryptax, @Dil3mm3, @ciastron, and @3aglew0 for their excellent work!

  • v21.4.3(Apr 7, 2021)

  • v21.4.2(Apr 7, 2021)

  • v21.4.1(Apr 7, 2021)

    1. Move the log file to the current directory.
    2. Make freshquark download the latest rules via git clone and update them via git pull.
    3. Modify the settings of the Debian package.
  • v21.3.4(Mar 30, 2021)

    1. Add command-line options to display methods, including native Android APIs, custom methods, and all methods.
    2. Delete the automatic check for rule updates in the CLI.
    3. Do not delete the existing quark-rules git directory.
    4. Promote Honeynet and GSoC.
    5. Quark will be added to Kali Linux in the near future.
    6. Change the log file location to the current directory.
  • v21.3.3(Mar 13, 2021)

  • v21.3.2(Mar 9, 2021)

    1. Redesigned Quark's rules to make them easier to write.
    {
        "crime": "Get absolute path of file and put it to JSON object",
        "permission": [],
        "api": [
            {
                "class": "Ljava/io/File;",
                "method": "getAbsolutePath",
                "descriptor": "()Ljava/lang/String;"
            },
            {
                "class": "Lorg/json/JSONObject;",
                "method": "put",
                "descriptor": "(Ljava/lang/String; Ljava/lang/Object;)Lorg/json/JSONObject;"
            }
        ],
        "score": 1,
        "label": [
            "file"
        ]
    }
    
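    As an added example (not quark-engine's own code), a minimal loader for the redesigned rule format shown above: it validates the five fields, accepts either a single rule object or an array of rules (the v21.10 notes), and strips the optional spaces between argument types in a descriptor (v21.10.1 note). The requirement of exactly two "api" entries mirrors the example and is an assumption here.

```python
# Added example, not quark-engine's own code: a small loader for the rule
# format shown above. Assumptions: a rule carries the five fields in the
# note, exactly two "api" entries as in the example, and a rule file holds
# either one rule object or an array of rules (see the v21.10 notes).
import json

REQUIRED_KEYS = {"crime", "permission", "api", "score", "label"}
API_KEYS = {"class", "method", "descriptor"}

# Constructed sample: the rule from the release note, wrapped in an array.
SAMPLE_RULE_FILE = """[{
  "crime": "Get absolute path of file and put it to JSON object",
  "permission": [],
  "api": [
    {"class": "Ljava/io/File;", "method": "getAbsolutePath",
     "descriptor": "()Ljava/lang/String;"},
    {"class": "Lorg/json/JSONObject;", "method": "put",
     "descriptor": "(Ljava/lang/String; Ljava/lang/Object;)Lorg/json/JSONObject;"}
  ],
  "score": 1,
  "label": ["file"]
}]"""

def normalize_descriptor(descriptor):
    """Drop the optional spaces between argument types (v21.10.1 note)."""
    return descriptor.replace(" ", "")

def validate_rule(rule):
    """Return the problems found; an empty list means the rule is well-formed."""
    problems = []
    if REQUIRED_KEYS - set(rule):
        problems.append(f"missing keys: {sorted(REQUIRED_KEYS - set(rule))}")
    apis = rule.get("api", [])
    if len(apis) != 2:
        problems.append(f"expected 2 api entries, got {len(apis)}")
    for i, api in enumerate(apis):
        if API_KEYS - set(api):
            problems.append(f"api[{i}] missing {sorted(API_KEYS - set(api))}")
        elif not (api["class"].startswith("L") and api["class"].endswith(";")):
            problems.append(f"api[{i}] class is not a JVM class descriptor")
    return problems

def load_rules(text):
    """Parse one rule object or an array of rules; normalize descriptors; reject bad rules."""
    data = json.loads(text)
    rules = data if isinstance(data, list) else [data]
    for rule in rules:
        problems = validate_rule(rule)
        if problems:
            raise ValueError(f"{rule.get('crime', '?')}: {'; '.join(problems)}")
        for api in rule["api"]:
            api["descriptor"] = normalize_descriptor(api["descriptor"])
    return rules
```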
  • 21.3.1(Mar 8, 2021)

  • v21.02.2(Feb 26, 2021)

    1. Better wording in the command line.
    2. Add a feature to output Android APIs in the command line with option -i.
    3. Fix some regular expressions in the forensic module.
    4. Fix the score sum issue.
    5. Remove duplicated crime descriptions in rule classification.
    6. More test cases for the previous modules

    We got accepted by Black Hat Asia 2021!!!
