Skip to main content

An Obfuscation-Neglect Android Malware Scoring System

Project description

Black Hat Arsenal HITB rootcon defcon
build status codecov license python version PyPi Download
Twitter

Quark Script - Dig Vulnerabilities in the BlackBox

Innovative & Interactive

  • The goal of Quark Script aims to provide an innovative way for mobile security researchers to analyze or pentest the targets.
  • Based on Quark, we integrate decent tools as Quark Script APIs and make them exchange valuable intelligence to each other. This enables security researchers to interact with staged results and perform creative analysis with Quark Script.

Dynamic & Static Analysis

  • In Quark script, we integrate not only static analysis tools (e.g. Quark itself) but also dynamic analysis tools (e.g. objection).

Re-Usable & Sharable

  • Once the user creates a Quark script for specific analysis scenario. The script can be used in another targets. Also, the script can be shared to other security researchers. This enables the exchange of knowledges.

More APIs to come

  • Quark Script is now in a beta version. We'll keep releasing practical APIs and analysis scenarios.
  • See API document here.

CWE Showcases

  • CWE-020 Improper Input Validation
  • CWE-022 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-023 Relative Path Traversal
  • CWE-089 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-094 Improper Control of Generation of Code ('Code Injection')
  • CWE-295 Improper Certificate Validation
  • CWE-312 Cleartext Storage of Sensitive Information
  • CWE-319 Cleartext Transmission of Sensitive Information
  • CWE-327 Use of a Broken or Risky Cryptographic Algorithm
  • CWE-328 Use of Weak Hash
  • CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • CWE-489 Active Debug Code
  • CWE-532 Insertion of Sensitive Information into Log File
  • CWE-749 Exposed Dangerous Method or Function
  • CWE-780 Use of RSA Algorithm without OAEP
  • CWE-798 Use of Hard-coded Credentials
  • CWE-921 Storage of Sensitive Data in a Mechanism without Access Control
  • CWE-926 Improper Export of Android Application Components

Quick Start

In this section, we will show how to detect CWE-798 with Quark Script.

Step 1: Environments Requirements

  • Quark requires Python 3.8 or above.

Step 2: Install Quark Engine

  • Install Quark Engine by running:
$ pip3 install -U quark-engine

Step 3: Prepare Quark Script, Detection Rule and the Sample File

  1. Get the CWE-798 Quark Script and the detection rule here.
  2. Get the sampe file (ovaa.apk) here.
  3. Put the script, detection rule, and sample file in the same directory.
  4. Edit accordingly to the file names:
SAMPLE_PATH = "ovaa.apk"
RULE_PATH = "findSecretKeySpec.json"
# Now you are ready to run the script!

Step 4: Run the script

$ python3 CWE-798.py

# You should now see the detection result in the terminal.
Found hard-coded AES key 49u5gh249gh24985ghf429gh4ch8f23f

Acknowledgments

The Honeynet Project

Honeynet.org logo

Google Summer Of Code

Quark-Engine has been participating in the GSoC under the Honeynet Project!

Stay tuned for the upcoming GSoC! Join the Honeynet Slack chat for more info.

Core Values of Quark Engine Team

  • We love battle fields. We embrace uncertainties. We challenge impossibles. We rethink everything. We change the way people think. And the most important of all, we benefit ourselves by benefit others first.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

quark-engine-23.3.1.tar.gz (81.9 kB view hashes)

Uploaded Source

Built Distribution

quark_engine-23.3.1-py3-none-any.whl (96.4 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page