<a href="https://www.blackhat.com/asia-24/arsenal/schedule/index.html#quark-script---dig-vulnerabilities-in-the-blackbox-37549">
<img alt="Black Hat Arsenal" src="https://img.shields.io/badge/Black%20Hat%20Arsenal-Asia%202024-blue">
</a>
<a href="https://www.blackhat.com/asia-21/arsenal/schedule/index.html#quark-engine-storyteller-of-android-malware-22458">
<img alt="Black Hat Arsenal" src="https://img.shields.io/badge/Black%20Hat%20Arsenal-Asia%202021-blue">
</a>
<a href="https://conference.hitb.org/hitb-lockdown002/sessions/quark-engine-an-obfuscation-neglect-android-malware-scoring-system/">
<img alt="HITB" src="https://img.shields.io/badge/HITB-Lockdown%20002-red">
</a>
<a href="https://www.youtube.com/watch?v=XK-yqHPnsvc&ab_channel=DEFCONConference">
<img alt="defcon" src="https://img.shields.io/badge/DEFCON%2028-BTV-blue">
</a>
<a href="https://github.com/quark-engine/quark-engine/actions/workflows/pytest.yml">
<img alt="build status" src="https://github.com/quark-engine/quark-engine/actions/workflows/pytest.yml/badge.svg">
</a>
<a href="https://codecov.io/gh/quark-engine/quark-engine">
<img alt="codecov" src="https://codecov.io/gh/ev-flow/quark-engine/graph/badge.svg">
</a>
<a href="https://github.com/18z/quark-rules/blob/master/LICENSE">
<img alt="license" src="https://img.shields.io/badge/License-GPLv3-blue.svg">
</a>
<a href="https://www.python.org/downloads/release/python-31015/">
<img alt="python version" src="https://img.shields.io/badge/python-3.10-blue.svg">
</a>
<a href="https://pypi.org/project/quark-engine/">
<img alt="PyPi Download" src="https://pepy.tech/badge/quark-engine">
</a>
<a href="https://twitter.com/quarkengine">
<img alt="Twitter" src="https://img.shields.io/twitter/follow/quarkengine?style=social">
</a>
<img src="https://i.imgur.com/8GwkWei.png"/>
| Family | Summary | Signature Behaviors | Report |
|---|---|---|---|
| DroidKungFu | Privilege escalation with C2 control. | 1. Gain unlimited access to a device. |
Install/Uninstall additional apps.
Forward confidential data. | View | | GoldDream | SMS/call log exfiltration with remote C2 commands. | 1. Monitor SMS messages and phone calls.
Upload SMS messages and phone calls to remote servers. | View | | SpyNote | Credential theft and device surveillance via RAT. | 1. Take screenshots.
Simulate user gestures.
Log user input.
Communicate with C2 servers. | View | | DawDropper | Dropper that installs banking trojans for financial theft. | 1. Download APKs from remote servers.
Install additional APKs. | View | | SLocker | Android ransomware locking/encrypting devices. | 1. Lock the device with an overlay screen. | View | | PhantomCard | NFC relay–based financial fraud. | 1. Communicate with C2 servers.
Read the payment data of NFC cards.
Captures PINs of NFC cards through deceptive screens. | View | | ToxicPanda | Banking trojan enabling on-device fraud. | 1. Abuse Accessibility.
Remote device control.
Intercept OTP. | View | | Hydra | Banking trojan using overlay attacks. | 1. Overlay credential theft.
Accessibility abuse.
Steal OTP/cookies. | View | | SharkBot | Banking trojan targeting financial credentials and transactions. | 1. Abuse Accessibility services.
Perform overlay attacks to steal credentials.
Intercept SMS messages (OTP). | View | | Antidot | Banking trojan disguised as legitimate updates for financial data theft. | 1. Intercept SMS messages (OTP).
Log user input (keylogging).
Enable remote control via C2. | View | | Arsink | Banking trojan focusing on credential and financial data exfiltration. | 1. Steal sensitive data from device.
Intercept SMS messages (OTP). | View | | TrickMo | Banking trojan using overlay attacks and accessibility abuse for credential theft. | 1. Overlay attacks to steal banking credentials.
Intercept SMS for 2FA bypass.
Screen recording and accessibility abuse.
Dynamic payload loading via reflection. | View | | Anubis | Banking trojan with RAT capabilities. | 1. Overlay credential theft.
Keylogging.
Intercept SMS (OTP).
Remote control via C2. | View | | GodFather | Banking trojan targeting financial credentials through overlay and accessibility abuse. | 1. Perform overlay attacks to steal credentials.
Abuse Accessibility services.
Intercept SMS messages (OTP).
Steal banking credentials and sensitive data. | View | | TangleBot | SMS-based Android malware stealing personal and financial data. | 1. Spread through SMS phishing links.
Control device interactions and overlay screens.
Access SMS, contacts, call logs, camera, and microphone.
Steal account and financial information. | View | | BRATA | Banking trojan with remote control and anti-analysis capabilities. | 1. Perform overlay attacks to steal banking credentials.
Abuse Accessibility services for device control.
Intercept SMS messages (OTP).
Execute factory reset or device wipe commands. | View | | Cerberus | Banking trojan targeting financial credentials through overlay and device control. | 1. Perform overlay attacks to steal credentials.
Abuse Accessibility services.
Log user input (keylogging).
Enable remote control via C2. | View | | SuperCardX | NFC relay malware enabling contactless payment fraud. | 1. Read NFC payment card data.
Relay NFC transactions to attacker-controlled devices.
Communicate with C2 servers.
Facilitate unauthorized contactless payments. | View | | NGate | NFC-based malware enabling relay attacks and payment fraud. | 1. Read NFC payment card data.
Relay NFC communications to attacker-controlled devices.
Communicate with C2 servers.
Facilitate unauthorized contactless payments. | View |
Install the latest version of Quark Engine:
$ pip3 install -U quark-engine
Fetch the latest rule database:
$ freshquark
Analyze an APK with the downloaded rules and generate a summary report:
$ quark -a <apk_file> -s
Example output:
Quark-Engine has been participating in the GSoC under the Honeynet Project!
Stay tuned for the upcoming GSoC! Join the Honeynet Slack chat for more info.
$ claude mcp add quark-engine \
-- python -m otcore.mcp_server <graph>