diff --git a/docs/source/malware_report.rst b/docs/source/malware_report.rst
index 9885b394d..a7723916f 100644
--- a/docs/source/malware_report.rst
+++ b/docs/source/malware_report.rst
@@ -1616,3 +1616,157 @@ The table below lists the APKs we tested.
 +-------+------------------------------------------------------------------+
 | 30 | FE4B2B288565CC1A85B7DD23398CC8AB850B0B0C73D46EC9E7C308AF86A96D60 |
 +-------+------------------------------------------------------------------+
+
+
+New Quark Rules For Arsink
+==========================
+
+New Quark rule (#00271) is now available. This rule targets `Arsink `__. The Arsink malware family is a type of Android malware that primarily targets users by leveraging various malicious behaviors, including sending SMS messages without user consent and accessing sensitive device information. It is often disguised as a legitimate application to evade detection and gain unauthorized access to user data. Check `here `__ for the rule details.
+
+With these rules, Quark is now able to identify the Arsink malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here ` for the APKs we tested.
+
+Below is a summary report of an Arsink sample (``06F7DFDFBFF03719082750FB11CA1F1FE720DAA57F11C7D30D3B3277BFECEB13``). The report shows that Quark identified the sample as **high-risk**, with a list of behaviors as evidence.
+
+.. image:: https://i.postimg.cc/8zm82TtM/jie-tu-2026-04-16-wan-shang8-56-42.png
+
+Identified Well-Known Threats
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats from Arsink, as shown below.
+
+**1. Accessing Device Information**
+
+.. image:: https://i.ibb.co/8nXprq12/accessing-device-information.png
+ :alt: Accessing Device Information
+
+The diagram indicates that the ``LSay/hello/To/Arthur/FileUtil;convertUriToFilePath`` function queries device data using a ContentResolver and URI, and calls ``LSay/hello/To/Arthur/FileUtil;getDataColumn`` to access sensitive information from content providers.
+
+Behaviors detected by Quark:
+
+* Query data from URI (SMS, CALLLOGS) (#00011)
+* Read sensitive data(SMS, CALLLOG, etc) (#00077)
+* Query device data with ContentResolver (#00212)
+* Query device data with ContentResolver and a URI parsed from a string (#00222)
+* Accessing sensitive data from content provider (#00271)
+
+**2. Intercepting Sms Messages**
+
+.. image:: https://i.ibb.co/HDv1R0GQ/intercepting-sms-messages.png
+ :alt: Intercepting Sms Messages
+
+The behavior map reveals that the ``LSay/hello/To/Arthur/FileUtil;convertUriToFilePath`` function queries SMS and call log data from URIs, and invokes ``LSay/hello/To/Arthur/FileUtil;getDataColumn`` to read this sensitive data, enabling SMS interception.
+
+Behaviors detected by Quark:
+
+* Query data from URI (SMS, CALLLOGS) (#00011)
+* Read sensitive data(SMS, CALLLOG, etc) (#00077)
+
+**3. Manipulating System Settings**
+
+.. image:: https://i.ibb.co/QFYR9Cqy/manipulating-system-settings.png
+ :alt: Manipulating System Settings
+
+The diagram shows that the ``LSay/hello/To/Arthur/SketchLogger$1;run`` function executes specified Linux commands, which can be used to manipulate system settings.
+
+Behaviors detected by Quark:
+
+* Executes the specified string Linux command (#00068)
+
+.. _list-of-tested-apks-arsink:
+
+List of Tested APKs
+~~~~~~~~~~~~~~~~~~~
+
+The table below lists the APKs we tested.
+
++-------+------------------------------------------------------------------+
+| index | sha256 |
++=======+==================================================================+
+| 1 | 06F7DFDFBFF03719082750FB11CA1F1FE720DAA57F11C7D30D3B3277BFECEB13 |
++-------+------------------------------------------------------------------+
+| 2 | 0BCDF887E6BD21EA4073385A8B2E59025768BE3131A92E9940886E05C748E1CC |
++-------+------------------------------------------------------------------+
+| 3 | 16CB7952AB3CE88EC30B57E1C5F16A8871457E9985D43675AAE47D8DDB5044C8 |
++-------+------------------------------------------------------------------+
+| 4 | 1FC3BA39F0CE8109BCB4F42441250DF5E9C601744B738A2E7C40D612CD29FEC3 |
++-------+------------------------------------------------------------------+
+| 5 | 2063030918DF932A61673559F99E51CC47F3436337F94AFB2E8ACAAFA84289FF |
++-------+------------------------------------------------------------------+
+| 6 | 2C0BCE17BC9BBFBEA95E5B75E6294FD1D5205B915B24729D1F2377E2A6F2B578 |
++-------+------------------------------------------------------------------+
+| 7 | 35F06F91902FAF5A4BC27C8B73F74B74AEA6A6BE2215AE1E990EE504CEB29E4F |
++-------+------------------------------------------------------------------+
+| 8 | 3AE188387DD8B01CD5595B9AD937DAE48D90C4D17FA8BA7F85D3A1F34D1EF3C8 |
++-------+------------------------------------------------------------------+
+| 9 | 3E6EDEBC2DA9A4A80507EEB7ABF529C9C3A70201927F1AE864F9F257CA64BC2E |
++-------+------------------------------------------------------------------+
+| 10 | 4070678717CF011417C9E4307C9ECB4D481563DB4758FFAADA5FA6870E06A4AC |
++-------+------------------------------------------------------------------+
+| 11 | 48F19EEF9D420137DEE9974E3CC6AF3DED9532BD631ACE36F7D15EEBEC6A2DCE |
++-------+------------------------------------------------------------------+
+| 12 | 4CF809B14083143E921BD8FDB7E7725E20E303653D9A3E6C848D9596A33F6C8E |
++-------+------------------------------------------------------------------+
+| 13 | 501E35F1600CE0548226C9957EED76F5F04CB2E1DBFD4F3FB8652009B38E8C9F |
++-------+------------------------------------------------------------------+
+| 14 | 5948A349B534156F5734B3A99E761EC6D84E527AB729B1F28242049B3AFAB2E6 |
++-------+------------------------------------------------------------------+
+| 15 | 595355DAAA6AAD284090210CD55C4A2E276C5263C83D2B202E1486D347AF3701 |
++-------+------------------------------------------------------------------+
+| 16 | 5E48BBE1C62DA18D4C0F2CCA0F8855219C5A05F81C5FB64C1B4A0A6871FA8736 |
++-------+------------------------------------------------------------------+
+| 17 | 603D89C5A2883AB2ED68E12517212BD0B74760F1EF755A61D059440AEBA045FD |
++-------+------------------------------------------------------------------+
+| 18 | 68F800FBED83116AC9EFB2524326FA5D710A911B506762D580A34C19932A21E8 |
++-------+------------------------------------------------------------------+
+| 19 | 6D06806CCEE64D3BAA5B9DA63019C3AC7A23DFE210747FBDBC048A84196325C5 |
++-------+------------------------------------------------------------------+
+| 20 | 744346BD46F139837BF2825206FA95D48DDF6DC078E341492B34B35743A0B297 |
++-------+------------------------------------------------------------------+
+| 21 | 76B8569EFF05CE94BA580E10FB1161AF6537D931F8C9D07EDBA20E93A4A34BB6 |
++-------+------------------------------------------------------------------+
+| 22 | 7DDD3C4808372C91C916C4B77A07A09F61753BC26A592FF7DA3BD71D12802A0C |
++-------+------------------------------------------------------------------+
+| 23 | 8159C79C8A9B54AD363516F9B53C7CADA3EA4AFA0B2D0F6E7DC66FE147D03A93 |
++-------+------------------------------------------------------------------+
+| 24 | 8314ECE95207FF28466D4FC8BF6CEF22CC6E28FEF47E9BEDE381B502F038B552 |
++-------+------------------------------------------------------------------+
+| 25 | 89D492B7539B5552445764907A96B517D08D448F8FF0E3E7A93958DF82D3DF58 |
++-------+------------------------------------------------------------------+
+| 26 | 8E9C6AA5EA90DDD2C3199128E41DE82C4D406B3D2D32BA34CF9D6B1F9C5A8F26 |
++-------+------------------------------------------------------------------+
+| 27 | 917CDE4F5DFDE864C07A412E586E218F65826B71810083BFFB086C3518DEC645 |
++-------+------------------------------------------------------------------+
+| 28 | 9A778FBB730EE653F45B36700A369C81792509F855C2529ACA73DE1443C62DE8 |
++-------+------------------------------------------------------------------+
+| 29 | 9FB8A940492EE6095A24B4A34ECFA252A515FB681F16636A8F00B1E0E7D47FE2 |
++-------+------------------------------------------------------------------+
+| 30 | A3F487BBE5AC9A9EB3556E9612C7A16177EA2767783E9401A6643765B1EE39B3 |
++-------+------------------------------------------------------------------+
+| 31 | BA71C7E507E1B0D8202447F9F86F585286B4AB01B58C7E32BB4F495381EF5004 |
++-------+------------------------------------------------------------------+
+| 32 | BBB41EC382738C0EE5B94D023F023209928CA98893F146A8CFDAA608AFE7B4E6 |
++-------+------------------------------------------------------------------+
+| 33 | C002E68F52DE1B2B62013A82828245D8A956A075B87E220C3F6E1B2BFB220D19 |
++-------+------------------------------------------------------------------+
+| 34 | C1183C6868BF4E006BA412A538A3A07DADBAEDED2BE6F148765DECF69DC284EC |
++-------+------------------------------------------------------------------+
+| 35 | C4F51CCDE0525887B61FB919EEFC5830B24EC35FDCB2AF2AA3893E5F56957C40 |
++-------+------------------------------------------------------------------+
+| 36 | CB93D5C96AE3E0B358AC2A0C57008A5655A049AC3BC5543F814AF5157E2F27DE |
++-------+------------------------------------------------------------------+
+| 37 | D41329E084AD90A62C37E906F18E1089002F4D5E7C5CE123F7753DA90E410372 |
++-------+------------------------------------------------------------------+
+| 38 | D41A27EE5D4B12F6C94E73CC453C69B20FF92CE29823B0FF5BCC50C0D61F826E |
++-------+------------------------------------------------------------------+
+| 39 | D5B6C048A278C06E2625C47A3A57F5CE2E4D6D73D830051A84DE1768E0445882 |
++-------+------------------------------------------------------------------+
+| 40 | D7362FF697A5CAE24B4B084D0436CCDE7060524A24C34F37F185F64597930514 |
++-------+------------------------------------------------------------------+
+| 41 | DB5B22F8D3400BAFA449B6DB01F44896DD8040733B03D11DBC187146E58DFBCD |
++-------+------------------------------------------------------------------+
+| 42 | EB76F62F4BA0718AFD9B1BCCCD6389A6043A4394A6769730F75F8E1F8B3752AF |
++-------+------------------------------------------------------------------+
+| 43 | F9B00165598A0600D53064B2871477FEC3BD62549A69328C4BDD39467AF2D48D |
++-------+------------------------------------------------------------------+
+| 44 | FD263056ADFE6CB5596A11612440FA5D851B3B9BED34A481139C2206A6C570B1 |
++-------+------------------------------------------------------------------+
diff --git a/quark/forensic/forensic.py b/quark/forensic/forensic.py
index 7cc811f25..284b06251 100644
--- a/quark/forensic/forensic.py
+++ b/quark/forensic/forensic.py
@@ -98,6 +98,46 @@ def get_android_api(self):
 return self.apk.android_apis
+ def get_certificate(self):
+ """
+ Return the signing certificate(s) of the APK.
+
+ :return: a list of dicts, each describing one signing certificate
+ (subject, issuer, serial number, sha1/sha256 fingerprint,
+ validity period and signature algorithm). Returns an empty list
+ when the sample is unsigned or carries no APK-level certificate
+ (e.g. a bare DEX input or the rizin backend).
+ """
+
+ androguard_apk = getattr(self.apk, "apk", None)
+
+ if androguard_apk is None or not hasattr(
+ androguard_apk, "get_certificates"
+ ):
+ return []
+
+ if not androguard_apk.is_signed():
+ return []
+
+ certificates = []
+ for cert in androguard_apk.get_certificates():
+ validity = cert["tbs_certificate"]["validity"]
+
+ certificates.append(
+ {
+ "subject": cert.subject.human_friendly,
+ "issuer": cert.issuer.human_friendly,
+ "serial_number": cert.serial_number,
+ "sha1": cert.sha1_fingerprint,
+ "sha256": cert.sha256_fingerprint,
+ "not_before": str(validity["not_before"].native),
+ "not_after": str(validity["not_after"].native),
+ "signature_algorithm": cert.signature_algo,
+ }
+ )
+
+ return certificates
+
 if __name__ == "__main__":
 pass
diff --git a/tests/forensic/test_forensic.py b/tests/forensic/test_forensic.py
index c39aedeb1..a1d0e00a1 100644
--- a/tests/forensic/test_forensic.py
+++ b/tests/forensic/test_forensic.py
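Review bot: The docstring of get_certificate should state that the returned data is parsed from the APK's signing block(s) and is not validated — nothing in this method checks the signature against the archive contents or builds a trust chain (and, as far as I can tell, androguard's get_certificates() does not either), so subject, issuer and fingerprints describe the signer the sample claims, not an established provenance. I would add to the docstring: `Certificates are parsed from the signing block(s) and are not verified against the APK contents or a trust chain; treat them as attribution hints, not proof of origin.` A smaller point: the guard only checks `hasattr(androguard_apk, "get_certificates")` and then calls `is_signed()` unguarded on the next statement, so a backend object that has one method but not the other would raise AttributeError instead of returning `[]`; either check both names, `if androguard_apk is None or not all(hasattr(androguard_apk, m) for m in ("is_signed", "get_certificates")): return []`, or drop the hasattr check and rely on the backend type. The enclosing Forensic class starts outside this hunk.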
@@ -56,3 +56,21 @@ def test_get_android_api(self, forensic):
 result = [str(x) for x in forensic.get_android_api()]
 assert any("getCellLocation" in meth for meth in result)
 assert any("sendTextMessage" in meth for meth in result)
+
+ def test_get_certificate(self, forensic):
+ certificates = forensic.get_certificate()
+
+ assert len(certificates) == 1
+
+ cert = certificates[0]
+ assert cert["subject"] == (
+ "Common Name: Android Debug, Organization: Android, Country: US"
+ )
+ assert cert["issuer"] == (
+ "Common Name: Android Debug, Organization: Android, Country: US"
+ )
+ assert cert["sha256"] == (
+ "E2 19 39 06 1B 8B 26 C8 08 B9 4C 47 4F ED C3 80 "
+ "52 B6 3E 66 07 AF 9C 7C 37 20 38 74 AF E5 E5 70"
+ )
+ assert cert["signature_algorithm"] == "rsassa_pkcs1v15"
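Review bot: test_get_certificate covers only the signed path; the two early `return []` branches of get_certificate (no androguard APK object, unsigned sample) that the docstring promises are not exercised. A second test against an unsigned or DEX-only fixture, asserting `assert forensic_unsigned.get_certificate() == []`, would pin that contract; the `forensic` fixture is defined outside this hunk, so the new fixture belongs next to it. The sha256 assertion also pins the space-separated uppercase hex rendering of the fingerprint, which appears to come from the backend rather than from this code, so a formatting change upstream would fail the test even though the certificate is unchanged; comparing `cert["sha256"].replace(" ", "").lower()` against the bare digest would make the test about the digest only.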