154 changes: 154 additions & 0 deletions docs/source/malware_report.rst
Expand Up @@ -1616,3 +1616,157 @@ The table below lists the APKs we tested.
+-------+------------------------------------------------------------------+
| 30 | FE4B2B288565CC1A85B7DD23398CC8AB850B0B0C73D46EC9E7C308AF86A96D60 |
+-------+------------------------------------------------------------------+


New Quark Rules For Arsink
==========================

New Quark rule (#00271) is now available. This rule targets `Arsink <https://malpedia.caad.fkie.fraunhofer.de/details/apk.arsink>`__. The Arsink malware family is a type of Android malware that primarily targets users by leveraging various malicious behaviors, including sending SMS messages without user consent and accessing sensitive device information. It is often disguised as a legitimate application to evade detection and gain unauthorized access to user data. Check `here <https://github.com/quark-engine/quark-rules>`__ for the rule details.

With these rules, Quark is now able to identify the Arsink malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here <list-of-tested-apks-arsink>` for the APKs we tested.

Below is a summary report of an Arsink sample (``06F7DFDFBFF03719082750FB11CA1F1FE720DAA57F11C7D30D3B3277BFECEB13``). The report shows that Quark identified the sample as **high-risk**, with a list of behaviors as evidence.

.. image:: https://i.postimg.cc/8zm82TtM/jie-tu-2026-04-16-wan-shang8-56-42.png

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats from Arsink, as shown below.

**1. Accessing Device Information**

.. image:: https://i.ibb.co/8nXprq12/accessing-device-information.png
:alt: Accessing Device Information

The diagram indicates that the ``LSay/hello/To/Arthur/FileUtil;convertUriToFilePath`` function queries device data using a ContentResolver and URI, and calls ``LSay/hello/To/Arthur/FileUtil;getDataColumn`` to access sensitive information from content providers.

Behaviors detected by Quark:

* Query data from URI (SMS, CALLLOGS) (#00011)
* Read sensitive data(SMS, CALLLOG, etc) (#00077)
* Query device data with ContentResolver (#00212)
* Query device data with ContentResolver and a URI parsed from a string (#00222)
* Accessing sensitive data from content provider (#00271)

**2. Intercepting Sms Messages**

.. image:: https://i.ibb.co/HDv1R0GQ/intercepting-sms-messages.png
:alt: Intercepting Sms Messages

The behavior map reveals that the ``LSay/hello/To/Arthur/FileUtil;convertUriToFilePath`` function queries SMS and call log data from URIs, and invokes ``LSay/hello/To/Arthur/FileUtil;getDataColumn`` to read this sensitive data, enabling SMS interception.

Behaviors detected by Quark:

* Query data from URI (SMS, CALLLOGS) (#00011)
* Read sensitive data(SMS, CALLLOG, etc) (#00077)

**3. Manipulating System Settings**

.. image:: https://i.ibb.co/QFYR9Cqy/manipulating-system-settings.png
:alt: Manipulating System Settings

The diagram shows that the ``LSay/hello/To/Arthur/SketchLogger$1;run`` function executes specified Linux commands, which can be used to manipulate system settings.

Behaviors detected by Quark:

* Executes the specified string Linux command (#00068)

.. _list-of-tested-apks-arsink:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.

+-------+------------------------------------------------------------------+
| index | sha256 |
+=======+==================================================================+
| 1 | 06F7DFDFBFF03719082750FB11CA1F1FE720DAA57F11C7D30D3B3277BFECEB13 |
+-------+------------------------------------------------------------------+
| 2 | 0BCDF887E6BD21EA4073385A8B2E59025768BE3131A92E9940886E05C748E1CC |
+-------+------------------------------------------------------------------+
| 3 | 16CB7952AB3CE88EC30B57E1C5F16A8871457E9985D43675AAE47D8DDB5044C8 |
+-------+------------------------------------------------------------------+
| 4 | 1FC3BA39F0CE8109BCB4F42441250DF5E9C601744B738A2E7C40D612CD29FEC3 |
+-------+------------------------------------------------------------------+
| 5 | 2063030918DF932A61673559F99E51CC47F3436337F94AFB2E8ACAAFA84289FF |
+-------+------------------------------------------------------------------+
| 6 | 2C0BCE17BC9BBFBEA95E5B75E6294FD1D5205B915B24729D1F2377E2A6F2B578 |
+-------+------------------------------------------------------------------+
| 7 | 35F06F91902FAF5A4BC27C8B73F74B74AEA6A6BE2215AE1E990EE504CEB29E4F |
+-------+------------------------------------------------------------------+
| 8 | 3AE188387DD8B01CD5595B9AD937DAE48D90C4D17FA8BA7F85D3A1F34D1EF3C8 |
+-------+------------------------------------------------------------------+
| 9 | 3E6EDEBC2DA9A4A80507EEB7ABF529C9C3A70201927F1AE864F9F257CA64BC2E |
+-------+------------------------------------------------------------------+
| 10 | 4070678717CF011417C9E4307C9ECB4D481563DB4758FFAADA5FA6870E06A4AC |
+-------+------------------------------------------------------------------+
| 11 | 48F19EEF9D420137DEE9974E3CC6AF3DED9532BD631ACE36F7D15EEBEC6A2DCE |
+-------+------------------------------------------------------------------+
| 12 | 4CF809B14083143E921BD8FDB7E7725E20E303653D9A3E6C848D9596A33F6C8E |
+-------+------------------------------------------------------------------+
| 13 | 501E35F1600CE0548226C9957EED76F5F04CB2E1DBFD4F3FB8652009B38E8C9F |
+-------+------------------------------------------------------------------+
| 14 | 5948A349B534156F5734B3A99E761EC6D84E527AB729B1F28242049B3AFAB2E6 |
+-------+------------------------------------------------------------------+
| 15 | 595355DAAA6AAD284090210CD55C4A2E276C5263C83D2B202E1486D347AF3701 |
+-------+------------------------------------------------------------------+
| 16 | 5E48BBE1C62DA18D4C0F2CCA0F8855219C5A05F81C5FB64C1B4A0A6871FA8736 |
+-------+------------------------------------------------------------------+
| 17 | 603D89C5A2883AB2ED68E12517212BD0B74760F1EF755A61D059440AEBA045FD |
+-------+------------------------------------------------------------------+
| 18 | 68F800FBED83116AC9EFB2524326FA5D710A911B506762D580A34C19932A21E8 |
+-------+------------------------------------------------------------------+
| 19 | 6D06806CCEE64D3BAA5B9DA63019C3AC7A23DFE210747FBDBC048A84196325C5 |
+-------+------------------------------------------------------------------+
| 20 | 744346BD46F139837BF2825206FA95D48DDF6DC078E341492B34B35743A0B297 |
+-------+------------------------------------------------------------------+
| 21 | 76B8569EFF05CE94BA580E10FB1161AF6537D931F8C9D07EDBA20E93A4A34BB6 |
+-------+------------------------------------------------------------------+
| 22 | 7DDD3C4808372C91C916C4B77A07A09F61753BC26A592FF7DA3BD71D12802A0C |
+-------+------------------------------------------------------------------+
| 23 | 8159C79C8A9B54AD363516F9B53C7CADA3EA4AFA0B2D0F6E7DC66FE147D03A93 |
+-------+------------------------------------------------------------------+
| 24 | 8314ECE95207FF28466D4FC8BF6CEF22CC6E28FEF47E9BEDE381B502F038B552 |
+-------+------------------------------------------------------------------+
| 25 | 89D492B7539B5552445764907A96B517D08D448F8FF0E3E7A93958DF82D3DF58 |
+-------+------------------------------------------------------------------+
| 26 | 8E9C6AA5EA90DDD2C3199128E41DE82C4D406B3D2D32BA34CF9D6B1F9C5A8F26 |
+-------+------------------------------------------------------------------+
| 27 | 917CDE4F5DFDE864C07A412E586E218F65826B71810083BFFB086C3518DEC645 |
+-------+------------------------------------------------------------------+
| 28 | 9A778FBB730EE653F45B36700A369C81792509F855C2529ACA73DE1443C62DE8 |
+-------+------------------------------------------------------------------+
| 29 | 9FB8A940492EE6095A24B4A34ECFA252A515FB681F16636A8F00B1E0E7D47FE2 |
+-------+------------------------------------------------------------------+
| 30 | A3F487BBE5AC9A9EB3556E9612C7A16177EA2767783E9401A6643765B1EE39B3 |
+-------+------------------------------------------------------------------+
| 31 | BA71C7E507E1B0D8202447F9F86F585286B4AB01B58C7E32BB4F495381EF5004 |
+-------+------------------------------------------------------------------+
| 32 | BBB41EC382738C0EE5B94D023F023209928CA98893F146A8CFDAA608AFE7B4E6 |
+-------+------------------------------------------------------------------+
| 33 | C002E68F52DE1B2B62013A82828245D8A956A075B87E220C3F6E1B2BFB220D19 |
+-------+------------------------------------------------------------------+
| 34 | C1183C6868BF4E006BA412A538A3A07DADBAEDED2BE6F148765DECF69DC284EC |
+-------+------------------------------------------------------------------+
| 35 | C4F51CCDE0525887B61FB919EEFC5830B24EC35FDCB2AF2AA3893E5F56957C40 |
+-------+------------------------------------------------------------------+
| 36 | CB93D5C96AE3E0B358AC2A0C57008A5655A049AC3BC5543F814AF5157E2F27DE |
+-------+------------------------------------------------------------------+
| 37 | D41329E084AD90A62C37E906F18E1089002F4D5E7C5CE123F7753DA90E410372 |
+-------+------------------------------------------------------------------+
| 38 | D41A27EE5D4B12F6C94E73CC453C69B20FF92CE29823B0FF5BCC50C0D61F826E |
+-------+------------------------------------------------------------------+
| 39 | D5B6C048A278C06E2625C47A3A57F5CE2E4D6D73D830051A84DE1768E0445882 |
+-------+------------------------------------------------------------------+
| 40 | D7362FF697A5CAE24B4B084D0436CCDE7060524A24C34F37F185F64597930514 |
+-------+------------------------------------------------------------------+
| 41 | DB5B22F8D3400BAFA449B6DB01F44896DD8040733B03D11DBC187146E58DFBCD |
+-------+------------------------------------------------------------------+
| 42 | EB76F62F4BA0718AFD9B1BCCCD6389A6043A4394A6769730F75F8E1F8B3752AF |
+-------+------------------------------------------------------------------+
| 43 | F9B00165598A0600D53064B2871477FEC3BD62549A69328C4BDD39467AF2D48D |
+-------+------------------------------------------------------------------+
| 44 | FD263056ADFE6CB5596A11612440FA5D851B3B9BED34A481139C2206A6C570B1 |
+-------+------------------------------------------------------------------+
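Review bot: in the "Intercepting Sms Messages" paragraph, the cited evidence (#00011 "Query data from URI (SMS, CALLLOGS)" and #00077 "Read sensitive data") shows the sample reading stored SMS and call-log records through a content provider, which is not the same as intercepting incoming messages; the paragraph also repeats the ``convertUriToFilePath`` / ``getDataColumn`` chain already described under threat 1, so either retitle it as reading stored SMS data or cite a receiver-based behavior if one was actually observed (and write "SMS", not "Sms", in the heading and alt text). Two smaller points: the intro says "New Quark rule (#00271)" but the next paragraph opens "With these rules", so make the number agree; and the summary-report image has no ``:alt:`` text while the other three do, and all four are hosted on third-party image hosts (i.postimg.cc, i.ibb.co) rather than under ``docs/``, so they may stop resolving independently of the repository.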
40 changes: 40 additions & 0 deletions quark/forensic/forensic.py
Expand Up @@ -98,6 +98,46 @@ def get_android_api(self):

return self.apk.android_apis

def get_certificate(self):
"""
Return the signing certificate(s) of the APK.

:return: a list of dicts, each describing one signing certificate
(subject, issuer, serial number, sha1/sha256 fingerprint,
validity period and signature algorithm). Returns an empty list
when the sample is unsigned or carries no APK-level certificate
(e.g. a bare DEX input or the rizin backend).
"""

androguard_apk = getattr(self.apk, "apk", None)

if androguard_apk is None or not hasattr(
androguard_apk, "get_certificates"
):
return []

if not androguard_apk.is_signed():
return []

certificates = []
for cert in androguard_apk.get_certificates():
validity = cert["tbs_certificate"]["validity"]

certificates.append(
{
"subject": cert.subject.human_friendly,
"issuer": cert.issuer.human_friendly,
"serial_number": cert.serial_number,
"sha1": cert.sha1_fingerprint,
"sha256": cert.sha256_fingerprint,
"not_before": str(validity["not_before"].native),
"not_after": str(validity["not_after"].native),
"signature_algorithm": cert.signature_algo,
}
)

return certificates


if __name__ == "__main__":
pass
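Review bot: the `sha1` and `sha256` values come from asn1crypto's `sha1_fingerprint` / `sha256_fingerprint`, which are space-separated uppercase byte pairs ("E2 19 39 …"), so the forensic output uses a different convention from the contiguous hex the project uses for sample hashes (see the sha256 table in the docs change); normalizing them, for example `"sha256": cert.sha256.hex()` or stripping the spaces, would make them directly comparable with other tooling. Also, `is_signed()` is called without the `hasattr` guard that protects `get_certificates`, and `serial_number` is returned as a Python int, which is not how serials are normally displayed; a hex string would be clearer. Finally, asn1crypto exposes `not_valid_before` / `not_valid_after` on the certificate object, which would replace the manual `cert["tbs_certificate"]["validity"]` walk.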
18 changes: 18 additions & 0 deletions tests/forensic/test_forensic.py
Expand Up @@ -56,3 +56,21 @@ def test_get_android_api(self, forensic):
result = [str(x) for x in forensic.get_android_api()]
assert any("getCellLocation" in meth for meth in result)
assert any("sendTextMessage" in meth for meth in result)

def test_get_certificate(self, forensic):
certificates = forensic.get_certificate()

assert len(certificates) == 1

cert = certificates[0]
assert cert["subject"] == (
"Common Name: Android Debug, Organization: Android, Country: US"
)
assert cert["issuer"] == (
"Common Name: Android Debug, Organization: Android, Country: US"
)
assert cert["sha256"] == (
"E2 19 39 06 1B 8B 26 C8 08 B9 4C 47 4F ED C3 80 "
"52 B6 3E 66 07 AF 9C 7C 37 20 38 74 AF E5 E5 70"
)
assert cert["signature_algorithm"] == "rsassa_pkcs1v15"
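Review bot: this test only exercises the signed-APK path; the two early-return branches in `get_certificate` (no androguard object or no `get_certificates`, and `is_signed()` false) both return `[]` and have no coverage, so a DEX-only or unsigned fixture asserting `forensic.get_certificate() == []` would protect the branch most likely to regress. It would also be worth asserting `not_before`, `not_after` and `serial_number` once, since those are the fields produced by manual ASN.1 navigation in the implementation.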