38 changes: 19 additions & 19 deletions README.md
@@ -74,25 +74,25 @@

| Family | Summary | Signature Behaviors | Report |
|-------------|----------------------------------------------------|--------------------------|--------|
| DroidKungFu | Privilege escalation with C2 control. | 1. Gain unlimited access to a device.<br>2. Install/Uninstall additional apps.<br>3. Forward confidential data. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-droidkungfu) |
| GoldDream | SMS/call log exfiltration with remote C2 commands. | 1. Monitor SMS messages and phone calls.<br>2. Upload SMS messages and phone calls to remote servers. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-golddream) |
| SpyNote | Credential theft and device surveillance via RAT. | 1. Take screenshots.<br>2. Simulate user gestures.<br>3. Log user input.<br>4. Communicate with C2 servers. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-spynote) |
| DawDropper | Dropper that installs banking trojans for financial theft. | 1. Download APKs from remote servers.<br>2. Install additional APKs. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-dawdropper) |
| SLocker | Android ransomware locking/encrypting devices. | 1. Lock the device with an overlay screen. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-slocker) |
| PhantomCard | NFC relay–based financial fraud. | 1. Communicate with C2 servers.<br>2. Read the payment data of NFC cards.<br>3. Captures PINs of NFC cards through deceptive screens. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-phantomcard) |
| ToxicPanda | Banking trojan enabling on-device fraud. | 1. Abuse Accessibility.<br>2. Remote device control.<br>3. Intercept OTP. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-toxicpanda) |
| Hydra | Banking trojan using overlay attacks. | 1. Overlay credential theft.<br>2. Accessibility abuse.<br>3. Steal OTP/cookies. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-hydra) |
| SharkBot | Banking trojan targeting financial credentials and transactions. | 1. Abuse Accessibility services.<br>2. Perform overlay attacks to steal credentials.<br>3. Intercept SMS messages (OTP). | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-sharkbot) |
| Antidot | Banking trojan disguised as legitimate updates for financial data theft. | 1. Intercept SMS messages (OTP).<br>2. Log user input (keylogging).<br>3. Enable remote control via C2. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-antidot) |
| Arsink | Banking trojan focusing on credential and financial data exfiltration. | 1. Steal sensitive data from device.<br>2. Intercept SMS messages (OTP). | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-arsink) |
| TrickMo | Banking trojan using overlay attacks and accessibility abuse for credential theft. | 1. Overlay attacks to steal banking credentials.<br>2. Intercept SMS for 2FA bypass.<br>3. Screen recording and accessibility abuse.<br>4. Dynamic payload loading via reflection. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-trickmo) |
| Anubis | Banking trojan with RAT capabilities. | 1. Overlay credential theft.<br>2. Keylogging.<br>3. Intercept SMS (OTP).<br>4. Remote control via C2. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-anubis) |
| GodFather | Banking trojan targeting financial credentials through overlay and accessibility abuse. | 1. Perform overlay attacks to steal credentials.<br>2. Abuse Accessibility services.<br>3. Intercept SMS messages (OTP).<br>4. Steal banking credentials and sensitive data. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-godfather) |
| TangleBot | SMS-based Android malware stealing personal and financial data. | 1. Spread through SMS phishing links.<br>2. Control device interactions and overlay screens.<br>3. Access SMS, contacts, call logs, camera, and microphone.<br>4. Steal account and financial information. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-tanglebot) |
| BRATA | Banking trojan with remote control and anti-analysis capabilities. | 1. Perform overlay attacks to steal banking credentials.<br>2. Abuse Accessibility services for device control.<br>3. Intercept SMS messages (OTP).<br>4. Execute factory reset or device wipe commands. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-brata) |
| Cerberus | Banking trojan targeting financial credentials through overlay and device control. | 1. Perform overlay attacks to steal credentials.<br>2. Abuse Accessibility services.<br>3. Log user input (keylogging).<br>4. Enable remote control via C2. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-cerberus) |
| SuperCardX | NFC relay malware enabling contactless payment fraud. | 1. Read NFC payment card data.<br>2. Relay NFC transactions to attacker-controlled devices.<br>3. Communicate with C2 servers.<br>4. Facilitate unauthorized contactless payments. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-supercardx) |
| NGate | NFC-based malware enabling relay attacks and payment fraud. | 1. Read NFC payment card data.<br>2. Relay NFC communications to attacker-controlled devices.<br>3. Communicate with C2 servers.<br>4. Facilitate unauthorized contactless payments. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-ngate) |
| DroidKungFu | Privilege escalation with C2 control. | 1. Gain unlimited access to a device.<br>2. Install/Uninstall additional apps.<br>3. Forward confidential data. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-droidkungfu) |
| GoldDream | SMS/call log exfiltration with remote C2 commands. | 1. Monitor SMS messages and phone calls.<br>2. Upload SMS messages and phone calls to remote servers. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-golddream) |
| SpyNote | Credential theft and device surveillance via RAT. | 1. Take screenshots.<br>2. Simulate user gestures.<br>3. Log user input.<br>4. Communicate with C2 servers. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-spynote) |
| DawDropper | Dropper that installs banking trojans for financial theft. | 1. Download APKs from remote servers.<br>2. Install additional APKs. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-dawdropper) |
| SLocker | Android ransomware locking/encrypting devices. | 1. Lock the device with an overlay screen. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-slocker) |
| PhantomCard | NFC relay–based financial fraud. | 1. Communicate with C2 servers.<br>2. Read the payment data of NFC cards.<br>3. Captures PINs of NFC cards through deceptive screens. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-phantomcard) |
| ToxicPanda | Banking trojan enabling on-device fraud. | 1. Abuse Accessibility.<br>2. Remote device control.<br>3. Intercept OTP. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-toxicpanda) |
| Hydra | Banking trojan using overlay attacks. | 1. Overlay credential theft.<br>2. Accessibility abuse.<br>3. Steal OTP/cookies. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-hydra) |
| SharkBot | Banking trojan targeting financial credentials and transactions. | 1. Abuse Accessibility services.<br>2. Perform overlay attacks to steal credentials.<br>3. Intercept SMS messages (OTP). | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-sharkbot) |
| Antidot | Banking trojan disguised as legitimate updates for financial data theft. | 1. Intercept SMS messages (OTP).<br>2. Log user input (keylogging).<br>3. Enable remote control via C2. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-antidot) |
| Arsink | Banking trojan focusing on credential and financial data exfiltration. | 1. Steal sensitive data from device.<br>2. Intercept SMS messages (OTP). | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-arsink) |
| TrickMo | Banking trojan using overlay attacks and accessibility abuse for credential theft. | 1. Overlay attacks to steal banking credentials.<br>2. Intercept SMS for 2FA bypass.<br>3. Screen recording and accessibility abuse.<br>4. Dynamic payload loading via reflection. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-trickmo) |
| Anubis | Banking trojan with RAT capabilities. | 1. Overlay credential theft.<br>2. Keylogging.<br>3. Intercept SMS (OTP).<br>4. Remote control via C2. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-anubis) |
| GodFather | Banking trojan targeting financial credentials through overlay and accessibility abuse. | 1. Perform overlay attacks to steal credentials.<br>2. Abuse Accessibility services.<br>3. Intercept SMS messages (OTP).<br>4. Steal banking credentials and sensitive data. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-godfather) |
| TangleBot | SMS-based Android malware stealing personal and financial data. | 1. Spread through SMS phishing links.<br>2. Control device interactions and overlay screens.<br>3. Access SMS, contacts, call logs, camera, and microphone.<br>4. Steal account and financial information. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-tanglebot) |
| BRATA | Banking trojan with remote control and anti-analysis capabilities. | 1. Perform overlay attacks to steal banking credentials.<br>2. Abuse Accessibility services for device control.<br>3. Intercept SMS messages (OTP).<br>4. Execute factory reset or device wipe commands. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-brata) |
| Cerberus | Banking trojan targeting financial credentials through overlay and device control. | 1. Perform overlay attacks to steal credentials.<br>2. Abuse Accessibility services.<br>3. Log user input (keylogging).<br>4. Enable remote control via C2. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-cerberus) |
| SuperCardX | NFC relay malware enabling contactless payment fraud. | 1. Read NFC payment card data.<br>2. Relay NFC transactions to attacker-controlled devices.<br>3. Communicate with C2 servers.<br>4. Facilitate unauthorized contactless payments. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-supercardx) |
| NGate | NFC-based malware enabling relay attacks and payment fraud. | 1. Read NFC payment card data.<br>2. Relay NFC communications to attacker-controlled devices.<br>3. Communicate with C2 servers.<br>4. Facilitate unauthorized contactless payments. | [View](https://quark-engine.readthedocs.io/en/latest/malware_report.html#new-quark-rules-for-ngate) |

## Quick Start

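Review bot: the link retargeting in this hunk (quark_rules.html to malware_report.html, with the same `#new-quark-rules-for-<family>` fragments) only works if every one of those anchors exists on the malware_report page. The rst hunks in this PR rename the BRATA, Cerberus, SuperCardX and NGate headings into that form, but the remaining families should be checked as well (a Sphinx build with link checking, or opening each anchor), because a missing fragment just lands the reader at the top of the page instead of failing the build. Two smaller points while the table is being touched: the BRATA and SuperCardX rows now point at "New Quark Rules" sections whose body text says no new rule was added, which will confuse readers; and the PhantomCard row mixes imperative and third-person forms ("Read the payment data..." vs "Captures PINs..."), so "Capture PINs" would match the rest of the column.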
22 changes: 11 additions & 11 deletions docs/source/malware_report.rst
@@ -1941,7 +1941,7 @@ The table below lists the APKs we tested.
+-------+------------------------------------------------------------------+


New Quark Rules For anubis
New Quark Rules For Anubis
==========================

New Quark rule (#00273) is now available. This rule targets `anubis <https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis>`__. Anubis is a sophisticated Android banking trojan that emerged around 2017, targeting financial institutions worldwide. It features overlay attacks to steal banking credentials, keylogging, screen recording, SMS interception, and ransomware capabilities. The malware is distributed through malicious apps on Google Play and phishing campaigns.
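Review bot: capitalising the heading to "Anubis" does not change the Sphinx-generated anchor (`new-quark-rules-for-anubis`), so the README link is unaffected, but the link text in the paragraph under the heading still reads lowercase `anubis` while the surrounding prose uses "Anubis"; suggest `Anubis <https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis>` so the paragraph agrees with the heading this hunk changes.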
@@ -2072,7 +2072,7 @@ The table below lists the APKs we tested.
| 13 | F57308A3D0A09D0DA95D9055EC76E3DCED8292B47FCD41FEF237EBF7C1AD5F03 |
+-------+------------------------------------------------------------------+

New Quark Rules For godfather
New Quark Rules For GodFather
=============================

New Quark rule (#00274) is now available. This rule targets `godfather <https://malpedia.caad.fkie.fraunhofer.de/details/apk.godfather>`__. Check `here <https://github.com/quark-engine/quark-rules>`__ for the rule details.
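Review bot: same casing mismatch as the Anubis section: the heading now reads "GodFather" but the link text in the following paragraph is still `godfather`. The title length is unchanged, so the existing `=` underline still satisfies rst; only the link text needs updating for consistency.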
@@ -2241,7 +2241,7 @@ The table below lists the APKs we tested.
+-------+------------------------------------------------------------------+


New Quark Rules For tanglebot
New Quark Rules For TangleBot
=============================

New Quark rule (#00275) is now available. This rule targets `TangleBot <https://attack.mitre.org/software/S1069>`__. Check `here <https://github.com/quark-engine/quark-rules>`__ for the rule details.
@@ -2383,8 +2383,8 @@ The table below lists the APKs we tested.
+-------+------------------------------------------------------------------+


Brata Malware Family Analysis Report
====================================
New Quark Rules For BRATA
=========================

Quark's existing rule set already detects the `brata <https://malpedia.caad.fkie.fraunhofer.de/details/apk.brata>`__ malware family — no new rule was required. Check `here <https://github.com/quark-engine/quark-rules>`__ for the rule set.

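Review bot: the heading now promises "New Quark Rules For BRATA", but the paragraph directly under it says the existing rule set already detects the family and no new rule was required. If the rename exists only to give the README a uniform `#new-quark-rules-for-brata` anchor, state that in the first sentence (for example "No new rule was added; BRATA is covered by the existing rules ..."), or keep the analysis-report title and add an explicit rst label such as `.. _new-quark-rules-for-brata:` above it so the README can link here without a misleading heading.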
@@ -2512,8 +2512,8 @@ The table below lists the APKs we tested.
+-------+------------------------------------------------------------------+


Cerberus Malware Family Analysis Report
=======================================
New Quark Rules For Cerberus
============================

This report analyses `Cerberus <https://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus>`__ malware family using Quark's rule classification. A new rule (#00276) was generated from this family's samples and added to Quark's rule pool, but is not directly demonstrated below. Check `here <https://github.com/quark-engine/quark-rules>`__ for the rule details.

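Review bot: the opening sentence "This report analyses `Cerberus` ..." is left over from the old "Malware Family Analysis Report" title and now sits under a "New Quark Rules For Cerberus" heading; the other renamed sections open with "New Quark rule (#NNNNN) is now available. This rule targets ...", so rewording this paragraph the same way (rule #00276 is already named) keeps the document consistent. The clause "but is not directly demonstrated below" should also say what the rule detects, otherwise the reader cannot relate the rule to the samples listed in the table above.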
@@ -2618,8 +2618,8 @@ The table below lists the APKs we tested.
| 10 | 0B018C290DBB5AA2AF3F324F2A83C6654D5A47E4026413A6A082623BF2E35787 |
+-------+------------------------------------------------------------------+

SuperCardX Malware Family Analysis Report
=========================================
New Quark Rules For SuperCardX
==============================

This report analyses the `SuperCardX <https://malpedia.caad.fkie.fraunhofer.de/details/apk.supercardx>`__ malware family using Quark's existing rule pool — no new rule was added for this family. SuperCardX is an Android NFC banking trojan that collects sensitive device information including GPS location, ANDROID_ID, phone details, and clipboard contents while employing multiple evasion techniques such as emulator detection, obfuscation, and reflection. It downloads additional modules at runtime, sends SMS messages, and maintains network connectivity through HTTPS connections. The malware requests dangerous permissions and can manipulate files, processes, and WiFi configurations on infected devices. Check `here <https://github.com/quark-engine/quark-rules>`__ for the rule pool details.

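Review bot: same contradiction as the BRATA section: the heading now says "New Quark Rules For SuperCardX" while the paragraph states that no new rule was added and the family is covered by the existing pool. Either reword heading and body to agree or add an rst label for the README anchor instead of renaming the title. The "This report analyses" opener is also the old title's phrasing and would read better aligned with the other sections.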
@@ -2695,8 +2695,8 @@ The table below lists the APKs we tested.
| 7 | BA622A4F0D30C433A1D36DDFF294759582067D5EAE438937DEF75987FAC67B33 |
+-------+------------------------------------------------------------------+

NGate Malware Family Analysis Report
====================================
New Quark Rules For NGate
=========================

A new Quark rule (#00277) was generated to detect NFC reader-mode preparation and added to Quark's rule pool. NGate is an Android NFC banking trojan first documented by ESET in 2024, targeting Slovak banking customers. It is documented to weaponize the open-source NFCGate research toolkit to relay contactless payment card data from the victim's phone to an attacker-controlled device, enabling unauthorized point-of-sale and ATM transactions. Check `here <https://github.com/quark-engine/quark-rules>`__ for the rule pool details.

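Review bot: the paragraph says rule #00277 detects "NFC reader-mode preparation", which is a standard Android capability that legitimate payment, ticketing and card-reader apps also use; a sentence stating that the rule is one behaviour indicator scored together with the rest of the pool, not a family-level verdict on its own, would stop readers from treating a single hit as an NGate detection. Separately, unlike the Anubis, GodFather and TangleBot sections, NGate is not linked to a Malpedia or MITRE reference; adding one keeps the sections uniform.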