def analysis(self, apk, rule):
"""
The main function of Quark-Engine analysis, the analysis is based on the provided APK file.
:param apk: the APK file
:param rule: the rule to be checked, it could be a directory or a single json rule
:return: None
"""
self.quark = Quark(apk)
if os.path.isdir(rule):
rules_list = os.listdir(rule)
for single_rule in rules_list:
if single_rule.endswith("json"):
rulepath = os.path.join(rule, single_rule)
rule_checker = QuarkRule(rulepath)
# Run the checker
self.quark.run(rule_checker)
# Generate json report
self.quark.generate_json_report(rule_checker)
elif os.path.isfile(rule):
if rule.endswith("json"):
rule = QuarkRule(rule)
# Run checker
self.quark.run(rule)
# Generate json report
self.quark.generate_json_report(rule)
def analysis(self, apk, rule):
self.quark = Quark(apk)
if os.path.isdir(rule):
rules_list = os.listdir(rule)
for single_rule in rules_list:
if single_rule.endswith("json"):
rulepath = os.path.join(rule, single_rule)
rule_checker = QuarkRule(rulepath)
# Run the checker
self.quark.run(rule_checker)
# Generate json report
self.quark.generate_json_report(rule_checker)
elif os.path.isfile(rule):
if rule.endswith("json"):
rule = QuarkRule(rule)
# Run checker
self.quark.run(rule)
# Generate json report
self.quark.generate_json_report(rule)
def rule_obj(scope="function"):
rule_json = """
{
"crime": "Send Location via SMS",
"x1_permission": [
"android.permission.SEND_SMS",
"android.permission.ACCESS_COARSE_LOCATION",
"android.permission.ACCESS_FINE_LOCATION"
],
"x2n3n4_comb": [
{
"class": "Landroid/telephony/TelephonyManager",
"method": "getCellLocation"
},
{
"class": "Landroid/telephony/SmsManager",
"method": "sendTextMessage"
}
],
"yscore": 4
}
"""
with open("sendLocation.json", "w") as f:
f.write(rule_json)
print("setup() begin")
rule_obj = QuarkRule("sendLocation.json")
yield rule_obj
del rule_obj
os.remove("sendLocation.json")
def quark_analysis(sha256):
es.update(index=settings.ELASTICSEARCH_TASKS_INDEX, id=sha256, body={'doc': {'quark_analysis': 1}},
retry_on_conflict=5)
with NamedTemporaryFile() as f:
f.write(default_storage.open(sha256).read())
f.seek(0)
data = Quark(f.name)
rules_path = 'quark-rules'
rules_list = os.listdir(rules_path)
for single_rule in tqdm(rules_list):
if single_rule.endswith('json'):
rule_path = os.path.join(rules_path, single_rule)
rule_checker = QuarkRule(rule_path)
try:
data.run(rule_checker)
data.generate_json_report(rule_checker)
except Exception:
pass
json_report = data.get_json_report()
if json_report:
es.update(index=settings.ELASTICSEARCH_TASKS_INDEX, id=sha256, body={'doc': {'quark_analysis': 2}},
retry_on_conflict=5)
es.update(index=settings.ELASTICSEARCH_APK_INDEX, id=sha256, body={'doc': {'quark': json_report}},
retry_on_conflict=5)
else:
es.update(index=settings.ELASTICSEARCH_TASKS_INDEX, id=sha256, body={'doc': {'quark_analysis': -1}},
retry_on_conflict=5)
del json_report, rules_list, data
return {'status': 'success', 'info': ''}
def quark_analysis(app_dir, apk_file):
"""QUARK Analysis of APK files."""
if not getattr(settings, 'QUARK_ENABLED', True):
return []
try:
import quark
except ImportError:
logger.error('Failed to import Quark')
return []
if not Path(apk_file).exists():
logger.error('APK not found')
return []
quark_ver = quark.__version__
from quark import config
from quark.freshquark import download
from quark.Objects.quark import Quark
from quark.Objects.quarkrule import QuarkRule
logger.info('Running Quark %s', quark_ver)
json_report = {}
try:
# freshquark: update quark rules
download()
# default rules path
rules_dir = Path(f'{config.HOME_DIR}quark-rules')
# Load APK
data = Quark(apk_file)
# Load rules
rules_list = rules_dir.rglob('*.json')
for rule_file in rules_list:
rule_checker = QuarkRule(rule_file.as_posix())
# Run the checker
data.run(rule_checker)
data.generate_json_report(rule_checker)
json_report = data.get_json_report()
# Clear all functools.lru_cache from quark
data.apkinfo.find_method.cache_clear()
data.apkinfo.upperfunc.cache_clear()
data.apkinfo.get_wrapper_smali.cache_clear()
data.apkinfo.construct_bytecode_instruction.cache_clear()
except Exception:
logger.exception('Quark APK Analysis')
return _convert_report(json_report, app_dir)
def result(scope="function"):
apk_file = "quark/sample/14d9f1a92dd984d6040cc41ed06e273e.apk"
data = Quark(apk_file)
# rule
rules = "quark/rules"
rules_list = os.listdir(rules)
for single_rule in rules_list:
if single_rule.endswith("json"):
rulepath = os.path.join(rules, single_rule)
rule_checker = QuarkRule(rulepath)
# Run the checker
data.run(rule_checker)
data.generate_json_report(rule_checker)
yield data
def result(scope="function"):
r = requests.get(APK_SOURCE, allow_redirects=True)
open(APK_FILENAME, "wb").write(r.content)
apk_file = APK_FILENAME
data = Quark(apk_file)
# rule
rules = "quark/rules"
rules_list = os.listdir(rules)
for single_rule in rules_list:
if single_rule.endswith("json"):
rulepath = os.path.join(rules, single_rule)
rule_checker = QuarkRule(rulepath)
# Run the checker
data.run(rule_checker)
data.generate_json_report(rule_checker)
yield data
def entry_point(summary, detail, apk, folder, rule, output, graph,
classification, threshold):
"""Quark is an Obfuscation-Neglect Android Malware Scoring System"""
if apk:
# Load APK
datas = []
datas.append(Quark(apk))
elif folder:
# Load APK Files from specific folder
datas = []
for roots, dirs, files in os.walk(str(folder)):
for f in files:
if f.endswith(".apk"):
datas.append(Quark(os.path.join(roots, f)))
else:
# Set folder to be "./" & Load folder
folder = "./"
datas = []
for roots, dirs, files in os.walk(str(folder)):
for f in files:
if f.endswith(".apk"):
datas.append(Quark(os.path.join(roots, f)))
if summary:
# Show summary report
# Load rules
rules_list = os.listdir(rule)
for single_rule in tqdm(rules_list):
if single_rule.endswith("json"):
rulepath = os.path.join(rule, single_rule)
rule_checker = QuarkRule(rulepath)
# Run the checker
for data in datas:
data.run(rule_checker)
data.show_summary_report(rule_checker, threshold)
for data in datas:
w = Weight(data.quark_analysis.score_sum,
data.quark_analysis.weight_sum)
print_warning(w.calculate())
print_info("Total Score: " + str(data.quark_analysis.score_sum))
print(data.quark_analysis.summary_report_table)
if classification:
data.show_rule_classification()
if graph:
data.show_call_graph()
if detail:
# Show detail report
# Load rules
rules_list = os.listdir(rule)
for single_rule in tqdm(rules_list):
if single_rule.endswith("json"):
rulepath = os.path.join(rule, single_rule)
print(rulepath)
rule_checker = QuarkRule(rulepath)
# Run the checker
for data in datas:
data.run(rule_checker)
data.show_detail_report(rule_checker)
print_success("OK")
for data in datas:
if classification:
data.show_rule_classification()
if graph:
data.show_call_graph()
if output:
# show json report
# Load rules
rules_list = os.listdir(rule)
for single_rule in tqdm(rules_list):
if single_rule.endswith("json"):
rulepath = os.path.join(rule, single_rule)
rule_checker = QuarkRule(rulepath)
# Run the checker
for data in datas:
data.run(rule_checker)
data.generate_json_report(rule_checker)
for data in datas:
json_report = data.get_json_report()
with open(output, "w") as file:
json.dump(json_report, file, indent=4)
file.close()
def entry_point(summary, detail, apk, rule, output, graph, classification):
"""Quark is an Obfuscation-Neglect Android Malware Scoring System"""
if summary:
# show summary report
# Load APK
data = Quark(apk)
# Load rules
rules_list = os.listdir(rule)
for single_rule in tqdm(rules_list):
if single_rule.endswith("json"):
rulepath = os.path.join(rule, single_rule)
rule_checker = QuarkRule(rulepath)
# Run the checker
data.run(rule_checker)
data.show_summary_report(rule_checker)
w = Weight(data.quark_analysis.score_sum,
data.quark_analysis.weight_sum)
print_warning(w.calculate())
print_info("Total Score: " + str(data.quark_analysis.score_sum))
print(data.quark_analysis.summary_report_table)
if classification:
data.show_rule_classification()
if graph:
data.show_call_graph()
if detail:
# show summary report
# Load APK
data = Quark(apk)
# Load rules
rules_list = os.listdir(rule)
for single_rule in tqdm(rules_list):
if single_rule.endswith("json"):
rulepath = os.path.join(rule, single_rule)
print(rulepath)
rule_checker = QuarkRule(rulepath)
# Run the checker
data.run(rule_checker)
data.show_detail_report(rule_checker)
print_success("OK")
if classification:
data.show_rule_classification()
if graph:
data.show_call_graph()
if output:
# show json report
# Load APK
data = Quark(apk)
# Load rules
rules_list = os.listdir(rule)
for single_rule in tqdm(rules_list):
if single_rule.endswith("json"):
rulepath = os.path.join(rule, single_rule)
rule_checker = QuarkRule(rulepath)
# Run the checker
data.run(rule_checker)
data.generate_json_report(rule_checker)
json_report = data.get_json_report()
with open(output, "w") as f:
json.dump(json_report, f, indent=4)
f.close()
def entry_point(
summary, detail, apk, rule, output, graph, classification, threshold, list
):
"""Quark is an Obfuscation-Neglect Android Malware Scoring System"""
# Load APK
data = Quark(apk)
# Load rules
rules_list = [x for x in os.listdir(rule) if x.endswith("json")]
# Show summary report
if summary:
for single_rule in tqdm(rules_list):
rulepath = os.path.join(rule, single_rule)
rule_checker = QuarkRule(rulepath)
# Run the checker
data.run(rule_checker)
data.show_summary_report(rule_checker, threshold)
w = Weight(data.quark_analysis.score_sum, data.quark_analysis.weight_sum)
print_warning(w.calculate())
print_info("Total Score: " + str(data.quark_analysis.score_sum))
print(data.quark_analysis.summary_report_table)
if classification:
data.show_rule_classification()
if graph:
data.show_call_graph()
# Show detail report
if detail:
for single_rule in tqdm(rules_list):
rulepath = os.path.join(rule, single_rule)
print(rulepath)
rule_checker = QuarkRule(rulepath)
# Run the checker
data.run(rule_checker)
data.show_detail_report(rule_checker)
print_success("OK")
if classification:
data.show_rule_classification()
if graph:
data.show_call_graph()
# Show JSON report
if output:
for single_rule in tqdm(rules_list):
rulepath = os.path.join(rule, single_rule)
rule_checker = QuarkRule(rulepath)
# Run the checker
data.run(rule_checker)
data.generate_json_report(rule_checker)
json_report = data.get_json_report()
with open(output, "w") as file:
json.dump(json_report, file, indent=4)
file.close()
if list:
for api in data.apkinfo.android_apis:
print(api.full_name)
def entry_point(
summary,
detail,
apk,
rule,
output,
graph,
classification,
threshold,
list,
permission,
label,
):
"""Quark is an Obfuscation-Neglect Android Malware Scoring System"""
# Load APK
data = Quark(apk)
# Load rules
rules_list = [x for x in os.listdir(rule) if x.endswith("json")]
if label:
all_labels = {}
# dictionary containing
# key: label
# value: list of confidence values
# $ print(all_rules["accessibility service"])
# > [60, 40, 60, 40, 60, 40]
for single_rule in tqdm(rules_list):
rulepath = os.path.join(rule, single_rule)
rule_checker = QuarkRule(rulepath)
# Run the checker
data.run(rule_checker)
confidence = rule_checker.check_item.count(True) * 20
labels = rule_checker._label # array type, e.g. ['network', 'collection']
for single_label in labels:
if single_label in all_labels:
all_labels[single_label].append(confidence)
else:
all_labels[single_label] = [confidence]
# get how many label with max confidence >= 80%
counter_high_confidence = 0
for single_label in all_labels:
if max(all_labels[single_label]) >= 80:
counter_high_confidence += 1
print_info("Total Label found: " + yellow(str(len(all_labels))))
print_info("Rules with label which max confidence >= 80%: " +
yellow(str(counter_high_confidence)))
data.show_label_report(rule, all_labels, label)
print(data.quark_analysis.label_report_table)
# Show summary report
if summary:
if summary == "all_rules":
label_flag = False
elif summary.endswith("json"):
rules_list = [summary]
label_flag = False
else:
label_flag = True
for single_rule in tqdm(rules_list):
rulepath = os.path.join(rule, single_rule)
rule_checker = QuarkRule(rulepath)
labels = rule_checker._label
if label_flag:
if summary not in labels:
continue
# Run the checker
data.run(rule_checker)
data.show_summary_report(rule_checker, threshold)
w = Weight(data.quark_analysis.score_sum,
data.quark_analysis.weight_sum)
print_warning(w.calculate())
print_info("Total Score: " + str(data.quark_analysis.score_sum))
print(data.quark_analysis.summary_report_table)
if classification:
data.show_rule_classification()
if graph:
data.show_call_graph()
# Show detail report
if detail:
if detail == "all_rules":
label_flag = False
elif detail.endswith("json"):
rules_list = [detail]
label_flag = False
else:
label_flag = True
for single_rule in tqdm(rules_list):
rulepath = os.path.join(rule, single_rule)
rule_checker = QuarkRule(rulepath)
labels = rule_checker._label
if label_flag:
if detail not in labels:
continue
# Run the checker
data.run(rule_checker)
print("Rulepath: " + rulepath)
print("Rule crime: " + rule_checker._crime)
data.show_detail_report(rule_checker)
print_success("OK")
if classification:
data.show_rule_classification()
if graph:
data.show_call_graph()
# Show JSON report
if output:
for single_rule in tqdm(rules_list):
rulepath = os.path.join(rule, single_rule)
rule_checker = QuarkRule(rulepath)
# Run the checker
data.run(rule_checker)
data.generate_json_report(rule_checker)
json_report = data.get_json_report()
with open(output, "w") as file:
json.dump(json_report, file, indent=4)
file.close()
if list:
if list == "all":
for all_method in data.apkinfo.all_methods:
print(all_method.full_name)
if list == "native":
for api in data.apkinfo.android_apis:
print(api.full_name)
if list == "custom":
for custom_method in data.apkinfo.custom_methods:
print(custom_method.full_name)
if permission:
for p in data.apkinfo.permissions:
print(p)
