CabConModding
Facebook
Twitter
youtube
Discord
Contact us
RSS
Menu
CabConModding
Home
New
Top
Premium
Rules
FAQ - Frequently Asked Questions
Games
Fornite
Call of Duty: Black Ops 3
Clash of Clans
Grand Theft Auto 5
Apex Legends
Assassin’s Creed Origins
Forums
Premium
Latest posts
What's new
Latest posts
New profile posts
Latest activity
Members
Current visitors
New profile posts
Log in
Register
What's new
Premium
Latest posts
Menu
Log in
Register
Navigation
Install the app
Install
More options
Dark Theme
Contact us
Close Menu
Forums
Mobile Section
Android
Quark Engine - An Obfuscation-Neglect Android Malware Scoring System
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Reply to thread
Message
<blockquote data-quote="NordCFW" data-source="post: 51553" data-attributes="member: 101324"><p><strong>Overview:</strong></p><p></p><p>Android malware analysis engine is not a new story. Every antivirus company has their own secrets to build it. With curiosity, we develop a malware scoring system from the perspective of Taiwan Criminal Law in an easy but solid way. They have an order theory of criminal which explains stages of committing a crime. For example, crime of murder consists of five stages, they are determined, conspiracy, preparation, start and practice. The latter the stage the more we’re sure that the crime is practiced. According to the above principle, we developed our order theory of android malware. We develop five stages to see if the malicious activity is being practiced. </p><ul> <li data-xf-list-type="ul">They are 1. Permission requested. </li> <li data-xf-list-type="ul">2. Native API call. </li> <li data-xf-list-type="ul">3. Certain combination of native API. </li> <li data-xf-list-type="ul">4. Calling sequence of native API. </li> <li data-xf-list-type="ul">5. APIs that handle the same register.</li> </ul><p>They not only define malicious activities and their stages but also develop weights and thresholds for calculating the threat level of a malware. Malware evolved with new techniques to gain difficulties for reverse engineering. Obfuscation is one of the most commonly used techniques. In this talk, we present a Dalvik bytecode loader with the order theory of android malware to neglect certain cases of obfuscation.</p><p></p><p>Dalvik bytecode loader consists of functionalities such as :</p><ul> <li data-xf-list-type="ul">1. Finding cross reference and calling sequence of the native API. </li> <li data-xf-list-type="ul">2. Tracing the bytecode register. </li> </ul><p>The combination of these functionalities (yes, the order theory) not only can neglect obfuscation but also match perfectly to the design of our malware scoring system.</p><p><strong>Detail Report:</strong></p><p></p><p>This is a how we examine a real android malware (candy corn) with one single rule (crime).</p><p>[CODE]$ quark -a sample/14d9f1a92dd984d6040cc41ed06e273e.apk \</p><p>-r rules/ \</p><p>--detail[/CODE]</p><p></p><p><img src="https://camo.githubusercontent.com/55b34ad08e132b84bd636338d6c2b93a65429926/68747470733a2f2f692e696d6775722e636f6d2f6b68316a7073512e706e67" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><strong>Summary Report:</strong></p><p>Examine the rules.</p><p>[CODE]quark -a sample/14d9f1a92dd984d6040cc41ed06e273e.apk \</p><p> -r rules/ \</p><p> --summary[/CODE]</p><p><img src="https://camo.githubusercontent.com/b81343efee95198d37384bed34666623bfe1f314/68747470733a2f2f692e696d6775722e636f6d2f4962303156366b2e706e67" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><strong>Download:</strong></p><p><strong>[URL unfurl="true"]https://github.com/quark-engine/quark-engine[/URL]</strong></p></blockquote><p></p>
[QUOTE="NordCFW, post: 51553, member: 101324"] [B]Overview:[/B] Android malware analysis engine is not a new story. Every antivirus company has their own secrets to build it. With curiosity, we develop a malware scoring system from the perspective of Taiwan Criminal Law in an easy but solid way. They have an order theory of criminal which explains stages of committing a crime. For example, crime of murder consists of five stages, they are determined, conspiracy, preparation, start and practice. The latter the stage the more we’re sure that the crime is practiced. According to the above principle, we developed our order theory of android malware. We develop five stages to see if the malicious activity is being practiced. [LIST] [*]They are 1. Permission requested. [*]2. Native API call. [*]3. Certain combination of native API. [*]4. Calling sequence of native API. [*]5. APIs that handle the same register. [/LIST] They not only define malicious activities and their stages but also develop weights and thresholds for calculating the threat level of a malware. Malware evolved with new techniques to gain difficulties for reverse engineering. Obfuscation is one of the most commonly used techniques. In this talk, we present a Dalvik bytecode loader with the order theory of android malware to neglect certain cases of obfuscation. Dalvik bytecode loader consists of functionalities such as : [LIST] [*]1. Finding cross reference and calling sequence of the native API. [*]2. Tracing the bytecode register. [/LIST] The combination of these functionalities (yes, the order theory) not only can neglect obfuscation but also match perfectly to the design of our malware scoring system. [B]Detail Report:[/B] This is a how we examine a real android malware (candy corn) with one single rule (crime). [CODE]$ quark -a sample/14d9f1a92dd984d6040cc41ed06e273e.apk \ -r rules/ \ --detail[/CODE] [IMG]https://camo.githubusercontent.com/55b34ad08e132b84bd636338d6c2b93a65429926/68747470733a2f2f692e696d6775722e636f6d2f6b68316a7073512e706e67[/IMG] [B]Summary Report:[/B] Examine the rules. [CODE]quark -a sample/14d9f1a92dd984d6040cc41ed06e273e.apk \ -r rules/ \ --summary[/CODE] [IMG]https://camo.githubusercontent.com/b81343efee95198d37384bed34666623bfe1f314/68747470733a2f2f692e696d6775722e636f6d2f4962303156366b2e706e67[/IMG] [B]Download: [URL unfurl="true"]https://github.com/quark-engine/quark-engine[/URL][/B] [/QUOTE]
Verification
Post reply
Forums
Mobile Section
Android
Quark Engine - An Obfuscation-Neglect Android Malware Scoring System
CabConModding is now on facebook! Check the latest Updates, the Site Status and much more now!
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.
Accept
Learn more…
Top