
## Malware Family Analysis Report Showcase
| Family | Summary | Signature Behaviors | Report |
|-------------|----------------------------------------------------|--------------------------|--------|
| DroidKungFu | Privilege escalation with C2 control. | 1. Gain unlimited access to a device.<br>2. Install/Uninstall additional apps.<br>3. Forward confidential data. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-droidkungfu) |
| GoldDream | SMS/call log exfiltration with remote C2 commands. | 1. Monitor SMS messages and phone calls.<br>2. Upload SMS messages and phone calls to remote servers. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-golddream) |
| SpyNote | Credential theft and device surveillance via RAT. | 1. Take screenshots.<br>2. Simulate user gestures.<br>3. Log user input.<br>4. Communicate with C2 servers. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-spynote) |
| DawDropper | Dropper that installs banking trojans for financial theft. | 1. Download APKs from remote servers.<br>2. Install additional APKs. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-dawdropper) |
| SLocker | Android ransomware locking/encrypting devices. | 1. Lock the device with an overlay screen. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-slocker) |
| PhantomCard | NFC relay-based financial fraud. | 1. Communicate with C2 servers.<br>2. Read the payment data of NFC cards.<br>3. Capture PINs of NFC cards through deceptive screens. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-phantomcard) |
| ToxicPanda | Banking trojan enabling on-device fraud. | 1. Abuse Accessibility.<br>2. Remote device control.<br>3. Intercept OTP. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-toxicpanda) |
| Hydra | Banking trojan using overlay attacks. | 1. Overlay credential theft.<br>2. Accessibility abuse.<br>3. Steal OTP/cookies. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-hydra) |
| SharkBot | Banking trojan targeting financial credentials and transactions. | 1. Abuse Accessibility services.<br>2. Perform overlay attacks to steal credentials.<br>3. Intercept SMS messages (OTP). | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-sharkbot) |
| Antidot | Banking trojan disguised as legitimate updates for financial data theft. | 1. Intercept SMS messages (OTP).<br>2. Log user input (keylogging).<br>3. Enable remote control via C2. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-antidot) |
| Arsink | Banking trojan focusing on credential and financial data exfiltration. | 1. Steal sensitive data from device.<br>2. Intercept SMS messages (OTP). | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-arsink) |
| TrickMo | Banking trojan using overlay attacks and accessibility abuse for credential theft. | 1. Overlay attacks to steal banking credentials.<br>2. Intercept SMS for 2FA bypass.<br>3. Screen recording and accessibility abuse.<br>4. Dynamic payload loading via reflection. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-trickmo) |
| Anubis | Banking trojan with RAT capabilities. | 1. Overlay credential theft.<br>2. Keylogging.<br>3. Intercept SMS (OTP).<br>4. Remote control via C2. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-anubis) |
| GodFather | Banking trojan targeting financial credentials through overlay and accessibility abuse. | 1. Perform overlay attacks to steal credentials.<br>2. Abuse Accessibility services.<br>3. Intercept SMS messages (OTP).<br>4. Steal banking credentials and sensitive data. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-godfather) |
| TangleBot | SMS-based Android malware stealing personal and financial data. | 1. Spread through SMS phishing links.<br>2. Control device interactions and overlay screens.<br>3. Access SMS, contacts, call logs, camera, and microphone.<br>4. Steal account and financial information. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-tanglebot) |
| BRATA | Banking trojan with remote control and anti-analysis capabilities. | 1. Perform overlay attacks to steal banking credentials.<br>2. Abuse Accessibility services for device control.<br>3. Intercept SMS messages (OTP).<br>4. Execute factory reset or device wipe commands. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-brata) |
| Cerberus | Banking trojan targeting financial credentials through overlay and device control. | 1. Perform overlay attacks to steal credentials.<br>2. Abuse Accessibility services.<br>3. Log user input (keylogging).<br>4. Enable remote control via C2. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-cerberus) |
| SuperCardX | NFC relay malware enabling contactless payment fraud. | 1. Read NFC payment card data.<br>2. Relay NFC transactions to attacker-controlled devices.<br>3. Communicate with C2 servers.<br>4. Facilitate unauthorized contactless payments. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-supercardx) |

## Quick Start

### Step 1. Install via PyPi

Install the latest version of Quark Engine:

```bash
$ pip3 install -U quark-engine
```

### Step 2. Download Latest Rules

Fetch the latest rule database:

```bash
$ freshquark
```

### Step 3. Run Summary Report

Analyze an APK with the downloaded rules and generate a summary report (replace `<sample.apk>` with the path to the APK under analysis):

```bash
$ quark -a <sample.apk> -s
```

### Step 4. View Results

Example output: see the screenshot in the upstream README.

## Acknowledgments

### The Honeynet Project

### Google Summer Of Code

Quark-Engine has been participating in the GSoC under the Honeynet Project!

* 2021:
  * [YuShiang Dang](https://twitter.com/YushianhD): [New Rule Generation Technique & Make Quark Everywhere Among Security Open Source Projects](https://github.com/ev-flow/ref/blob/main/GSoC-2021-YuShiangDang.md)
  * [Sheng-Feng Lu](https://twitter.com/haeter525): [Replace the core library of Quark-Engine](https://github.com/ev-flow/ref/blob/main/GSoC-2021-ShengFengLu.md)

Stay tuned for the upcoming GSoC! Join the [Honeynet Slack chat](https://gsoc-slack.honeynet.org/) for more info.

## Core Values of Quark Engine Team

* We love **battle fields**. We embrace **uncertainties**. We challenge **impossibles**. We **rethink** everything. We change the way people think. And the most important of all, we benefit ourselves by benefiting others **first**.