From 36f070a878ec3052251422bfd8d35bde41a43b31 Mon Sep 17 00:00:00 2001 From: zinwang Date: Tue, 23 Sep 2025 21:17:40 +0800 Subject: [PATCH 1/6] Add docs for spynote --- docs/source/quark_rules.rst | 113 ++++++++++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+) diff --git a/docs/source/quark_rules.rst b/docs/source/quark_rules.rst index 282df143..8dc3a62f 100644 --- a/docs/source/quark_rules.rst +++ b/docs/source/quark_rules.rst 
@@ -736,3 +736,116 @@ The table below lists the APKs we tested. +-------+------------------------------------------------------------------+ | 22 | 969BCDB8DC4043483AB645AFFF4616A1845F2276EF4165475F6357D71508047C | +-------+------------------------------------------------------------------+ + + +New Quark Rules For SpyNote +=============================== + +New Quark rules (#238 - #242) are now available. These rules target `SpyNote `_\ , a malware family that takes screenshots, simulates user gestures, logs user input, and communicates with C2 servers. Check `here `_ for the rule details. + +With these rules, Quark is now able to identify the SpyNote malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here `_ for the APKs we tested. + +Below is a summary report of a SpyNote sample (\ ``0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b``\ ). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence. + + +.. image:: https://cdn.imgpile.com/f/qg9XDXG_xl.png + :target: https://cdn.imgpile.com/f/qg9XDXG_xl.png + :alt: + + +Identified Well-Known Threats +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +With Quark's `rule classification `_ feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 4 well-known threats from SpyNote, as shown below. + +**1. Take screenshots** + + +.. image:: https://i.postimg.cc/Pqqs73kx/0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b5.png + :target: https://i.postimg.cc/Pqqs73kx/0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b5.png + :alt: + + +The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/keydkuycdcczonreivsieapzgrzkejxcowwsziydpvouihgqnu3/AccessService`` function extracts screenshot data from the hardware and compresses it as bitmap format. 
+ +Behaviors detected by Quark: + + +* Extract screenshot data and compresses it as bitmap format (#238) + +**2. Simulate user gestures** + + +.. image:: https://i.postimg.cc/YS8PG930/0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b1.png + :target: https://i.postimg.cc/YS8PG930/0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b1.png + :alt: + + +The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/Perfct;clickByGesture`` function builds and dispatches a gesture description to simulate how the user operating the phone with fingers. + +Behaviors detected by Quark: + + +* Build a gesture description and dispatch it through an accessibility service (#240) + +**3. Log user input** + + +.. image:: https://i.postimg.cc/qMRvzhxh/0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b2.png + :target: https://i.postimg.cc/qMRvzhxh/0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b2.png + :alt: + + +The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/keydkuycdcczonreivsieapzgrzkejxcowwsziydpvouihgqnu3/AccessService;checkPassword`` function obtains the text that describes a UI element. It also calls the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/FileUtils;writeText`` to log the data to a file. If the UI element is the keypad on the screen lock, the login password will be logged. + +Behaviors detected by Quark: + + +* Obtain the text that describes a UI element (#241) +* Write data to a file (#242) + +**4. Communicate with C2 servers** + + +.. 
image:: https://i.postimg.cc/CLNbVqLR/0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b3.png + :target: https://i.postimg.cc/CLNbVqLR/0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b3.png + :alt: + + +The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/hlshzietuthuztzpsjgswpikkmwdxkiqxbzdseqdoywzyerfhi4/CameraHandler$1;run`` function establishes a socket connection using a specific network address. The specific network address could be a malicious C2 server. + +Behaviors detected by Quark: + + +* Establish a socket connection using a specific network address (#239) + +List of Tested APKs +~~~~~~~~~~~~~~~~~~~ + +The table below lists the APKs we tested. + +.. list-table:: + :header-rows: 1 + + * - index + - sha256 + * - 1 + - 059b5f74e053c2966775157cd521580fcfaa3b1a7613560b8f499dbd9c11d4b4 + * - 2 + - 0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b + * - 3 + - 4b2b411e03aafaa19ea93286fadd39a5134f4a039db2d5019b1054547c0d5601 + * - 4 + - 5c01f7727c78dea9c89dccf92b01b4c45e69406e6462340779401497bf4d4589 + * - 5 + - 8c365bd58edeb2ca371ead5e28350ee6c480a79f558d967ecbef525e9f1d7b3e + * - 6 + - da4f59bdc91eaeaba238a8ba9602f7d5cc75f0892a92f5422e23b55accbbb2f0 + * - 7 + - dd7650a9cd3f853e109d2d0138ede785e1559d6c2d8c52eec2f2d9808a924f1c + * - 8 + - dee1eaaa8879a7d321ef4e698203be7b23eeda80a6dea3c70cbf3138597b1800 + * - 9 + - f46b863952599b91a4d2d682a80f345dfa03fad473d1938f2c53a3139c87a019 + * - 10 + - eec5096dfca6824317863f9225c29f6c4b3442c48fefa62dc382e3569bca5a60 \ No newline at end of file From 578d0f16bb44a358865f7da0ecb5a9b5c022e7e7 Mon Sep 17 00:00:00 2001 From: zinwang Date: Tue, 23 Sep 2025 21:25:07 +0800 Subject: [PATCH 2/6] Fix rule num --- docs/source/quark_rules.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/source/quark_rules.rst b/docs/source/quark_rules.rst index 8dc3a62f..87113b6d 100644 --- a/docs/source/quark_rules.rst 
+++ b/docs/source/quark_rules.rst @@ -771,7 +771,7 @@ The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvn Behaviors detected by Quark: -* Extract screenshot data and compresses it as bitmap format (#238) +* Extract screenshot data and compresses it as bitmap format (#00238) **2. Simulate user gestures** @@ -786,7 +786,7 @@ The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvn Behaviors detected by Quark: -* Build a gesture description and dispatch it through an accessibility service (#240) +* Build a gesture description and dispatch it through an accessibility service (#00240) **3. Log user input** @@ -801,8 +801,8 @@ The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvn Behaviors detected by Quark: -* Obtain the text that describes a UI element (#241) -* Write data to a file (#242) +* Obtain the text that describes a UI element (#00241) +* Write data to a file (#00242) **4. Communicate with C2 servers** @@ -817,7 +817,7 @@ The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvn Behaviors detected by Quark: -* Establish a socket connection using a specific network address (#239) +* Establish a socket connection using a specific network address (#00239) List of Tested APKs ~~~~~~~~~~~~~~~~~~~ From 39e8d34361ae2d287c757912895e0ff280b5959b Mon Sep 17 00:00:00 2001 From: zinwang Date: Wed, 24 Sep 2025 02:49:11 +0800 Subject: [PATCH 3/6] update docs --- docs/source/quark_rules.rst | 46 ++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/docs/source/quark_rules.rst b/docs/source/quark_rules.rst index 87113b6d..66477a02 100644 --- a/docs/source/quark_rules.rst +++ b/docs/source/quark_rules.rst 
@@ -739,88 +739,88 @@ The table below lists the APKs we tested. New Quark Rules For SpyNote -=============================== +=========================== New Quark rules (#238 - #242) are now available. These rules target `SpyNote `_\ , a malware family that takes screenshots, simulates user gestures, logs user input, and communicates with C2 servers. Check `here `_ for the rule details. -With these rules, Quark is now able to identify the SpyNote malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here `_ for the APKs we tested. +With these rules, Quark is now able to identify the SpyNote malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested. Below is a summary report of a SpyNote sample (\ ``0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b``\ ). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence. -.. image:: https://cdn.imgpile.com/f/qg9XDXG_xl.png - :target: https://cdn.imgpile.com/f/qg9XDXG_xl.png +.. image:: https://i.postimg.cc/bNTSJtXn/Screenshot-2025-09-24-02-17-28-Screenshot-2025-09-24-02-17-51-Screenshot-2025-09-24-02-18-20.jpg + :target: https://i.postimg.cc/bNTSJtXn/Screenshot-2025-09-24-02-17-28-Screenshot-2025-09-24-02-17-51-Screenshot-2025-09-24-02-18-20.jpg :alt: Identified Well-Known Threats -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ With Quark's `rule classification `_ feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 4 well-known threats from SpyNote, as shown below. **1. Take screenshots** -.. image:: https://i.postimg.cc/Pqqs73kx/0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b5.png - :target: https://i.postimg.cc/Pqqs73kx/0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b5.png +.. 
image:: https://i.postimg.cc/wMcJFd87/screenshot.png + :target: https://i.postimg.cc/wMcJFd87/screenshot.png :alt: -The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/keydkuycdcczonreivsieapzgrzkejxcowwsziydpvouihgqnu3/AccessService`` function extracts screenshot data from the hardware and compresses it as bitmap format. +The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/keydkuycdcczonreivsieapzgrzkejxcowwsziydpvouihgqnu3/AccessService`` function obtains screenshot data and converts it into bitmap format. Behaviors detected by Quark: -* Extract screenshot data and compresses it as bitmap format (#00238) +* Extract screenshot data to bitmap format (#00238) **2. Simulate user gestures** -.. image:: https://i.postimg.cc/YS8PG930/0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b1.png - :target: https://i.postimg.cc/YS8PG930/0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b1.png +.. image:: https://i.postimg.cc/k4yXpMG3/gesture.png + :target: https://i.postimg.cc/k4yXpMG3/gesture.png :alt: -The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/Perfct;clickByGesture`` function builds and dispatches a gesture description to simulate how the user operating the phone with fingers. +The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/Perfct;clickByGesture`` function simulates user finger gestures on a mobile phone. Behaviors detected by Quark: -* Build a gesture description and dispatch it through an accessibility service (#00240) +* Simulate user gestures (#00240) **3. Log user input** -.. image:: https://i.postimg.cc/qMRvzhxh/0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b2.png - :target: https://i.postimg.cc/qMRvzhxh/0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b2.png +.. 
image:: https://i.postimg.cc/pVcgt0r5/logging.png + :target: https://i.postimg.cc/pVcgt0r5/logging.png :alt: -The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/keydkuycdcczonreivsieapzgrzkejxcowwsziydpvouihgqnu3/AccessService;checkPassword`` function obtains the text that describes a UI element. It also calls the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/FileUtils;writeText`` to log the data to a file. If the UI element is the keypad on the screen lock, the login password will be logged. +The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/keydkuycdcczonreivsieapzgrzkejxcowwsziydpvouihgqnu3/AccessService;checkPassword`` function obtains the description of a UI element. It also calls the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/FileUtils;writeText`` to log the data to a file. If the UI element is a button on the lock screen, the user's password can be logged. Behaviors detected by Quark: -* Obtain the text that describes a UI element (#00241) +* Get the description of a UI element (#00241) * Write data to a file (#00242) **4. Communicate with C2 servers** -.. image:: https://i.postimg.cc/CLNbVqLR/0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b3.png - :target: https://i.postimg.cc/CLNbVqLR/0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b3.png +.. image:: https://i.postimg.cc/cCHZkQPw/connect.png + :target: https://i.postimg.cc/cCHZkQPw/connect.png :alt: -The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/hlshzietuthuztzpsjgswpikkmwdxkiqxbzdseqdoywzyerfhi4/CameraHandler$1;run`` function establishes a socket connection using a specific network address. The specific network address could be a malicious C2 server. 
+The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/hlshzietuthuztzpsjgswpikkmwdxkiqxbzdseqdoywzyerfhi4/CameraHandler$1;run`` function establishes a connection to an IP address, which could be a malicious C2 server. Behaviors detected by Quark: -* Establish a socket connection using a specific network address (#00239) +* Establish a connection to an IP address (#00239) List of Tested APKs -~~~~~~~~~~~~~~~~~~~ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The table below lists the APKs we tested. @@ -848,4 +848,4 @@ The table below lists the APKs we tested. * - 9 - f46b863952599b91a4d2d682a80f345dfa03fad473d1938f2c53a3139c87a019 * - 10 - - eec5096dfca6824317863f9225c29f6c4b3442c48fefa62dc382e3569bca5a60 \ No newline at end of file + - eec5096dfca6824317863f9225c29f6c4b3442c48fefa62dc382e3569bca5a60 From 0b558c44a35dfd9021690a93b9770121f68745de Mon Sep 17 00:00:00 2001 From: zinwang Date: Wed, 24 Sep 2025 03:00:57 +0800 Subject: [PATCH 4/6] update docs --- docs/source/quark_rules.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/source/quark_rules.rst b/docs/source/quark_rules.rst index 66477a02..88ad33a2 100644 --- a/docs/source/quark_rules.rst +++ b/docs/source/quark_rules.rst 
@@ -743,7 +743,7 @@ New Quark Rules For SpyNote New Quark rules (#238 - #242) are now available. These rules target `SpyNote `_\ , a malware family that takes screenshots, simulates user gestures, logs user input, and communicates with C2 servers. Check `here `_ for the rule details. -With these rules, Quark is now able to identify the SpyNote malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested. +With these rules, Quark is now able to identify the SpyNote malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here ` for the APKs we tested. Below is a summary report of a SpyNote sample (\ ``0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b``\ ). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence. @@ -819,6 +819,8 @@ Behaviors detected by Quark: * Establish a connection to an IP address (#00239) +.. _list-of-tested-apks-spynote: + List of Tested APKs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From 720645f1aae86446d4187b3010a6c5972c74e27b Mon Sep 17 00:00:00 2001 From: zinwang Date: Wed, 24 Sep 2025 10:43:25 +0800 Subject: [PATCH 5/6] update docs --- docs/source/quark_rules.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/source/quark_rules.rst b/docs/source/quark_rules.rst index 88ad33a2..d1409787 100644 --- a/docs/source/quark_rules.rst +++ b/docs/source/quark_rules.rst 
@@ -748,8 +748,8 @@ With these rules, Quark is now able to identify the SpyNote malware family as hi Below is a summary report of a SpyNote sample (\ ``0713a683567125ea6fdff233cfa850b36a0d2c7d7c964510405cbdf669fe2a8b``\ ). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence. -.. image:: https://i.postimg.cc/bNTSJtXn/Screenshot-2025-09-24-02-17-28-Screenshot-2025-09-24-02-17-51-Screenshot-2025-09-24-02-18-20.jpg - :target: https://i.postimg.cc/bNTSJtXn/Screenshot-2025-09-24-02-17-28-Screenshot-2025-09-24-02-17-51-Screenshot-2025-09-24-02-18-20.jpg +.. image:: https://i.postimg.cc/4NYt9kTb/Screenshot-2025-09-24-10-00-28-Screenshot-2025-09-24-10-03-382.jpg + :target: https://i.postimg.cc/4NYt9kTb/Screenshot-2025-09-24-10-00-28-Screenshot-2025-09-24-10-03-382.jpg :alt: From c842f0da6efbbf4c8568c15eb3aba356f8922a49 Mon Sep 17 00:00:00 2001 From: zinwang Date: Wed, 24 Sep 2025 10:43:47 +0800 Subject: [PATCH 6/6] update docs --- docs/source/quark_rules.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/quark_rules.rst b/docs/source/quark_rules.rst index d1409787..4652643c 100644 --- a/docs/source/quark_rules.rst +++ b/docs/source/quark_rules.rst 
@@ -796,7 +796,7 @@ Behaviors detected by Quark: :alt: -The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/keydkuycdcczonreivsieapzgrzkejxcowwsziydpvouihgqnu3/AccessService;checkPassword`` function obtains the description of a UI element. It also calls the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/FileUtils;writeText`` to log the data to a file. If the UI element is a button on the lock screen, the user's password can be logged. +The behavior map shows that the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/keydkuycdcczonreivsieapzgrzkejxcowwsziydpvouihgqnu3/AccessService;checkPassword`` function obtains the description of a UI element. It also calls the ``Lcom/maintain/gybbpabtniopoetzeacrkmlxdhuvgpvnwtahmsaxmtnaltfrgf2/FileUtils;writeText`` to log the data to a file. If the UI element is a keypad button on the lock screen, the user's password can be logged. Behaviors detected by Quark:
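Review bot: in the first hunk of PATCH 1/6 (``@@ -736,3 +736,116 @@``) none of the new references has a visible target: `` `SpyNote `_ ``, `` `here `_ `` and `` `rule classification `_ `` are written as named references without a ``<url>`` or a matching ``.. _name:`` target, and ``:ref:`here `_`` combines the ``:ref:`` role with an external-link underscore and names no label, so Sphinx will report unknown targets. Write them as `` `SpyNote <url>`_ `` (or add ``.. _SpyNote: url`` targets) and the cross-reference as ``:ref:`here <label>``` with a label defined above the "List of Tested APKs" heading; descriptive link text ("the rule details", "the tested APKs") is also preferable to "here". Two smaller points in the same hunk: the #238 paragraph calls ``...AccessService`` a function although, unlike ``Perfct;clickByGesture``, it names a class with no method, so give the method that produces the screenshot; and the bullet "Extract screenshot data and compresses it as bitmap format" and the sentence "simulate how the user operating the phone with fingers" need their verbs fixed. Finally, the five ``.. image::`` directives point at imgpile.com and postimg.cc with empty ``:alt:`` lines; consider committing the figures under ``docs/source`` and adding alt text so the rendered docs do not depend on third-party hosting.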
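Review bot: PATCH 2/6 pads the rule numbers in the four bullet lists to five digits (``#00238`` ... ``#00242``), but the introductory sentence left in context, "New Quark rules (#238 - #242) are now available", keeps the unpadded form, so the section now uses two formats for the same identifiers. Update the intro in the same commit, or keep ``#238``-style everywhere and let the link to the rule details carry the canonical names.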
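Review bot: in the first hunk of PATCH 3/6 (``@@ -739,88 +739,88 @@``) the line ``-With these rules, ... Please check :ref:`here `_ for the APKs we tested.`` is replaced by plain text ("Please check here for the APKs we tested."), which removes the broken role but leaves a "here" that points nowhere; the cross-reference should be repaired rather than dropped. The same hunk trims the ``New Quark Rules For SpyNote`` and ``Identified Well-Known Threats`` underlines to match their titles but lengthens the ``List of Tested APKs`` underline to 29 characters, which is inconsistent with that cleanup. Since the reworded bullets ("Extract screenshot data to bitmap format", "Simulate user gestures", "Get the description of a UI element", "Establish a connection to an IP address") are presented as the behaviours Quark reports, please confirm they match the descriptions in rules #00238 to #00242 that the intro links to, and the reworded #238 sentence still describes ``...AccessService`` as a function rather than naming its method.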
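Review bot: in the first hunk of PATCH 4/6 (``@@ -743,7 +743,7 @@``) the new line ``Please check :ref:`here ` for the APKs we tested.`` still has no label between the link text and the closing backtick, so the role cannot resolve even though the second hunk adds ``.. _list-of-tested-apks-spynote:`` above the heading; it should read ``:ref:`here <list-of-tested-apks-spynote>``` (or simply ``:ref:`list-of-tested-apks-spynote``` to reuse the heading text).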
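Review bot: PATCH 5/6 swaps the summary-report image for a second time, again to a postimg.cc upload (``Screenshot-2025-09-24-10-00-28-Screenshot-2025-09-24-10-03-382.jpg``) whose name shows it is a composite of several phone screenshots, and the ``:alt:`` line stays empty. Committing the composite under the docs tree and describing it in ``:alt:`` (for example, "Quark summary report marking the SpyNote sample as high-risk") makes the figure reviewable in the diff and independent of the image host.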
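Review bot: the single-line change in PATCH 6/6 ("a button on the lock screen" to "a keypad button on the lock screen") is a reasonable tightening, but four of the six commits are titled "update docs", which hides what each one changed (rule-number padding, image replacement, cross-reference fix, wording). Please squash the series, or at least the four "update docs" commits, into one commit with a message that states the new SpyNote rule section and the link fixes before merge.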