Add docs for DawDropper

[zinwang]

New Quark Rules For DawDropper

New Quark rules (#​243 - #​245) are now available. These rules target DawDropper, a malware family that downloads and installs additional APKs. Check here for the rule details.

With these rules, Quark is now able to identify the DawDropper malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.

Below is a summary report of a DawDropper sample (a1298cc00605c79679f72b22d5c9c8e5c8557218458d6a6bd152b2c2514810eb). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.

Identified Well-Known Threats

With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify two well-known threats from DawDropper, as shown below.

1. Download APKs from remote servers

The behavior map shows that the Lcom/techmediapro/photoediting/core/MainActivity;N0 function downloads a file from a URL. If the URL points to an APK, it indicates that the function downloads an additional APK from a remote server.

Behaviors detected by Quark:

• Connect to a URL and read data from it (#​00243)
• Write data to a file (#​00244)

2. Install additional APKs

The behavior map shows that the Lcom/techmediapro/photoediting/core/MainActivity;S0 function installs additional APKs.

Behaviors detected by Quark:

• Install other APKs from file (#​00245)

List of Tested APKs

The table below lists the APKs we tested.

index	sha256
1	022a01566d6033f6d90ab182c4e69f80a3851565aaaa386c8fa1a9435cb55c91
2	02499a198a8be5e203b7929287115cc84d286fc6afdb1bc84f902e433a7961e4
3	05b3e4071f62763b3925fca9db383aeaad6183c690eecbbf532b080dfa6a5a08
4	71c44a78cd77a8f5767096f268c3193108ac06ff3779c65e78bc879d3b0ff11d
5	77f226769eb1a886606823d5b7832d92f678f0c2e1133f3bbee939b256c398aa
6	8fef8831cbc864ffe16e281b0e4af8e3999518c15677866ac80ffb9495959637
7	9b2064f8808d3aaa2d3dc9f5c7ee0775b29e29df3a958466a8953f148b702461
8	a1298cc00605c79679f72b22d5c9c8e5c8557218458d6a6bd152b2c2514810eb
9	b4bd13770c3514596dd36854850a9507e5734374083a0e4299c697b6c9b9ec58
10	d5ac8e081298e3b14b41f2134dae68535bcf740841e75f91754d3d0c0814ed42

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.10%. Comparing base (ffd44c8) to head (0883cee).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #822   +/-   ##
=======================================
  Coverage   81.10%   81.10%           
=======================================
  Files          75       75           
  Lines        6372     6372           
=======================================
  Hits         5168     5168           
  Misses       1204     1204           

Flag	Coverage Δ
unittests	81.10% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[haeter525]

LGTM. Thanks for the PR