From 469e34c7cd7dbcdae995497275b6150050c8612e Mon Sep 17 00:00:00 2001 From: Shaun Dang Date: Fri, 16 Jan 2026 11:17:56 +0800 Subject: [PATCH 1/2] Revise README for Android Malware Ontology and features Updated README to reflect new project focus and features. --- README.md | 110 ++++++++++++++++++++---------------------------------- 1 file changed, 40 insertions(+), 70 deletions(-) diff --git a/README.md b/README.md index 17330bc95..7249af1da 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ build status - codecov + codecov license @@ -32,89 +32,59 @@

-# New Features Coming Soon to Quark Agent +# Android Malware Ontology — Unveil the Behavior of Android Malware +## Malware Family Analysis Report Showcase + + + + + + + + + + + +
-![Oct-11-2024 17-27-46](https://github.com/user-attachments/assets/6643b80b-bd85-450a-b646-9ef1a8b55bc3) +| Family | Summary | Signature Behaviors | Report | +|-------------|----------------------------------------------------|--------------------------|--------| +| DroidKungFu | Privilege escalation with C2 control. | 1. Gain unlimited access to a device.
2. Install/Uninstall additional apps.
3. Forward confidential data. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-droidkungfu) | +| GoldDream | SMS/call log exfiltration with remote C2 commands. | 1. Monitor SMS messages and phone calls.
2. Upload SMS messages and phone calls to remote servers. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-golddream) | +| SpyNote | Credential theft and device surveillance via RAT. | 1. Take screenshots.
2. Simulate user gestures.
3. Log user input.
4. Communicate with C2 servers. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-spynote) | +| DawDropper | Dropper that installs banking trojans for financial theft. | 1. Download APKs from remote servers.
2. Install additional APKs. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-dawdropper) | +| SLocker | Android ransomware locking/encrypting devices. | 1. Lock the device with an overlay screen. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-slocker) | +| PhantomCard | NFC relay–based financial fraud. | 1. Communicate with C2 servers.
2. Read the payment data of NFC cards.
3. Captures PINs of NFC cards through deceptive screens. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-phantomcard) | -![Screenshot 2024-09-26 at 2 40 55 PM](https://github.com/user-attachments/assets/9a83b256-1b9f-480f-a061-2400e2e868bc) -Screenshot 2024-09-26 at 2 41 52 PM -We are currently focused on: -- The next step of the detection process for auto-suggestion. -- Effortlessly create detection workflows with natural language—no coding required. -- Easily adjust and refine workflows through an intuitive drag-and-drop interface. -- Instantly update and integrate changes as Quark Agent understands and adapts to workflow modifications. - -We are committed to providing an intuitive and user-friendly experience, enabling users to design detection workflows seamlessly through both textual and visual methods. - -Many features are still under development and fine-tuning, and we will roll them out step by step as they become ready. - -If you have any suggestions, please don’t hesitate to share them with us! - -To stay updated with the latest news, make sure to watch our GitHub repository and follow us on [X (Twitter)](https://twitter.com/quarkengine). - -# Quark Agent - Your AI-powered Android APK Analyst - -![quark agent demo](https://hackmd.io/_uploads/By6ggTni0.png) - -With Quark Agent, you can perform analyses using only natural language. It creates Quark Script code following your ideas and adjusts the code promptly as you provide feedback. - -# Showcase: - -Here’s a demonstration of using Quark Agent to detect the CWE-798 vulnerability in the ovaa.apk file. - -### Step 1: Environments Requirements - -* Make sure your Python version is 3.10 or above. - -### Step 2: Install Quark Agent - -* Install Quark Agent by running: +## Quick Start +### Step 1. 
Install via PyPi +Install the latest version of Quark Engine: ```bash -git clone https://github.com/quark-engine/quark-engine.git && cd quark-engine -pip install .[QuarkAgent] +$ pip3 install -U quark-engine ``` -### Step 3: Prepare the Detection Rule and the Sample File - +### Step 2. Download Latest Rules +Fetch the latest rule database: ```bash -. -├── ... -├── quark - ├── ... - ├── agent # Put rule file and sample file here - ├── ... +$ freshquark ``` -You can download the **rule file** [here](https://github.com/quark-engine/quark-script/blob/main/constructCryptoGraphicKey.json) and the **sample file** [here](https://github.com/oversecured/ovaa). - -### Step 4: Add your OpenAI API key - -Add your OpenAI API key in `quarkAgentWeb.py` - -```python -os.environ["OPENAI_API_KEY"] = 'your-api-key-here' -``` - -### Step 5: Run Quark Agent - +### Step 3. Run Summary Report +Analyze an APK with the downloaded rules and generate a summary report: ```bash -$ cd quark/agent -$ python3 quarkAgentWeb.py - -# You can now chat with Quark Agent in your browser. -# The default URL is http://127.0.0.1:5000 +$ quark -a -s ``` +### Step 4. View Results +Example output: +Screenshot-2025-11-25-22-36-54 -Open a browser and navigate to `127.0.0.1:5000` to start using Quark Agent - -See more CWE detections using [quark scripts](https://quark-engine.readthedocs.io/en/latest/quark_script.html) and play them with Quark Agent ! -# Acknowledgments +## Acknowledgments ### The Honeynet Project 
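Review bot: In Quick Start Step 3 the command `$ quark -a -s` has no APK path after `-a`, so as written it analyzes nothing; show the argument explicitly, e.g. `$ quark -a path/to/sample.apk -s`, and if an angle-bracket placeholder such as `<apk>` was intended, wrap it in backticks or escape it so the Markdown renderer does not swallow it. Smaller points in the same hunk: "PyPi" in the Step 1 heading should be "PyPI"; the PhantomCard row's third item ("Captures PINs ...") breaks the imperative form every other cell uses ("Capture PINs ..."); Step 4's "Example output:" is followed only by an image named Screenshot-2025-11-25-22-36-54, so readers of the raw README and screen-reader users get nothing, and a short fenced excerpt of the summary report, or at least descriptive alt text, would help. Dropping the old Step 4 that told users to paste an OpenAI key into `quarkAgentWeb.py` is a welcome change; wherever the Quark Agent instructions move, keep the key in an environment variable rather than in source. Since this hunk removes the whole Quark Agent walkthrough together with the link to the quark_script documentation, add one line pointing to where that material now lives, otherwise the "new project focus" leaves existing Quark Agent users with no pointer at all.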
@@ -125,11 +95,11 @@ See more CWE detections using [quark scripts](https://quark-engine.readthedocs.i Quark-Engine has been participating in the GSoC under the Honeynet Project! * 2021: - * [YuShiang Dang](https://twitter.com/YushianhD): [New Rule Generation Technique & Make Quark Everywhere Among Security Open Source Projects](https://quark-engine.github.io/2021/08/17/GSoC-2021-YuShiangDang/) - * [Sheng-Feng Lu](https://twitter.com/haeter525): [Replace the core library of Quark-Engine](https://quark-engine.github.io/2021/08/17/GSoC-2021-ShengFengLu/) + * [YuShiang Dang](https://twitter.com/YushianhD): [New Rule Generation Technique & Make Quark Everywhere Among Security Open Source Projects](https://github.com/ev-flow/ref/blob/main/GSoC-2021-YuShiangDang.md) + * [Sheng-Feng Lu](https://twitter.com/haeter525): [Replace the core library of Quark-Engine](https://github.com/ev-flow/ref/blob/main/GSoC-2021-ShengFengLu.md) Stay tuned for the upcoming GSoC! Join the [Honeynet Slack chat](https://gsoc-slack.honeynet.org/) for more info. -# Core Values of Quark Engine Team +## Core Values of Quark Engine Team * We love **battle fields**. We embrace **uncertainties**. We challenge **impossibles**. We **rethink** everything. We change the way people think. And the most important of all, we benefit ourselves by benefit others **first**. From 177cfad0310c878bf96a562774f923d001d25ab4 Mon Sep 17 00:00:00 2001 From: Shaun Dang Date: Fri, 16 Jan 2026 11:39:43 +0800 Subject: [PATCH 2/2] Update title for Android Malware section --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 7249af1da..cbb126343 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,6 @@

-# Android Malware Ontology — Unveil the Behavior of Android Malware ## Malware Family Analysis Report Showcase
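Review bot: Both GSoC write-up links in the Honeynet Project hunk are redirected from quark-engine.github.io to github.com/ev-flow/ref, a repository outside the quark-engine organization, with no explanation in the commit message or the README; content hosted under a third party's control can change or disappear without the project noticing, so either keep the write-ups under the project's own org or GitHub Pages, or mirror them there and state the relocation in the commit message. The `# Core Values` to `## Core Values` demotion matches the `## Acknowledgments` change in the previous hunk and is fine.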
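Review bot: The commit subject says "Update title for Android Malware section" but the hunk only deletes `# Android Malware Ontology — Unveil the Behavior of Android Malware` and adds nothing in its place, so the section now opens directly with the `## Malware Family Analysis Report Showcase` H2 and the README loses its only heading naming the ontology; either add the intended replacement title or reword the subject to say the title is removed.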