Add new Quark rules for BRATA malware detection#917
Merged
Add a malware report section for the BRATA Android banking trojan (MITRE ATT&CK Mobile S1094) covering rule ev-flow#276. The report walks through 4 techniques the family employs — security software discovery, screen capture, input injection, and data from local system — with a behavior map and rule citations for each.
Sync the BRATA section with the same structure used for GodFather and TangleBot:
* Restructure intro — move MITRE framing and sample provenance from intro into the "Identified Well-Known Threats" section, leaving the intro to just the rule announcement and accuracy claim.
* Reorder each technique block: MITRE definition now comes before the behavior map image so readers see the technique definition first, then the Quark evidence.
* Drop the "Cluster reflects ... see description below" disclaimer and fold the cluster-to-technique rationale directly into the descriptive prose for T1418.001.
* Drop the T1516 Input Injection section entirely. Its image file was missing (the behavior_map step did not render or upload it) and the section had no "Behaviors detected by Quark" bullet list, so the rendered output would have shown a broken image link with no rule citations. The T1516 row in the MITRE table is removed too so the table and the per-technique walkthrough stay aligned.
* Fix spelling and style: behaviour -> behavior, BRATA capitalisation in prose, drop "sample(s)" plural marker, "literature profile" -> "documented profile".
* Update intro wording to state that MITRE ATT&CK Mobile is the reference taxonomy and that the current Quark rule set detects all listed techniques statically from APK bytecode.
* Add the missing blank line between the TangleBot APK table and the BRATA section heading so the RST renders cleanly.
* T1513 description: switch from plural "Combined, these APIs allow" to singular "This call enables" so the verb agrees with the single rule (ev-flow#210) cited below.
* T1513 description: change adverbial "in real-time" to "in real time" (no hyphen for adverbial use; the hyphenated form is the adjective).
* T1533 heading: lowercase "from" in "Data from Local System" to match MITRE's official wording and the row in the technique table.
The previous wording claimed BRATA "enumerates installed applications" and "lists every installed app", but the Quark cluster behind this section contains a single rule (ev-flow#265 "Get application info and label") — a one-shot application-metadata lookup, not an iteration over all installed apps. Rewrite the description to state what Quark actually observed (the single-app lookup primitive) and then explain that T1418.001 Security Software Discovery is the documented BRATA use case for that primitive — calling it against a list of known mobile-security product package names. This keeps the report's claims aligned with the underlying evidence.
The previous description claimed BRATA "harvests contact data including email addresses", but the behavior map does not support the email-address specificity. The three underlying rules (ev-flow#187, ev-flow#212, ev-flow#215) detect only generic ContentResolver/Cursor operations (query + moveToNext / getString / getCount) — none of them evidences extraction of a specific field such as email. The "email" wording was inferred from the B4A method name FindByMail, not from the detected behavior. Reword to state what the behavior map actually shows: generic content-provider reads via the app's B4A ContactsWrapper, whose contact-oriented method names indicate the contact database is the target, while explicitly noting the rules do not pin down a specific field.
The previous wording ("Quark observes the single-app lookup primitive; ... calling this primitive against a list of known mobile-security product package names ...") was dense and hard to follow. Rewrite as three plain sentences: what Quark detected (a single-app package-manager lookup), how malware turns that into security-software discovery (querying known AV package names), and the T1418.001 mapping plus its purpose (deciding whether to keep operating or stay dormant).
Added BRATA banking trojan details to the README.
The BRATA rules PR was closed: analysis showed BRATA needs no new rule (its detectable behaviors are already covered by existing rules, and the only L5-passing candidate had no malware-vs-benign discrimination). The section intro still announced "New Quark rule (ev-flow#276) is now available", which is no longer true. Reword the heading and intro to state that Quark's existing rule set already detects BRATA, with no new rule required. The technique walkthrough is unchanged — it already cites only existing rules (ev-flow#265, ev-flow#210, ev-flow#187/ev-flow#212/ev-flow#215).
…Report" Align the section title with the wording used in the X post announcement.
Brata Malware Family Analysis Report
Quark's existing rule set already detects the BRATA malware family — no new rule was required. Check here for the rule set.
With these rules, Quark is able to identify the BRATA malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. See tested APKs below.
Identified Well-Known Threats
This section uses MITRE ATT&CK Mobile as its reference taxonomy. The table below lists every technique documented for BRATA (per software entry S1094 BRATA) alongside how each manifests in real-world campaigns — all of which the current Quark rule set can detect statically from APK bytecode.
All behavior maps below were rendered from sample 2d15bc6c736c5422f3673d94c8f9d3d28ac1512eae6f459cd768842103266937.apk — chosen as the representative sample whose detected behaviors most fully cover the documented profile of BRATA. The other 21 family samples were used to compute the accuracy and precision figures above.
Each section below corresponds to one technique from the table above. Within each section we first quote the MITRE definition, then show the Quark behavior map extracted from the representative sample's bytecode, then walk through the call sequence and list the underlying rules.
1. T1418.001 Security Software Discovery
T1418.001 Security Software Discovery — attack.mitre.org
The behavior map above shows BRATA querying the package manager for a single application's information and display label (GetApplicationLabel). Malware uses this same lookup to check for security software: by querying the package names of known antivirus or mobile-security apps, it can tell whether any are installed. This is the Security Software Discovery (T1418.001) behavior documented for BRATA — it lets the malware decide whether to keep operating or stay dormant to avoid detection.
Behaviors detected by Quark:
2. T1513 Screen Capture
T1513 Screen Capture — attack.mitre.org
onImageAvailable copies pixels from the latest rendered image into a Bitmap object. This call enables the malware to capture screenshots of the device screen in real time.
Behaviors detected by Quark:
3. T1533 Data from Local System
T1533 Data from Local System — attack.mitre.org
FindByMail calls getAllContacts to read records from a content provider via ContentResolver, iterating the returned cursor. Both are methods of the app's B4A ContactsWrapper, indicating the queries target the device's contact database. The behavior map evidences these generic content-provider reads; it does not pin down a specific field such as email address.
Behaviors detected by Quark:
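The three technique sections above each tie a cluster of Quark rules to one MITRE technique, and the commit history notes that T1533 rests on three rules firing together. The script below, an added example and not part of the Quark project or this report, turns that cluster-to-technique reasoning into a triage step over a Quark JSON report; the report layout (a "crimes" list with "rule" and percentage "confidence" fields) is an assumption, and the sample report is constructed.

```python
import json

# Rule clusters cited per technique in the BRATA walkthrough above.
TECHNIQUE_RULES = {
    "T1418.001 Security Software Discovery": {"ev-flow#265"},
    "T1513 Screen Capture": {"ev-flow#210"},
    "T1533 Data from Local System": {"ev-flow#187", "ev-flow#212", "ev-flow#215"},
}

# Constructed sample in the shape assumed for a Quark JSON report ("crimes"
# entries carrying a rule id and a percentage confidence). Crime names other
# than ev-flow#265's are placeholders, not the project's real rule titles.
SAMPLE_REPORT = json.dumps({
    "apk_filename": "constructed-sample.apk",
    "crimes": [
        {"rule": "ev-flow#265", "crime": "Get application info and label", "confidence": "100%"},
        {"rule": "ev-flow#210", "crime": "placeholder screen-capture rule", "confidence": "100%"},
        {"rule": "ev-flow#187", "crime": "placeholder content-provider query", "confidence": "100%"},
        {"rule": "ev-flow#212", "crime": "placeholder cursor iteration", "confidence": "80%"},
        {"rule": "ev-flow#215", "crime": "placeholder cursor read", "confidence": "100%"},
    ],
})


def confirmed_rules(report_json, min_confidence=100):
    """Ids of rules whose confidence (e.g. "100%" or 100) reaches min_confidence."""
    hits = set()
    for crime in json.loads(report_json).get("crimes", []):
        try:
            pct = float(str(crime.get("confidence", "0")).rstrip("%"))
        except ValueError:
            continue  # malformed entry: skip it rather than abort the triage run
        if pct >= min_confidence:
            hits.add(crime["rule"])
    return hits


def map_techniques(report_json, min_confidence=100):
    """Per technique: 'covered' if every rule in its cluster fired, 'partial' if
    only some did, 'absent' otherwise. Only a complete cluster counts as the
    technique, matching how the section ties rule evidence to each technique."""
    hits = confirmed_rules(report_json, min_confidence)
    status = {}
    for technique, rules in TECHNIQUE_RULES.items():
        matched = rules & hits
        status[technique] = ("covered" if matched == rules
                             else "partial" if matched else "absent")
    return status
```

With the constructed report, T1533 comes out as "partial" because ev-flow#212 only reached 80% confidence; lowering min_confidence to 80 marks it "covered".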
List of Tested APKs
The table below lists the APKs we tested.