https://github.com/ev-flow/quark-engine
android blackbox blackhat defcon malware-analysis malware-detection
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/ev-flow/quark-engine
- Owner: ev-flow
- License: gpl-3.0
- Created: 2019-10-22T01:19:27.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2026-05-02T14:19:09.000Z (about 1 month ago)
- Last Synced: 2026-05-02T15:31:51.314Z (about 1 month ago)
- Topics: android, blackbox, blackhat, defcon, malware-analysis, malware-detection
- Language: Python
- Homepage: https://doc.quark-engine.com
- Size: 10.8 MB
- Stars: 1,671
- Watchers: 39
- Forks: 201
- Open Issues: 73
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome - ev-flow/quark-engine - (Python)
- awesome-ai-agents - ev-flow/quark-engine - Quark Agent is an AI-powered tool that enables natural language-based Android APK vulnerability and malware analysis through automated script generation and intuitive workflow design. (Web Automation and UI Interaction / Browser Automation)
README
## Malware Family Analysis Report Showcase
| Family | Summary | Signature Behaviors | Report |
|---|---|---|---|
| DroidKungFu | Privilege escalation with C2 control. | 1. Gain unlimited access to a device.<br>2. Install/uninstall additional apps.<br>3. Forward confidential data. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-droidkungfu) |
| GoldDream | SMS/call log exfiltration with remote C2 commands. | 1. Monitor SMS messages and phone calls.<br>2. Upload SMS messages and phone calls to remote servers. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-golddream) |
| SpyNote | Credential theft and device surveillance via RAT. | 1. Take screenshots.<br>2. Simulate user gestures.<br>3. Log user input.<br>4. Communicate with C2 servers. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-spynote) |
| DawDropper | Dropper that installs banking trojans for financial theft. | 1. Download APKs from remote servers.<br>2. Install additional APKs. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-dawdropper) |
| SLocker | Android ransomware locking/encrypting devices. | 1. Lock the device with an overlay screen. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-slocker) |
| PhantomCard | NFC relay-based financial fraud. | 1. Communicate with C2 servers.<br>2. Read the payment data of NFC cards.<br>3. Capture PINs of NFC cards through deceptive screens. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-phantomcard) |
| ToxicPanda | Banking trojan enabling on-device fraud. | 1. Abuse Accessibility services.<br>2. Control the device remotely.<br>3. Intercept OTPs. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-toxicpanda) |
| Hydra | Banking trojan using overlay attacks. | 1. Steal credentials via overlays.<br>2. Abuse Accessibility services.<br>3. Steal OTPs/cookies. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-hydra) |
| SharkBot | Banking trojan targeting financial credentials and transactions. | 1. Abuse Accessibility services.<br>2. Perform overlay attacks to steal credentials.<br>3. Intercept SMS messages (OTP). | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-sharkbot) |
| Antidot | Banking trojan disguised as legitimate updates for financial data theft. | 1. Intercept SMS messages (OTP).<br>2. Log user input (keylogging).<br>3. Enable remote control via C2. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-antidot) |
| Arsink | Banking trojan focusing on credential and financial data exfiltration. | 1. Steal sensitive data from the device.<br>2. Intercept SMS messages (OTP). | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-arsink) |
| TrickMo | Banking trojan using overlay attacks and accessibility abuse for credential theft. | 1. Perform overlay attacks to steal banking credentials.<br>2. Intercept SMS to bypass 2FA.<br>3. Record the screen and abuse Accessibility services.<br>4. Load payloads dynamically via reflection. | [View](https://quark-engine.readthedocs.io/en/latest/quark_rules.html#new-quark-rules-for-trickmo) |
## Quick Start
### Step 1. Install via PyPi
Install the latest version of Quark Engine:
```bash
$ pip3 install -U quark-engine
```
### Step 2. Download Latest Rules
Fetch the latest rule database:
```bash
$ freshquark
```
### Step 3. Run Summary Report
Analyze an APK with the downloaded rules and generate a summary report:
```bash
# replace <sample.apk> with the path to the APK under analysis
$ quark -a <sample.apk> -s
```
### Step 4. View Results
Example output:
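Once the summary has been reviewed by hand, the same rule matches are usually consumed by automation, for instance a CI gate that refuses to ship an APK Quark flags. The helper below is an added example, not code from Quark or its README: it assumes Quark's JSON report (written with the CLI's `-o report.json` option) carries the fields `apk_filename`, `threat_level`, `total_score` and a `crimes` list whose entries have `rule`, `crime`, `score`, `weight`, `confidence` (a percentage string) and `permissions`, and it runs over a constructed sample report rather than a real analysis.

```python
import json
from typing import Any

# Constructed sample shaped like Quark's JSON summary report (assumed field
# names; the md5, rule ids, crimes and scores are made-up placeholders).
SAMPLE_REPORT = json.dumps({
    "md5": "PLACEHOLDER_MD5",
    "apk_filename": "sample.apk",
    "threat_level": "High Risk",
    "total_score": 18,
    "crimes": [
        {"rule": "00001.json", "crime": "Send location via SMS",
         "score": 4, "weight": 4.0, "confidence": "100%",
         "permissions": ["android.permission.SEND_SMS",
                         "android.permission.ACCESS_FINE_LOCATION"]},
        {"rule": "00002.json", "crime": "Read SMS and upload to remote server",
         "score": 3, "weight": 1.8, "confidence": "80%",
         "permissions": ["android.permission.READ_SMS",
                         "android.permission.INTERNET"]},
        {"rule": "00003.json", "crime": "Request accessibility service",
         "score": 1, "weight": 0.0, "confidence": "20%",
         "permissions": []},
    ],
})

def confidence_pct(crime: dict[str, Any]) -> int:
    """Quark reports confidence as a percentage string such as "80%"."""
    return int(str(crime["confidence"]).rstrip("%"))

def triage(report_json: str, min_confidence: int = 80) -> dict[str, Any]:
    """Keep crimes at or above min_confidence, rank them by weight and then
    by confidence, and collect the permissions those crimes depend on."""
    report = json.loads(report_json)
    hits = [c for c in report.get("crimes", []) if confidence_pct(c) >= min_confidence]
    hits.sort(key=lambda c: (c.get("weight", 0.0), confidence_pct(c)), reverse=True)
    return {
        "apk": report.get("apk_filename"),
        "threat_level": report.get("threat_level"),
        "total_score": report.get("total_score"),
        "hits": [(c["rule"], c["crime"], confidence_pct(c)) for c in hits],
        "permissions": sorted({p for c in hits for p in c.get("permissions", [])}),
    }

def should_block(summary: dict[str, Any], blocked_levels=("High Risk",)) -> bool:
    """CI gate: block on Quark's threat level or on any fully matched rule."""
    return summary["threat_level"] in blocked_levels or any(
        conf == 100 for _, _, conf in summary["hits"])
```

Lowering `min_confidence` surfaces the partial matches (a rule whose permissions or APIs are present but never combined), which is useful for analyst review but too noisy for a blocking gate.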

## Acknowledgments
### The Honeynet Project
### Google Summer Of Code
Quark-Engine has been participating in the GSoC under the Honeynet Project!
* 2021:
  * [YuShiang Dang](https://twitter.com/YushianhD): [New Rule Generation Technique & Make Quark Everywhere Among Security Open Source Projects](https://github.com/ev-flow/ref/blob/main/GSoC-2021-YuShiangDang.md)
  * [Sheng-Feng Lu](https://twitter.com/haeter525): [Replace the core library of Quark-Engine](https://github.com/ev-flow/ref/blob/main/GSoC-2021-ShengFengLu.md)
Stay tuned for the upcoming GSoC! Join the [Honeynet Slack chat](https://gsoc-slack.honeynet.org/) for more info.
## Core Values of Quark Engine Team
* We love **battle fields**. We embrace **uncertainties**. We challenge **impossibles**. We **rethink** everything. We change the way people think. And, most important of all, we benefit ourselves by benefiting others **first**.