
Add new Quark rules for Godfather malware detection #915

Merged
haeter525 merged 3 commits into ev-flow:master from pulorsok:add-godfather-report on May 13, 2026

Conversation


@pulorsok pulorsok commented May 8, 2026

Member

New Quark Rules for GodFather

New Quark rule (#274) is now available. This rule targets GodFather. Check here for the rule details.

With these rules, Quark is now able to identify the GodFather malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. See tested APKs below.

Identified Well-Known Threats

This section uses MITRE ATT&CK Mobile as its reference taxonomy. The table below lists every technique documented for GodFather (per software entry S1231 GodFather) alongside how each manifests in real-world campaigns — all of which the current Quark rule set can detect statically from APK bytecode.

| MITRE Technique | Real-world manifestation |
| --- | --- |
| T1418 Software Discovery | Enumerating installed banking and cryptocurrency apps to select overlay targets |
| T1417 Input Capture | Harvesting credentials and payment card data via accessibility service keylogging |
| T1516 Input Injection | Automating fraudulent transactions by simulating taps and gestures through accessibility APIs |
| T1582 SMS Control | Intercepting SMS-based two-factor authentication codes to bypass account protections |
| T1616 Call Control | Blocking or redirecting incoming calls from banks to evade fraud alerts |
| T1624 Event Triggered Execution | Launching overlay attacks when targeted banking applications are opened by the user |
| T1629 Impair Defenses | Disabling Google Play Protect and preventing uninstallation via device administrator privileges |

All behavior maps below were rendered from sample 0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8.apk — chosen as the representative sample whose detected behaviors most fully cover the documented profile of GodFather. The other 11 family samples were used to compute the accuracy and precision figures above.

Each section below corresponds to one technique from the table above. Within each section we first quote the MITRE definition, then show the Quark behavior map extracted from the representative sample's bytecode, then walk through the call sequence and list the underlying rules.

1. T1418 Software Discovery

T1418 Software Discovery — attack.mitre.org

MITRE definition (T1418): Adversaries may attempt to get a listing of applications that are installed on a device.

[Behavior map image: T1418 Software Discovery]

number_task calls getApps to enumerate installed applications and store the list in shared preferences. Together, these calls enable the malware to discover and persist a complete inventory of software present on the device.

Behaviors detected by Quark:

2. T1417 Input Capture

T1417 Input Capture — attack.mitre.org

MITRE definition (T1417): Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes.

[Behavior map image: T1417 Input Capture]

onAccessibilityEvent calls two helpers to query UI nodes by ID and text, check view content, and perform actions on accessibility node info. Together, these calls enable automated inspection and interaction with UI elements in the active window.

Behaviors detected by Quark:

3. T1582 SMS Control

T1582 SMS Control — attack.mitre.org

MITRE definition (T1582): Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects. This can be accomplished by requesting the RECEIVE_SMS or SEND_SMS permissions depending on what the malware is attempting to do.

[Behavior map image: T1582 SMS Control]

onReceive calls SMRC to monitor incoming SMS messages and extract sender phone numbers and message content. Together, these calls enable the receiver to intercept and inspect SMS data as it arrives on the device.

Behaviors detected by Quark:

4. T1616 Call Control

T1616 Call Control — attack.mitre.org

MITRE definition (T1616): Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.

[Behavior map image: T1616 Call Control]

onCreate constructs an implicit intent with a phone number and initiates a phone call via setData. Combined, these APIs enable the activity to programmatically place outbound calls without user interaction.

Behaviors detected by Quark:

5. T1624 Event Triggered Execution

T1624 Event Triggered Execution — attack.mitre.org

MITRE definition (T1624): Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities.

[Behavior map image: T1624 Event Triggered Execution]

The behavior map above shows GodFather subscribing to the incoming-SMS broadcast — Android's SMS_RECEIVED is one of the canonical "specific events" called out in the MITRE definition, and the malware uses it as a trigger for execution. onReceive monitors the general action performed and incoming SMS messages, enabling the receiver to detect and respond to SMS arrival events in real time.

Behaviors detected by Quark:

6. T1629 Impair Defenses

T1629 Impair Defenses — attack.mitre.org

MITRE definition (T1629): Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior.

[Behavior map image: T1629 Impair Defenses]

The behavior map above shows GodFather deleting SMS via content URIs — a concrete instance of impairing the user's ability to audit communication activity (matching the MITRE definition's phrase "detection capabilities defenders can use to audit activity"). DelSent deletes media specified by content URIs, including SMS, erasing traces of communication activity.

Behaviors detected by Quark:

List of Tested APKs

The table below lists the APKs we tested.

| index | sha256 |
| --- | --- |
| 1 | 0B72C22517FDEFD4CF0466D8D4C634CA73B7667D378BE688EFE131AF4AC3AED8 |
| 2 | 138551CD967622832F8A816EA1697A5D08EE66C379D32D8A6BD7FCA9FDEAECC4 |
| 3 | 20116083565A50F6B2DB59011E9994E9A9F5DB5994703D53233B8B202A5AD2F3 |
| 4 | 3BBEF6F36E2E673DF2620A01463F9B598D0F70C76F450601EC29873D8EBA5B7A |
| 5 | 3D4F63FC88EC8A4DFC9A5C3FEE1A59DED40BBB2F4F04ED937C135B144E8A166D |
| 6 | 58D335B2FD86126AB18CFBECD117C7700D154A2473CC1BDD507C0F57FA7052E3 |
| 7 | 6E0D01C4C547D235C247A6D0719F2ACA2D4996AE78DF4B671275914A9E3FD2D3 |
| 8 | 75CC07A1AF57D9D2A9A06840A25D1B9B368B1DDD57D98BAC9A5A5F2F4D0D931D |
| 9 | 9DFB5B4AD9AAC36C2D7FBB93F8668FAA819CB0DF16F4A55D00F1CDDA89C9A6D2 |
| 10 | A14AAD1265EB307FBE71A3A5F6E688408CE153FF19838B3C5229F26EE3ECE5DD |
| 11 | A6ED100AE42E4FDABFD1B4C992762152BC4A11CC8E521B647B444C75BB7A9782 |
| 12 | C2BCCFC8B3BDF2DA5FB5C22055A9C4859256BE7904933E9E0B92FA31FD0420D3 |
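To make the report's "two API calls inside one method" evidence concrete, here is an added, stand-alone example. It is not Quark's own code and it does not reproduce rule #274 (which is only linked from this PR): it models how a two-API Quark-style rule is matched against disassembled bytecode, run over a constructed smali fragment that mirrors two behaviors described above (onReceive reading the sender and body of an incoming SMS; onCreate building an intent, calling setData with a phone number and starting the call). The rule dicts, the smali, the manifest permission set and the helpers parse_methods, api_matches, match_rule and scan are all assumptions made for the demo. The confidence stages are a simplified version of Quark's idea (permission declared, both APIs present, both in one method, both in rule order); the real engine parses the dex, resolves class hierarchy and tracks registers, none of which is modelled here.

```python
"""Added example, not Quark's code and not rule #274: toy matching of
two-API rules against constructed smali, with a simplified stage model."""
import re

# Illustrative rules in the field layout Quark rule files use. Assumed for the demo.
RULES = [
    {
        "crime": "Read sender and body of an incoming SMS",
        "permission": ["android.permission.RECEIVE_SMS"],
        "api": [
            {"class": "Landroid/telephony/SmsMessage;", "method": "getOriginatingAddress",
             "descriptor": "()Ljava/lang/String;"},
            {"class": "Landroid/telephony/SmsMessage;", "method": "getMessageBody",
             "descriptor": "()Ljava/lang/String;"},
        ],
        "score": 3, "label": ["sms", "collection"],
    },
    {
        "crime": "Place an outgoing call from an implicit intent",
        "permission": ["android.permission.CALL_PHONE"],
        "api": [
            {"class": "Landroid/content/Intent;", "method": "setData",
             "descriptor": "(Landroid/net/Uri;)Landroid/content/Intent;"},
            {"class": "Landroid/app/Activity;", "method": "startActivity",
             "descriptor": "(Landroid/content/Intent;)V"},
        ],
        "score": 3, "label": ["telephony"],
    },
    {
        "crime": "Enumerate installed apps and persist the list",
        "permission": ["android.permission.QUERY_ALL_PACKAGES"],
        "api": [
            {"class": "Landroid/content/pm/PackageManager;", "method": "getInstalledApplications",
             "descriptor": "(I)Ljava/util/List;"},
            {"class": "Landroid/content/SharedPreferences$Editor;", "method": "putString",
             "descriptor": "(Ljava/lang/String;Ljava/lang/String;)Landroid/content/SharedPreferences$Editor;"},
        ],
        "score": 2, "label": ["discovery"],
    },
]

# Constructed smali standing in for a disassembled sample (not from any real APK).
SMALI = """
.class public Lcom/example/SmsReceiver;
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    invoke-static {p2}, Landroid/provider/Telephony$Sms$Intents;->getMessagesFromIntent(Landroid/content/Intent;)[Landroid/telephony/SmsMessage;
    move-result-object v0
    const/4 v1, 0x0
    aget-object v2, v0, v1
    invoke-virtual {v2}, Landroid/telephony/SmsMessage;->getOriginatingAddress()Ljava/lang/String;
    move-result-object v3
    invoke-virtual {v2}, Landroid/telephony/SmsMessage;->getMessageBody()Ljava/lang/String;
    move-result-object v4
    return-void
.end method
.class public Lcom/example/CallActivity;
.method protected onCreate(Landroid/os/Bundle;)V
    new-instance v0, Landroid/content/Intent;
    const-string v1, "android.intent.action.CALL"
    invoke-direct {v0, v1}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
    const-string v2, "tel:+10000000000"
    invoke-static {v2}, Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
    move-result-object v3
    invoke-virtual {v0, v3}, Landroid/content/Intent;->setData(Landroid/net/Uri;)Landroid/content/Intent;
    invoke-virtual {p0, v0}, Lcom/example/CallActivity;->startActivity(Landroid/content/Intent;)V
    return-void
.end method
"""

# Constructed manifest permissions; QUERY_ALL_PACKAGES is deliberately absent.
MANIFEST_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.CALL_PHONE"}

INVOKE_RE = re.compile(r"^invoke-[\w/]+\s+\{[^}]*\},\s*(L[^;]+;)->([^(\s]+)(\(.*)$")


def parse_methods(smali):
    """Map 'Lcls;->name(desc)' to the ordered list of (class, method, descriptor) it invokes."""
    methods, cls, name, calls = {}, None, None, None
    for line in (l.strip() for l in smali.splitlines()):
        if line.startswith(".class"):
            cls = line.split()[-1]
        elif line.startswith(".method"):
            name, calls = line.split()[-1], []
        elif line == ".end method":
            methods[f"{cls}->{name}"], calls = calls, None
        elif calls is not None:
            m = INVOKE_RE.match(line)
            if m:
                calls.append(m.groups())
    return methods


def api_matches(call, api):
    """Framework methods inherited by app classes are invoked on the app class
    (Lcom/example/CallActivity;->startActivity). Quark resolves this through the
    class hierarchy; the toy accepts any non-framework receiver class instead."""
    cls, name, desc = call
    if name != api["method"] or desc != api["descriptor"]:
        return False
    return cls == api["class"] or not cls.startswith("Landroid/")


def match_rule(rule, methods, permissions):
    """Highest cumulative stage reached: 0 none, 1 permissions, 2 both APIs used,
    3 both in one method, 4 both in one method in rule order."""
    if not all(p in permissions for p in rule["permission"]):
        return 0
    first, second = rule["api"]
    every_call = [c for calls in methods.values() for c in calls]
    if not (any(api_matches(c, first) for c in every_call)
            and any(api_matches(c, second) for c in every_call)):
        return 1
    stage = 2
    for calls in methods.values():
        i1 = [i for i, c in enumerate(calls) if api_matches(c, first)]
        i2 = [i for i, c in enumerate(calls) if api_matches(c, second)]
        if i1 and i2:
            stage = 4 if min(i1) < max(i2) else max(stage, 3)
    return stage


def scan(smali, permissions):
    """Stage reached per rule crime for one sample."""
    methods = parse_methods(smali)
    return {r["crime"]: match_rule(r, methods, permissions) for r in RULES}


if __name__ == "__main__":
    for crime, stage in scan(SMALI, MANIFEST_PERMISSIONS).items():
        print(f"stage {stage}/4  {crime}")
```

Running it reports stage 4 for the SMS and call rules and stage 0 for the app-enumeration rule, because the constructed manifest never requests QUERY_ALL_PACKAGES and the toy, like Quark, stops at the permission check. Swapping the order of the two invoke lines in onReceive drops the SMS rule to stage 3, which is the distinction between "both APIs appear in one method" and "the sequence the rule describes".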

Add a malware report section for the GodFather Android banking trojan
(MITRE ATT&CK Mobile S1231) covering rule ev-flow#274.  The report walks
through 6 techniques the family employs — software discovery, input
capture, SMS control, call control, event-triggered execution, and
impair defenses — with a behavior map and rule citations for each.

codecov Bot commented May 8, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.40%. Comparing base (dbe6d54) to head (f708546).

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #915   +/-   ##
=======================================
  Coverage   81.40%   81.40%           
=======================================
  Files          80       80           
  Lines        6969     6969           
=======================================
  Hits         5673     5673           
  Misses       1296     1296           
Flag Coverage Δ
unittests 81.40% <ø> (ø)


pulorsok added 2 commits May 13, 2026 23:25
Sync the GodFather section with the latest version reviewed in PR ev-flow#915:

* Restructure intro — move MITRE framing and sample provenance from
  intro into the "Identified Well-Known Threats" section, leaving the
  intro to just the rule announcement and accuracy claim.
* Reorder each technique block: MITRE definition now comes before the
  behavior map image so readers see the technique definition first,
  then the Quark evidence.
* Drop the "observed in N VT sandbox sample(s)" provenance line —
  it added no decision-relevant signal for the reader.
* Drop the "Cluster reflects ... see description below" disclaimer
  and instead fold the cluster-to-technique rationale directly into
  the descriptive prose for T1624 and T1629.
* Fix spelling and style: behaviour -> behavior, GodFather
  capitalisation in prose, "2 helpers" -> "two helpers", drop
  "sample(s)" plural marker, "literature profile" -> "documented
  profile".
* Update intro wording to state that MITRE ATT&CK Mobile is the
  reference taxonomy and that the current Quark rule set detects
  all listed techniques statically from APK bytecode.
Added new images and updated the list of banking trojans with their behaviors and links.

@haeter525 haeter525 left a comment


LGTM.

@haeter525 haeter525 merged commit 1a81a55 into ev-flow:master May 13, 2026
27 checks passed