New Quark rules (#247 - #251) are now available. These rules target `PhantomCard <https://www.threatfabric.com/blogs/phantomcard-new-nfc-driven-android-malware-emerging-in-brazil>`_\ , a malware family that communicates with C2 servers, reads the payment data of NFC cards, and captures PINs of NFC cards through deceptive screens. Check `here <https://github.com/ev-flow/quark-rules>`_ for the rule details.
With these rules, Quark is now able to identify the PhantomCard malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here <list-of-tested-apks-phantomcard>` for the APKs we tested.
Below is a summary report of a PhantomCard sample (\ ``5769ae3cc93943dda4d1743f2febf6cec1282a0a6289da68cb55bb4724ec9332``\ ). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.
With Quark's `rule classification <https://quark-engine.readthedocs.io/en/latest/quark_reports.html#rule-classification>`_ feature, analysts can generate behavior maps and see how the detected behaviors relate to each other. Applied to this sample, the feature surfaces three of PhantomCard's known threats, as shown below.
**1. Communicate with C2 servers**
.. image:: https://i.postimg.cc/6qqQcXDG/c2.png
   :target: https://i.postimg.cc/6qqQcXDG/c2.png
   :alt:

The behavior map reveals that the ``Ls1/j;doInBackground`` function establishes a connection to an IP address, which could be a malicious C2 server.
Behaviors detected by Quark:
* Establish a connection to an IP address (#00247)
**2. Read the payment data of NFC cards**
.. image:: https://i.postimg.cc/9QFmVVxY/nfc.png
   :target: https://i.postimg.cc/9QFmVVxY/nfc.png
   :alt:

The behavior map reveals that the ``Lt1/c;b`` function establishes a connection to an NFC card and reads the payment data stored in it.
Behaviors detected by Quark:
* Establish a connection to an NFC card (#00248)
* Read the payment data stored in an NFC card (#00249)
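The two NFC behaviors above are detected by API-pair rules. The following is an added example, not Quark's code and not the actual content of rules #00248 and #00249 (their exact API pairs are not shown on this page). It defines two hypothetical rules in the shape of a Quark rule (``crime``, ``api``, ``score``), pairs real Android ``IsoDep`` APIs, and evaluates them against a constructed per-method call trace. The staged check is a simplified approximation of Quark's scoring: stage 3 when both APIs appear anywhere in the app, stage 4 when both appear in the same method, stage 5 when they appear in rule order in that method, with confidence reported in 20% steps per stage. The method names echo the obfuscated names on this page, but the calls attributed to them are invented.

```python
"""Hypothetical Quark-style API-pair rule matcher (added example, not Quark's own code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Api:
    """One API reference in Smali notation, e.g. Landroid/nfc/tech/IsoDep;->connect()V."""
    clazz: str
    method: str
    descriptor: str

    def __str__(self) -> str:
        return f"{self.clazz}->{self.method}{self.descriptor}"


# Real Android NFC APIs; pairing them into these two rules is an assumption,
# not the content of Quark rules #00248 / #00249.
ISODEP_GET = Api("Landroid/nfc/tech/IsoDep;", "get", "(Landroid/nfc/Tag;)Landroid/nfc/tech/IsoDep;")
ISODEP_CONNECT = Api("Landroid/nfc/tech/IsoDep;", "connect", "()V")
ISODEP_TRANSCEIVE = Api("Landroid/nfc/tech/IsoDep;", "transceive", "([B)[B")

NFC_CONNECT_RULE = {
    "crime": "Establish a connection to an NFC card",
    "api": [ISODEP_GET, ISODEP_CONNECT],
    "score": 1,
}
NFC_READ_RULE = {
    "crime": "Read the payment data stored in an NFC card",
    "api": [ISODEP_CONNECT, ISODEP_TRANSCEIVE],
    "score": 1,
}

# Constructed call trace: method name -> APIs invoked by that method, in order.
# The names mirror the page's obfuscated methods; the calls are invented.
SAMPLE_TRACE = {
    "Lt1/c;b": [ISODEP_GET, ISODEP_CONNECT, ISODEP_TRANSCEIVE],
    "Ls1/j;doInBackground": [Api("Ljava/net/Socket;", "<init>", "(Ljava/lang/String;I)V")],
}


def match_rule(rule: dict, trace: dict) -> dict:
    """Evaluate an API-pair rule against a call trace.

    Returns the highest stage reached (0, 3, 4 or 5), the confidence as
    stage * 20 percent, and the methods in which the pair fires at the
    highest stage reached. Permission and native-API stages (1 and 2)
    are deliberately not modelled here.
    """
    first, second = rule["api"]
    seen_first = any(first in calls for calls in trace.values())
    seen_second = any(second in calls for calls in trace.values())
    if not (seen_first and seen_second):
        return {"stage": 0, "confidence": 0, "methods": []}

    stage, methods = 3, []
    for name, calls in trace.items():
        if first not in calls or second not in calls:
            continue  # stage 3 only: both APIs exist, but not together in this method
        # Same method: stage 4. In rule order (first call of each): stage 5.
        method_stage = 5 if calls.index(first) < calls.index(second) else 4
        if method_stage > stage:
            stage, methods = method_stage, [name]
        elif method_stage == stage:
            methods.append(name)
    return {"stage": stage, "confidence": stage * 20, "methods": methods}


def report(trace: dict, rules: list) -> list:
    """Summarise which crimes fire at full confidence, as a triage aid."""
    return [rule["crime"] for rule in rules if match_rule(rule, trace)["stage"] == 5]


if __name__ == "__main__":
    for rule in (NFC_CONNECT_RULE, NFC_READ_RULE):
        result = match_rule(rule, SAMPLE_TRACE)
        print(f"{rule['crime']}: stage {result['stage']} ({result['confidence']}%) in {result['methods']}")
```

Running it reports both hypothetical NFC rules at stage 5 in ``Lt1/c;b``, which is the kind of evidence the behavior map above visualizes. Reordering the calls so that ``transceive`` precedes ``connect`` drops the read rule to stage 4: both APIs are present in one method, but the data-flow order that makes the behavior plausible is not.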
**3. Capture PINs of NFC cards through deceptive screens**
.. image:: https://i.postimg.cc/xT2QtP2Y/ui.png
   :target: https://i.postimg.cc/xT2QtP2Y/ui.png
   :alt:

The behavior map reveals that the ``Le/r;onReceive`` function creates a UI layout and listens for user clicks on a UI element. If that layout mimics a legitimate prompt, users can be tricked into entering their NFC card PINs, and the app can then harvest the PINs by listening for clicks on UI elements such as keypad buttons.