Proj 11: Qark (15 pts)

What You Need for This Project


To practice using Qark, an Android vulnerability scanner from LinkedIn.

Installing Qark

On Kali, in a Terminal, execute these commands:
git clone
cd qark
pip install -r requirements.txt
pip install . 
qark --help
You see a Qark help message, as shown below.

Connecting to your Android Device with ADB

On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:
adb connect
adb devices -l
You should see your Genymotion device in the "List of devices attached", as shown below.

Pulling the GenieMD APK from the Phone

You should already have the GenieMD app installed. If you don't, get it from Google Play, as shown below.

To see the complete package name, on Kali, execute this command:

adb shell pm list packages | grep genie
The reply shows the package name, as shown below. Use that package name in the next command to get the APK path:
adb shell pm path com.geniemd.geniemd.harvard
The reply shows the full path to the APK. Use that path in the next command to pull the APK file:
adb pull /data/app/com.geniemd.geniemd.harvard-A0xnv6wdqwqLoAAgXh3GqA==/base.apk
The file downloads into Kali, as shown below.

Scanning the APK with Qark

On Kali, execute this command:
qark --apk base.apk
Qark takes about 10 minutes to unpack all the code and scan it, ending with the path to a report file, as shown below.

After the report is generated, move it to a more convenient location and name it with this command:

mv /usr/local/lib/python2.7/dist-packages/qark/report/report.html genie.html

Viewing the Report

On your Kali desktop, on the left side, click the folder icon.

Navigate to the genie.html file, as shown below, and double-click it.

The report opens in Firefox, as shown below.

Type Ctrl+F and search for cert to find the SSL certificate validation error, as shown below.
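The warning you are looking for comes from a WebViewClient that overrides onReceivedSslError and calls handler.proceed(), which makes the WebView accept any certificate, including a forged one, so TLS gives no protection against interception. The script below is an added example (not Qark's own code and not from the GenieMD app) that shows the kind of check a scanner performs: it locates onReceivedSslError overrides in decompiled Java source and flags the ones that call proceed() on the SslErrorHandler. The two Java classes embedded in it are constructed samples: one with the unsafe pattern and one with the safe handler.cancel() fix.

```python
import os
import re

# Constructed sample: a WebViewClient that swallows SSL errors. This is the
# pattern Qark reports as "Unsafe implementation of onReceivedSslError".
VULNERABLE_JAVA = """
public class InsecureClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();  // accepts any certificate, even a forged one
    }
}
"""

# Constructed sample: the safe behaviour, which aborts the connection.
SAFE_JAVA = """
public class SecureClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.cancel();   // drop the connection on any certificate error
    }
}
"""

# Matches the start of an onReceivedSslError method definition (not a call:
# a call is followed by ';', a definition by '{').
METHOD_RE = re.compile(r"onReceivedSslError\s*\(([^)]*)\)\s*\{", re.S)


def _method_body(src, start):
    """Return the text between the brace at src[start] and its matching '}'."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return src[start + 1:]


def find_unsafe_ssl_handlers(src):
    """Return one finding per onReceivedSslError override whose body calls
    proceed() on its SslErrorHandler parameter. The handler's variable name
    is read from the method signature rather than assumed."""
    findings = []
    for m in METHOD_RE.finditer(src):
        params = m.group(1)
        hm = re.search(r"SslErrorHandler\s+(\w+)", params)
        handler = hm.group(1) if hm else "handler"
        body = _method_body(src, m.end() - 1)
        # ignore line comments so commented-out code does not trigger a finding
        body = re.sub(r"//[^\n]*", "", body)
        if re.search(rf"\b{re.escape(handler)}\s*\.\s*proceed\s*\(", body):
            line = src.count("\n", 0, m.start()) + 1
            findings.append({"line": line, "handler": handler})
    return findings


def scan_directory(root):
    """Run the check over every .java file under root (e.g. a decompiled
    APK tree) and return {path: findings} for files with at least one hit."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".java"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_unsafe_ssl_handlers(fh.read())
                if hits:
                    results[path] = hits
    return results


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_JAVA), ("safe", SAFE_JAVA)):
        hits = find_unsafe_ssl_handlers(sample)
        for h in hits:
            print(f"{label}: WARNING unsafe onReceivedSslError at line {h['line']} "
                  f"({h['handler']}.proceed() called)")
        if not hits:
            print(f"{label}: no unsafe onReceivedSslError override found")
```

The fix a developer should apply is the one in the SecureClient sample: call handler.cancel() (or simply not override the method, since the default implementation cancels), so that a certificate error terminates the connection instead of being silently accepted.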

Saving a Screen Image

Make sure you can see "WARNING Unsafe implementation of onReceivedSslError", as shown above.

Save a full-desktop image. On a Mac, press Shift+Command+3. On a PC, press Shift+PrntScrn and paste into Paint.


Save the image with the filename "YOUR NAME Proj 11", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to with the subject line: Proj 11 from YOUR NAME


Android Penetration Tools Walkthrough Series: QARK

Posted 1-24-19 by Sam Bowne