
Behavior not detected when the data flow propagates through member fields #830

@zinwang

Describe the bug

A behavior is not detected by Quark for an APK (SHA256: 2aeef8181f0babf1756cd4d415920241ca51bdd9bd9e1dfc3b2a587b2ca6d53b), although the behavior exists in the decompiled code. The summary report is attached below.

[image: Quark summary report]

The Quark rule used for detecting this behavior:

{
    "crime": "Create a window and add a view to it",
    "permission": [],
    "api": [
        {
            "descriptor": "()V",
            "class": "Landroid/view/WindowManager$LayoutParams;",
            "method": "<init>"
        },
        {
            "descriptor": "(Landroid/view/View; Landroid/view/ViewGroup$LayoutParams;)V",
            "class": "Landroid/view/WindowManager",
            "method": "addView"
        }
    ],
    "score": 2.11,
    "label": []
}

In the ir.indoria.fiktir.FxService class, the result of Landroid/view/WindowManager$LayoutParams;-><init>()V is stored in a member field (this.wmParams) instead of a register. Consequently, Quark fails to track the data flow between the two API calls, resulting in the behavior not being detected.

[image: decompiled FxService code]

To Reproduce

Steps to reproduce the behavior:

  1. Download the APK and the Quark rule
  2. Run quark -a <PATH_TO_THE_APK> -s <PATH_TO_THE_RULE>
  3. Check the summary report

Expected behavior

Quark should detect the behavior with 100% confidence.

Possible Solution

Implement a mechanism for tracking data flow through member fields.
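The gap described in the report, shown as an added toy example (written for this page; it is not Quark's implementation and does not reproduce Quark's internal data structures). The instruction stream is constructed and only loosely modelled on smali: tuples of (opcode, registers, operand), with the constructor as the producing API and addView as the consuming API. The field name wmParams and the class FxService are taken from the report; everything else is assumed. A register-only tracker loses the object at the iput/iget round trip; a field-aware tracker follows it, and also handles the case where the field is overwritten before it is read back.

```python
"""Toy intra-method taint tracker for the pattern in issue #830.

Constructed example, not Quark's code. It checks whether the object built by
one API call reaches a second API call, first through registers only (the
behaviour the report describes) and then through member fields as well.
"""

# Matching keys for the two APIs in the rule (constructed constants).
PRODUCER = "Landroid/view/WindowManager$LayoutParams;-><init>()V"
CONSUMER = ("Landroid/view/WindowManager;->addView"
            "(Landroid/view/View;Landroid/view/ViewGroup$LayoutParams;)V")
# Field name from the report; the full descriptor form is assumed.
WM_PARAMS = ("Lir/indoria/fiktir/FxService;->wmParams:"
             "Landroid/view/WindowManager$LayoutParams;")

# Constructed smali-like stream: LayoutParams built in v1, stored into
# this.wmParams, v1 reused, field read back into v2, v2 passed to addView.
# Not extracted from the APK in the report.
FIELD_ROUNDTRIP = [
    ("new-instance",     ["v1"],             "Landroid/view/WindowManager$LayoutParams;"),
    ("invoke-direct",    ["v1"],             PRODUCER),
    ("iput-object",      ["v1", "p0"],       WM_PARAMS),
    ("const/4",          ["v1"],             0),          # v1 reused: register taint dies
    ("iget-object",      ["v2", "p0"],       WM_PARAMS),
    ("invoke-interface", ["v0", "v3", "v2"], CONSUMER),
]

# Same stream, but the field is overwritten with null before being read back,
# so the constructed object never reaches addView.
FIELD_CLOBBERED = [
    ("new-instance",     ["v1"],             "Landroid/view/WindowManager$LayoutParams;"),
    ("invoke-direct",    ["v1"],             PRODUCER),
    ("iput-object",      ["v1", "p0"],       WM_PARAMS),
    ("const/4",          ["v1"],             0),
    ("iput-object",      ["v1", "p0"],       WM_PARAMS),  # this.wmParams = null
    ("iget-object",      ["v2", "p0"],       WM_PARAMS),
    ("invoke-interface", ["v0", "v3", "v2"], CONSUMER),
]


def has_flow(instructions, producer, consumer, track_fields):
    """Return True if the object initialised by `producer` is an argument of
    `consumer`. With track_fields=False only registers carry taint; with
    track_fields=True iput/iget propagate taint through instance fields."""
    tainted_regs = set()
    tainted_fields = set()
    for opcode, regs, operand in instructions:
        if opcode.startswith("invoke"):
            if operand == producer:
                # <init> returns void; the new object lives in the 'this'
                # register of the call, so that register becomes tainted.
                tainted_regs.add(regs[0])
            elif operand == consumer and any(r in tainted_regs for r in regs):
                return True
            # Other calls neither create nor kill taint in this toy model.
        elif opcode == "move-object":
            dst, src = regs
            (tainted_regs.add if src in tainted_regs else tainted_regs.discard)(dst)
        elif opcode == "iput-object":
            src, _obj = regs
            if track_fields:
                # Writing a tainted register taints the field; writing
                # anything else clears it (the clobber case).
                (tainted_fields.add if src in tainted_regs
                 else tainted_fields.discard)(operand)
        elif opcode == "iget-object":
            dst, _obj = regs
            if track_fields and operand in tainted_fields:
                tainted_regs.add(dst)
            else:
                tainted_regs.discard(dst)
        else:
            # Any other instruction writes its first register and kills the
            # taint held there (new-instance, const, ...).
            tainted_regs.discard(regs[0])
    return False


def report(instructions):
    """Run both tracker variants over one instruction stream."""
    return {
        "registers_only": has_flow(instructions, PRODUCER, CONSUMER, track_fields=False),
        "with_fields": has_flow(instructions, PRODUCER, CONSUMER, track_fields=True),
    }


if __name__ == "__main__":
    print("field round-trip:", report(FIELD_ROUNDTRIP))
    print("field clobbered: ", report(FIELD_CLOBBERED))
```

The tracker is intra-method and flow-sensitive for fields only within the stream it is given; following wmParams across methods of FxService (set in one method, read in another) would need the same field-taint set shared across the class, which is the more general mechanism the suggested fix points at.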
