Anti-Malware Feature Overview
The Anti-Malware feature of Malwarelytics for Android provides a malware detection engine that evaluates other apps that are installed on the mobile device. This feature offers the following functionalities:
- Malware Threat Identification
- Malware Threat Mitigation
- Listening to App Changes
- Smart Protection
- Smart Protection UI Customization
Configuration
In order to use the Anti-Malware component, it has to be configured first. This can be done via the AntivirusConfig, which is a part of AppProtectionConfig:
var config = AppProtectionConfig.Builder(appContext)
    .antivirusConfig(
        AntivirusConfig.Builder()
            // Anti-Malware feature configuration
            .build()
    )
    // other Malwarelytics configuration
    .build()
Configuration Options
The configuration offers several items:
val antivirusConfig = AntivirusConfig.Builder()
    .useDefaultSuggestions(Boolean)
    .smartProtectionConfig(smartProtectionConfig)
    .setThreatMitigationUIConfig(threatMitigationUIConfig)
    .setForegroundServiceNotificationFactory(notificationFactory)
    .build()
Method | Description |
---|---|
useDefaultSuggestions(Boolean) | determines if the detection engine should apply a list of built-in suggestions upon initialization |
smartProtectionConfig(smartProtectionConfig) | configures automatic detection behavior of the Smart Protection feature |
setThreatMitigationUIConfig(threatMitigationUIConfig) | customizes UI of Smart Protection elements |
setForegroundServiceNotificationFactory(notificationFactory) | implements foreground notification creation |
Suggestions
Suggestions are backend-provided evaluations. They greatly improve limited local evaluation and help to avoid false positives and false negatives.
The config item useDefaultSuggestions(Boolean) tells the engine to apply a list of built-in local suggestions right after the initialization. This is a very short list of suggestions that mitigate some of the high-profile false positives.
Smart Protection
Smart protection is a set of automatic detection behavior patterns. Their configuration is defined by the smartProtectionConfig(SmartProtectionConfig) config item.
More details can be found in the Smart Protection section.
Smart Protection UI Customization
The UI of Smart Protection elements can be customized via the setThreatMitigationUIConfig(ThreatMitigationUiConfig).
More details can be found in the Smart Protection UI Customization section.
Foreground Service Notifications
The Android OS requires apps to be visible to users. This means that an app has to create a notification in order to be able to do some background processing. Since evaluating other apps takes a non-zero amount of time, it is necessary for Malwarelytics to create such a notification in some cases.
NotificationFactory is an interface for creating notifications. Creating an implementation and providing it through setForegroundServiceNotificationFactory(NotificationFactory) is recommended. When a notification is necessary, the SDK invokes the createNotification(Context) method of the provided notification factory. That way, the app developer has control over the notification appearance.
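A sketch of such a factory, added here as an illustration and not taken from the Malwarelytics documentation. It assumes createNotification(Context) returns an android.app.Notification; the class name, channel id and texts are hypothetical, and the import for NotificationFactory must come from the SDK version in use.

```kotlin
import android.app.Notification
import android.app.NotificationChannel
import android.app.NotificationManager
import android.content.Context
import android.os.Build
import androidx.core.app.NotificationCompat
// NotificationFactory is the SDK interface named above; add its import from your SDK.

// Hypothetical implementation: a quiet, ongoing notification shown while apps are evaluated.
class ScanNotificationFactory : NotificationFactory {

    // Assumption: the interface method returns android.app.Notification.
    override fun createNotification(context: Context): Notification {
        ensureChannel(context)
        return NotificationCompat.Builder(context, CHANNEL_ID)
            .setSmallIcon(android.R.drawable.stat_sys_warning)
            .setContentTitle("Checking installed apps")
            .setContentText("Security scan in progress")
            .setOngoing(true)
            .setPriority(NotificationCompat.PRIORITY_LOW)
            .build()
    }

    // Android 8.0+ drops notifications posted to a channel that does not exist,
    // so the channel is created before the notification is built.
    private fun ensureChannel(context: Context) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O) return
        val manager = context.getSystemService(NotificationManager::class.java)
        manager.createNotificationChannel(
            NotificationChannel(CHANNEL_ID, "Security scan", NotificationManager.IMPORTANCE_LOW)
        )
    }

    private companion object {
        const val CHANNEL_ID = "malware_scan" // hypothetical channel id
    }
}

// Wiring it into the configuration shown earlier on this page.
val antivirusConfig = AntivirusConfig.Builder()
    .setForegroundServiceNotificationFactory(ScanNotificationFactory())
    .build()
```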
Runtime Usage
After initialization, the main access point for all Anti-Malware features is an instance of the Antivirus class. This can be obtained by calling:
val antivirus = appProtection.getAntivirus()
The Antivirus class provides methods for threat identification and getters for obtaining managers. These managers handle various anti-malware subtopics such as smart protection, suggestions and mitigations.
Smart Protection
SmartProtectionManager allows extra calls to Smart Protection. This manager can be obtained from the Antivirus instance:
val smartProtectionManager = antivirus.getSmartProtectionManager()
The manager allows the app to perform extra Smart Protection updates. The updates are performed in accordance with the configuration specified in the SDK initialization.
val performOnlineUpdate = true
smartProtectionManager.performSingleSmartProtectionUpdate(performOnlineUpdate)
The optional argument indicates whether suggestions from the backend server should be updated to get the latest and most precise data.
The manager also allows changing the default localization of UI components through the setCustomLocalization(String) method.
More details on this topic can be found in the Smart Protection UI Customization section.
Suggestions
In certain cases, adjusting suggestions locally can come in handy. This can be done via the SuggestionManager, which can be obtained from the Antivirus instance:
val suggestionManager = antivirus.getSuggestionManager()
Afterwards, suggestions for a certain app, identified by its package name (application ID) and signature hash, can be set:
suggestionManager.setAppSuggestedThreatIndex(packageName, certSha1Hash, suggestedThreatIndex)
Alternatively, suggestions for a group of apps with the same signature hash can be set:
suggestionManager.setCertificateSuggestedThreatIndex(certSha1Digest, suggestedThreatIndex)
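Both calls need the SHA-1 hash of an app's signing certificate. The helper below is an added example, not SDK code: it derives that hash for an installed package using standard Android APIs (API 28+). The function name is hypothetical, and the lowercase hex encoding is an assumption, since this page does not state the format the SDK expects.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import androidx.annotation.RequiresApi
import java.security.MessageDigest

// Hypothetical helper: SHA-1 of the certificate(s) currently signing the given package.
// Returns an empty list when the package is not installed or not visible to the caller.
@RequiresApi(Build.VERSION_CODES.P)
fun currentSignerSha1(context: Context, packageName: String): List<String> {
    val info = try {
        context.packageManager.getPackageInfo(
            packageName, PackageManager.GET_SIGNING_CERTIFICATES
        )
    } catch (e: PackageManager.NameNotFoundException) {
        return emptyList()
    }
    val signingInfo = info.signingInfo ?: return emptyList()

    // Multiple signers: every certificate signs the APK contents.
    // Single signer: the history runs oldest to newest, so the last entry is the
    // current certificate; older (rotated) certificates are deliberately ignored.
    val signers = if (signingInfo.hasMultipleSigners()) {
        signingInfo.apkContentsSigners.toList()
    } else {
        listOfNotNull(signingInfo.signingCertificateHistory?.lastOrNull())
    }

    return signers.map { signature ->
        MessageDigest.getInstance("SHA-1")
            .digest(signature.toByteArray())
            .joinToString("") { "%02x".format(it) } // assumption: lowercase hex
    }
}

// Usage with the calls shown above (suggestedThreatIndex as on this page):
// currentSignerSha1(context, packageName).forEach { certSha1Hash ->
//     suggestionManager.setAppSuggestedThreatIndex(packageName, certSha1Hash, suggestedThreatIndex)
// }
```

Pinning a suggestion to the certificate hash as well as the package name means a repackaged app that reuses the package name but is signed with a different key does not inherit the suggestion.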
Threat Mitigations
Threat mitigations are accessible via the MitigationManager that can be obtained from the Antivirus instance:
val mitigationManager = antivirus.getMitigationManager()
More details on mitigations are described in the Malware Threat Mitigation section.