Anti-Malware Feature Overview

View product v0.23.0

The Anti-Malware feature of Malwarelytics for Android provides a malware detection engine that evaluates other apps that are installed on the mobile device. This feature offers the following functionalities:

Configuration

In order to use the Anti-Malware component, it has to be configured first. This can be done via the AntivirusConfig which is a part of AppProtectionConfig:

var config = AppProtectionConfig.Builder(appContext)
    .antivirusConfig(
        AntivirusConfig.Builder()
            // Anti-Malware feature configuration
            .build()
    )
    // other Malwarelytics configuration
    .build()

Configuration Options

The configuration offers several items:

val antivirusConfig = AntivirusConfig.Builder()
                .enableAntivirus(Boolean)
                .useDefaultSuggestions(Boolean)
                .smartProtectionConfig(smartProtectionConfig)
                .setThreatMitigationUIConfig(threatMitigationUIConfig)
                .setForegroundServiceNotificationFactory(notificationFactory)
                .build()

Method	Description
`enableAntivirus(Boolean)`	defines whether the whole Anti-Malware feature is enabled. Defaults to `true`.
`useDefaultSuggestions(Boolean)`	determines if the detection engine should apply a list of built-in suggestion upon initialization. Defaults to `true`.
`smartProtectionConfig(smartProtectionConfig)`	configures automatic detection behavior of the Smart Protection feature. Defaults to `DefaultNotificationFactory`.
`setThreatMitigationUIConfig(threatMitigationUIConfig)`	customizes UI of Smart Protection elements
`setForegroundServiceNotificationFactory(notificationFactory)`	implements foreground notification creation

Disabled Anti-Malware Feature

In case Anti-Malware feature isn’t desired it can be disabled as a whole in config by setting enableAntivirus(false). When disabled, the Antivirus class and all the related code cannot be accessed and used. Using it will likely result in an exception.

In order to enable the Anti-Malware feature again, the whole SDK has to be released and re-initialized with a config enabling the Anti-Malware feature.

More details about configuration change can be found in the Configuration section.

Suggestions

Suggestions are backend-provided evaluations. They greatly improve limited local evaluation and help to avoid false positives and false negatives.

The config item useDefaultSuggestions(Boolean) tells the engine to apply a list of built-in local suggestions right after the initialization. This is a very short list of suggestions that mitigate some the high-profile false positives.

Smart Protection

Smart protection is a set of automatic detection behavior patterns. Their configuration is defined by the smartProtectionConfig(SmartProtectionConfig) config item.

More details can be found in the Smart Protection section.

Smart Protection UI Customization

The UI of Smart Protection elements can be customized via the setThreatMitigationUIConfig(ThreatMitigationUiConfig).

More details can be found in the Smart Protection UI Customization section.

Foreground Service Notifications

The Android OS requires apps to be visible to users. This means that an app has to create a notification in order to be able to do some background processing. Since evaluating other apps takes a non-zero amount of time, it is necessary for Malwarelytics to create such notification in some cases.

NotificationFactory is an interface for creating notifications needed by the SDK. In order to simplify integration, Malwarelytics for Android contains a default implementation in DefaultNotificationFactory class. Nevertheless, creating a custom implementation and providing it through the setForegroundServiceNotificationFactory(NotificationFactory) is recommended. When a notification is necessary, the SDK invokes the createNotification(Context) method of the provided notification factory. That way, the app developer has control over the notification appearance.

When implementing NotificationFactory it’s strongly recommended to turn off notification sounds and vibrations in order not to bother and distract the user.

Example Implementation of NotificationFactory:

class ExampleNotificationFactory : NotificationFactory {

    override fun createNotification(context: Context): Notification {
        val channelId = "some-channel-id"
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            // we have to create notification channel first
            val chan = NotificationChannel(
                channelId,
                context.getString(R.string.some_notification_channel_name),
                NotificationManager.IMPORTANCE_LOW
            )
            chan.lockscreenVisibility = Notification.VISIBILITY_PRIVATE
            chan.setSound(null, null)
            chan.enableVibration(false)
            chan.setShowBadge(false)
            val service =
                context.getSystemService(Context.NOTIFICATION_SERVICE) as NotificationManager
            service.createNotificationChannel(chan)
        }
        val builder = NotificationCompat.Builder(
            context, channelId
        )
            .setSmallIcon(R.drawable.some_notification_icon)
            .setContentTitle(context.getString(R.string.some_notification_content_title))
            .setContentText(context.getString(R.string.some_notification_content_text))
            .setPriority(NotificationCompat.PRIORITY_DEFAULT)

        return builder.build()
    }
}

Runtime Usage

After initialization, the main access point for all Anti-Malware features is an instance of the Antivirus class. This can be obtained by calling:

val antivirus = appProtection.getAntivirus()

The Antivirus class provides methods for threat identification and getters for obtaining managers. These managers handle various anti-malware subtopics such as smart protection, suggestions and mitigations.

Smart Protection

SmartProtectionManager allows extra calls to Smart Protection. This manager can be obtained from the Antivirus instance:

val smartProtectionManager = antivirus.getSmartProtectionManager()

The manager allows the app to perform extra Smart Protection updates. The updates are performed in accordance with the configuration specified in the SDK initialization.

val performOnlineUpdate = true
smartProtectionManager.performSingleSmartProtectionUpdate(performOnlineUpdate)

The optional argument indicates whether suggestions from the backend server should be updated to get the latest and most precise data.

The manager also offers to change the default localization of UI components through the setCustomLocalization(String) method.

More details on this topic can be found in the Smart Protection UI Customization section.

Suggestions

In certain cases, adjusting suggestions locally can come in handy. This can be done via the SuggestionManager which can be obtained from the Antivirus instance:

val suggestionManager = antivirus.getSuggestionManager()

Afterwards, suggestions for a certain app, identified by its package name (application ID) and signature hash, can be set:

suggestionManager.setAppSuggestedThreatIndex(packageName, certSha1Hash, suggestedThreatIndex)

Alternatively, suggestions for a group of apps with the same signature hash can be set:

suggestionManager.setCertificateSuggestedThreatIndex(certSha1Digest, suggestedThreatIndex)

Threat Mitigations

Threat mitigations are accessible via the MitigationManager that can be obtained from the Antivirus instance:

val mitigationManager = antivirus.getMitigationManager()

More details on mitigations are described in the Malware Threat Mitigation section.

Last updated on Nov 30, 2022 (12:37) View product