Malware Threat Identification

Malwarelytics for Android is capable to list and analyze apps installed on the device (both preloaded and user-installed).

Malware identification happens both locally and remotely.

The SDK contains a small engine that analyzes installed apps locally and downloads suggestions (remote evaluations) that are provided by the backend server. Both types of information are used to evaluate the apps installed on the device.

Evaluation of Apps

When Smart Protection is enabled, apps installed on the device are evaluated automatically. Nevertheless, the SDK offers ways to evaluate them manually as well. This can be done with a simple call:

val evaluatedList = antivirus.evaluateThreats()

The list in response contains evaluated ApkThreat instances that provide information about any threats.

Threat Index

The SDK categorizes the level of threat that each app potentially poses to other apps, the device and the user. Five levels of threat (threat index) are recognized:

Threat Index Description
SAFE Apps that are harmless.
POTENTIALLY_UNWANTED_APPS Generally harmless apps that request and utilize potentially problematic permissions or system features.
DANGEROUS Apps that are problematic in some way but not especially harmful to other apps or the device user. Typical examples are adware, scareware, risktool or non-malicious packed app.
HIGHLY_DANGEROUS Apps that are dangerous and harmful but the potential damage is not that high. These apps typically utilize system resources in an undesired or annoying manner. Typical examples are riskware or hidden adwares (Hiddad).
MALWARE Malware apps that are extremely dangerous and harmful. Typical examples are trojan, trojan-banker, backdoors or spyware.

Apps are recommended to perform some kind of mitigation when an app on the device is categorized as HIGHLY_DANGEROUS or MALWARE.

Threat Reason

The SDK also pinpoints some problematic features and provides some other important information about analyzed apps.

Threat Reason Description
ACCESSIBILITY The app has access to accessibility. It can see contents of other apps or perform actions on its own. This means it can potentially see the contents of your app and perform actions in other apps without the user knowing.
SMS_ACCESS The app has access to text message contents. This is especially problematic when sensitive data such as authorization codes are delivered via SMS.
SCREEN_OVERRIDE The app can override the UI of other apps. This means it can potentially provide fake UI that imitates other apps.
INSTALLER The app can request installation of other apps. This can potentially lead to installation of harmful apps coming from outside Google Play.
UNINSTALLER The app can request uninstallation of other apps. Malware apps can use this to get rid of obstacles such as antivirus apps. Alternatively, in combination with installer capabilities, they can replace a genuine app with a fake one.
EVADER The app tries to hide its code. It uses advanced techniques, such as hiding classes (including public API classes) and loading them at runtime. This technique is frequently used by malware.
OUTSIDE_GOOGLE_PLAY The app was not installed from Google Play. This reason has rather low significance because there are other app stores (many OEMs have their own stores) and because it can be spoofed.
CALLER The app can play with your calls — for instance, it can set up call forwarding.
PRELOADED_APP The app is preloaded on the device. Informative.
PRIVILEGED_APP The app has extended (system) privileges. Informative.
DEVELOPMENT_OR_TEST The app is a development build or it is a test. These apps usually only appear on devices meant for development. Normally they should not be present on most end-user devices. Informative.

More Information

There are some other bits of information the SDK can provide.

Installer Recognition

The SDK recognizes a few frequently used installers. Besides Google Play installs, it can identify a few other popular Android stores.

Malware Family Detection

In some cases, the SDK is able to locally determine the name of a detected malware family.

Malware Flags from Server

In some cases, the SDK obtains extra suggested flags from the server.

Malware Flag Description
MALWARE_TYPE Determines a type of malware such as Trojan, Banker, Spyware, Adware and many others.
MALWARE_FAMILY Determines a named family of malware. Examples: Cerberus, Anubis, Triada.

There might be any number of MALWARE_TYPE and MALWARE_FAMILY flags for each application.

The SDK provides an utility method apkThreat.isBanker() that simplifies identification whether the app is flagged as a Banker malware.

Last updated on Aug 31, 2022 (19:15) View product


Malwarelytics for Android