Anti-Malware Feature Overview
The Anti-Malware feature of Malwarelytics for Android provides a malware detection engine that evaluates other apps that are installed on the mobile device. This feature offers the following functionalities:
- Malware Threat Identification
- Malware Threat Mitigation
- Listening to App Changes
- Installer identification
- Smart Protection
- Smart Protection UI Customization
Configuration
In order to use the Anti-Malware component, it has to be configured first.
This can be done via the AntivirusConfig
which is a part of AppProtectionConfig
:
var config = AppProtectionConfig.Builder(appContext)
.antivirusConfig(
AntivirusConfig.Builder()
// Anti-Malware feature configuration
.build()
)
// other Malwarelytics configuration
.build()
Configuration Options
The configuration offers several items:
val antivirusConfig = AntivirusConfig.Builder()
.enableAntivirus(Boolean)
.useDefaultSuggestions(Boolean)
.smartProtectionConfig(smartProtectionConfig)
.setThreatMitigationUIConfig(threatMitigationUIConfig)
.setForegroundServiceNotificationFactory(notificationFactory)
.build()
Method | Description |
---|---|
enableAntivirus(Boolean) |
defines whether the whole Anti-Malware feature is enabled. Defaults to true . |
useDefaultSuggestions(Boolean) |
determines if the detection engine should apply a list of built-in suggestions upon initialization. Defaults to true . |
smartProtectionConfig(smartProtectionConfig) |
configures automatic detection behavior of the Smart Protection feature. Defaults to DefaultNotificationFactory . |
setThreatMitigationUIConfig(threatMitigationUIConfig) |
customizes UI of Smart Protection elements |
setForegroundServiceNotificationFactory(notificationFactory) |
implements foreground notification creation |
Disabled Anti-Malware Feature
In case the Anti-Malware feature isn’t desired it can be disabled as a whole in config by setting enableAntivirus(false)
. When disabled, the Antivirus
class and all the related code cannot be accessed and used. Using it will likely result in an exception.
To enable the Anti-Malware feature again, the whole SDK has to be released and re-initialized with a config enabling the Anti-Malware feature.
More details about configuration change can be found in the Configuration section.
Suggestions
Suggestions are backend-provided evaluations. They greatly improve limited local evaluation and help to avoid false positives and false negatives.
The config item useDefaultSuggestions(Boolean)
tells the engine to apply a list of built-in local suggestions right after the initialization. This is a very short list of suggestions that mitigate some of the high-profile false positives.
Smart Protection
Smart protection is a set of automatic detection behavior patterns. Their configuration is defined by the smartProtectionConfig(SmartProtectionConfig)
config item.
More details can be found in the Smart Protection section.
Smart Protection UI Customization
The UI of Smart Protection elements can be customized via the setThreatMitigationUIConfig(ThreatMitigationUiConfig)
.
More details can be found in the Smart Protection UI Customization section.
Foreground Service Notifications
The Android OS requires apps to be visible to users. This means that an app has to create a notification in order to be able to do some background processing. Since evaluating other apps takes a non-zero amount of time, Malwarelytics has to create such notification in some cases.
NotificationFactory
is an interface for creating notifications needed by the SDK. To simplify integration, Malwarelytics for Android contains a default implementation in the DefaultNotificationFactory
class. Nevertheless, creating a custom implementation and providing it through the setForegroundServiceNotificationFactory(NotificationFactory)
is recommended. When a notification is necessary, the SDK invokes the createNotification(Context)
method of the provided notification factory. That way, the app developer has control over the notification appearance.
When implementing NotificationFactory
it’s strongly recommended to turn off notification sounds and vibrations in order not to bother and distract the user.
Example Implementation of NotificationFactory:
class ExampleNotificationFactory : NotificationFactory {
override fun createNotification(context: Context): Notification {
val channelId = "some-channel-id"
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
// we have to create a notification channel first
val chan = NotificationChannel(
channelId,
context.getString(R.string.some_notification_channel_name),
NotificationManager.IMPORTANCE_LOW
)
chan.lockscreenVisibility = Notification.VISIBILITY_PRIVATE
chan.setSound(null, null)
chan.enableVibration(false)
chan.setShowBadge(false)
val service =
context.getSystemService(Context.NOTIFICATION_SERVICE) as NotificationManager
service.createNotificationChannel(chan)
}
val builder = NotificationCompat.Builder(
context, channelId
)
.setSmallIcon(R.drawable.some_notification_icon)
.setContentTitle(context.getString(R.string.some_notification_content_title))
.setContentText(context.getString(R.string.some_notification_content_text))
.setPriority(NotificationCompat.PRIORITY_DEFAULT)
return builder.build()
}
}
Runtime Usage
After initialization, the main access point for all Anti-Malware features is an instance of the Antivirus
class. This can be obtained by calling:
val antivirus = appProtection.getAntivirus()
The Antivirus
class provides methods for threat identification and getters for obtaining managers. These managers handle various anti-malware subtopics such as smart protection, suggestions, and mitigations.
Smart Protection
SmartProtectionManager
allows extra calls to Smart Protection. This manager can be obtained from the Antivirus
instance:
val smartProtectionManager = antivirus.getSmartProtectionManager()
The manager allows the app to perform extra Smart Protection updates. The updates are performed in accordance with the configuration specified in the SDK initialization.
val performOnlineUpdate = true
smartProtectionManager.performSingleSmartProtectionUpdate(performOnlineUpdate)
The optional argument indicates whether suggestions from the backend server should be updated to get the latest and most precise data.
The manager also offers to change the default localization of UI components through the setCustomLocalization(String)
method.
More details on this topic can be found in the Smart Protection UI Customization section.
Suggestions
In certain cases, adjusting suggestions locally can come in handy. This can be done via the SuggestionManager
which can be obtained from the Antivirus
instance:
val suggestionManager = antivirus.getSuggestionManager()
Afterwards, suggestions for a certain app, identified by its package name (application ID) and signature hash, can be set:
suggestionManager.setAppSuggestedThreatIndex(packageName, certSha1Hash, suggestedThreatIndex)
Alternatively, suggestions for a group of apps with the same signature hash can be set:
suggestionManager.setCertificateSuggestedThreatIndex(certSha1Digest, suggestedThreatIndex)
Threat Mitigations
Threat mitigations are accessible via the MitigationManager
that can be obtained from the Antivirus
instance:
val mitigationManager = antivirus.getMitigationManager()
More details on mitigations are described in the Malware Threat Mitigation section.