App Presence Detection

Some mobile applications, while being legitimate apps with their use cases, pose a great danger to banking and fintech applications. Such apps are often used to scam users and perform financial fraud.

An important category of these apps are so-called “remote desktop apps”. These apps allow remote access and control of mobile devices. Unfortunately, these apps recently became a vital part of many fraudulent attacks.

Malwarelytics for Android is able to detect unwanted remote desktop apps and can be configured to terminate the app in case an unwanted app is detected.

Configuration

This feature can be configured during the Malwarelytics initialization phase:

val raspConfig = RaspConfig.Builder()
    .appPresence(
        AppPresenceDetectionConfig.Builder()
            .action(DetectionConfig)
            .remoteDesktopApps(Collection<AppPresenceDetectionConfig.NamedApkItem>)
            .build()
    )
    // configuration of other RASP features
    .build()
Method Description
action(DetectionConfig) specifies the automatic behavior of the app presence detection feature. Defaults to DetectionConfig.Notify.
remoteDesktopApps(
Collection<NamedApkItem>)
defines a collection of unwanted apps capable of providing remote desktop functionality. The default value is AppPresenceDetectionConfig.DEFAULT_REMOTE_DESKTOP_APPS.

Available values of DetectionConfig:

Value Description
NoAction indicates that unwanted apps will not be automatically detected. A manual check is still possible.
Notify indicates that unwanted apps will be automatically detected and observers will be notified. Observers will be notified only if remoteDesktopApps is not empty.
Exit(
exitUrl:String?)
indicates that unwanted apps will be automatically detected and the app will be terminated when an unwanted app is automatically detected. Works only if remoteDesktopApps is not empty.

Unwanted apps can be specified either by their package name or by their package name and signature. Each unwanted app is expected to be named. The name is then returned in detection and passed to the remote console (in case Malwareltics for Android are used in online mode).

Example specification of unwanted apps:

val unwantedApps = listOf(
    NamedApkItem("Unwanted app 1", "com.example.abadremotedesktopapp"),
    NamedApkItem("Unwanted app 2", "com.example.anotherremotedesktopapp", "abcdef...1234"),
)

Usage

After initialization, the app presence detection feature can be accessed via RaspManager. This can be used to register an observer or to trigger a manual app presence detection check.

Registering an Observer

App presence detection can trigger a certain action. To achieve that, an observer needs to be configured and registered.

Observer configuration:

val raspObserver = object : RaspObserver {
    override fun onAppPresenceChanged(appPresenceDetection: AppPresenceDetection) {
        // handle app presence detection
    }
    // handle detection of other RASP features
}

The observer can be registered in RaspManager. When it is no longer needed, it can be unregistered again.

raspManager.registerRaspObserver(raspObserver)
raspManager.unregisterRaspObserver(raspObserver)

Triggering a Manual Check

App presence detection check can be triggered manually in RaspManager by calling the getAppPresenceDetection() method.

val appPresenceDetection = raspManager.getAppPresenceDetection()

The returned data class has the property remoteDesktopApps, a collection of installed apps, a subset of those that were defined in the configuration.

More information on general RASP feature configuration and usage can be found in this overview.

Application Visibility

Malwarelytics for Android uses sensitive android.permission.QUERY_ALL_PACKAGES permission. Thanks to the permission the SDK can see all the apps installed on the device and can therefore detect the unwanted apps.

The permission android.permission.QUERY_ALL_PACKAGES is sensitive and requires Google Play Prominent Disclosure. The app can replace the sensitive permission with a list of package queries to see certain apps:

<queries>
    <package android:name="com.example.unwantedapp1" />
    <package android:name="com.example.unwantedapp2" />
    <!-- package names (android IDs) of other unwanted apps -->
</queries>

In case of the usage of package queries, it’s necessary to add a package query for every app added in AppPresenceDetectionConfig.

Without usage of either the QUERY_ALL_PACKAGES permission or package queries Malwarelytics for Android isn’t able to see and detect an unwanted app.

Multiple Device Users

An unwanted app can be installed on the device and still be invisible to the app presence detection. This will happen for apps installed under a different device user and for apps installed in protected app space. Malwarelytics for Android is able to see only the apps installed under the same user and in the same protected app space.

More about multiple users and protected app spaces can be read in Malware Threat Identification

Last updated on Nov 22, 2023 (10:47) View product
Search

1.0.x

Malwarelytics for Android