Malware Threat Identification
Malwarelytics for Android can list and analyze the apps installed on the device (both preloaded and user-installed).
Malware identification happens both locally and remotely.
The SDK contains a small engine that analyzes installed apps locally and downloads suggestions (remote evaluations) provided by the backend server. Both kinds of information are combined to evaluate the apps installed on the device.
Evaluation of Apps
When Smart Protection is enabled, apps installed on the device are evaluated automatically. Nevertheless, the SDK also offers a way to evaluate them manually with a single call:

```kotlin
val evaluatedList = antivirus.evaluateThreats()
```

The returned list contains evaluated `ApkThreat` instances that provide information about any threats.
Threat Index
The SDK categorizes the level of threat that each app potentially poses to other apps, the device, and the user. Five levels of threat (threat index) are recognized:

| Threat Index | Description |
| --- | --- |
| SAFE | Apps that are harmless. |
| POTENTIALLY_UNWANTED_APPS | Generally harmless apps that request and use potentially problematic permissions or system features. |
| DANGEROUS | Apps that are problematic in some way but not especially harmful to other apps or to the device user. Typical examples are adware, scareware, risktool, or a non-malicious packed app. |
| HIGHLY_DANGEROUS | Apps that are dangerous and harmful, but whose potential damage is not that high. These apps typically use system resources in an undesired or annoying manner. Typical examples are riskware or hidden adware (Hiddad). |
| MALWARE | Malware apps that are extremely dangerous and harmful. Typical examples are trojans, trojan-bankers, backdoors, or spyware. |
The app integrating the SDK should perform some kind of mitigation when an app on the device is categorized as HIGHLY_DANGEROUS or MALWARE.
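The mitigation policy recommended above, written out as an added example (this is not Malwarelytics SDK code). It relies on the documented `antivirus.evaluateThreats()` call, the `ApkThreat` type and the five threat index values; the enum name `ThreatIndex` and the properties `ApkThreat.threatIndex` and `ApkThreat.packageName` are assumptions not taken from this page.

```kotlin
// Added example, not Malwarelytics SDK code.
// Documented on this page: antivirus.evaluateThreats() returning evaluated ApkThreat instances,
// and the five threat index values SAFE .. MALWARE.
// Assumed (not documented here): an enum named ThreatIndex holding those values, and the
// properties ApkThreat.threatIndex and ApkThreat.packageName.

enum class Mitigation { NONE, WARN, BLOCK }

// Policy: the page recommends mitigation for HIGHLY_DANGEROUS and MALWARE.
// DANGEROUS (adware, scareware, risktool, packed apps) only warns; SAFE and PUA are left alone.
fun mitigationFor(index: ThreatIndex): Mitigation = when (index) {
    ThreatIndex.SAFE,
    ThreatIndex.POTENTIALLY_UNWANTED_APPS -> Mitigation.NONE
    ThreatIndex.DANGEROUS -> Mitigation.WARN
    ThreatIndex.HIGHLY_DANGEROUS,
    ThreatIndex.MALWARE -> Mitigation.BLOCK
}

data class DeviceVerdict(
    val mitigation: Mitigation,              // strongest mitigation any installed app triggered
    val offenders: Map<String, ThreatIndex>, // package -> threat index for every app that is not SAFE
)

// Evaluate all installed apps once and reduce the list to one device-level verdict.
// `evaluate` is injected so the reduction can be unit-tested with constructed ApkThreat lists;
// in the app it is `{ antivirus.evaluateThreats() }`.
fun assessDevice(evaluate: () -> List<ApkThreat>): DeviceVerdict {
    val evaluated = evaluate()
    val offenders = evaluated
        .filter { it.threatIndex != ThreatIndex.SAFE }
        .associate { it.packageName to it.threatIndex }
    // Mitigation is declared weakest-first, so the highest ordinal is the strongest level.
    val strongest = evaluated
        .map { mitigationFor(it.threatIndex) }
        .maxByOrNull { it.ordinal } ?: Mitigation.NONE
    return DeviceVerdict(strongest, offenders)
}

// Gate a sensitive flow (login, payment confirmation) on the verdict. The BLOCK branch is where
// the integrating app applies its own mitigation: refusing the operation, requiring confirmation
// over another channel, or reporting `verdict.offenders` to its backend for fraud scoring.
fun canProceedWithSensitiveFlow(
    evaluate: () -> List<ApkThreat>,
    onWarn: (DeviceVerdict) -> Unit,
    onBlock: (DeviceVerdict) -> Unit,
): Boolean {
    val verdict = assessDevice(evaluate)
    return when (verdict.mitigation) {
        Mitigation.NONE -> true
        Mitigation.WARN -> { onWarn(verdict); true }
        Mitigation.BLOCK -> { onBlock(verdict); false }
    }
}

// Usage inside the app (assumed `antivirus` instance, as in the call shown above):
// val ok = canProceedWithSensitiveFlow({ antivirus.evaluateThreats() }, ::showWarning, ::showBlockedScreen)
```

Keeping the threat-index-to-mitigation mapping in one `when` makes the policy easy to review and change (for example, promoting DANGEROUS to BLOCK for a high-risk flow), and injecting the evaluation function lets the reduction be tested with constructed `ApkThreat` lists instead of a real device.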
Threat Reason
The SDK also pinpoints specific problematic capabilities of analyzed apps and provides other useful information about them.

| Threat Reason | Description |
| --- | --- |
| ACCESSIBILITY | The app has accessibility access. It can see the contents of other apps or perform actions on its own. This means it can potentially see the contents of your app and perform actions in other apps without the user knowing. |
| SMS_ACCESS | The app has access to text message contents. This is especially problematic when sensitive data such as authorization codes are delivered via SMS. |
| SCREEN_OVERRIDE | The app can override the UI of other apps. This means it can potentially present a fake UI that imitates other apps. |
| INSTALLER | The app can request the installation of other apps. This can potentially lead to the installation of harmful apps from outside Google Play. |
| UNINSTALLER | The app can request the uninstallation of other apps. Malware apps can use this to get rid of obstacles such as antivirus apps. Alternatively, in combination with installer capabilities, they can replace a genuine app with a fake one. |
| EVADER | The app tries to hide its code. It uses advanced techniques such as hiding classes (including public API classes) and loading them at runtime. This technique is frequently used by malware. |
| OUTSIDE_GOOGLE_PLAY | The app was not installed from Google Play. This reason has rather low significance because there are other app stores (many OEMs have their own) and because it can be spoofed. |
| CALLER | The app can interfere with your calls; for instance, it can set up call forwarding. |
| PRELOADED_APP | The app is preloaded on the device. Informative. |
| PRIVILEGED_APP | The app has extended (system) privileges. Informative. |
| DEVELOPMENT_OR_TEST | The app is a development build or a test app. Such apps usually appear only on devices meant for development and should not normally be present on end-user devices. Informative. |
More Information
There are some other bits of information the SDK can provide.
Installer Recognition
The SDK recognizes a few frequently used installers. Besides Google Play installs, it can identify a few other popular Android stores.
Malware Family Detection
In some cases, the SDK is able to locally determine the name of a detected malware family.
Malware Flags from Server
In some cases, the SDK obtains extra suggested flags from the server.
| Malware Flag | Description |
| --- | --- |
| MALWARE_TYPE | Determines a type of malware such as Trojan, Banker, Spyware, Adware and many others. |
| MALWARE_FAMILY | Determines a named family of malware. Examples: Cerberus, Anubis, Triada. |

There may be any number of `MALWARE_TYPE` and `MALWARE_FAMILY` flags for each application.
The SDK provides a utility method `apkThreat.isBanker()` that simplifies checking whether the app is flagged as Banker malware.
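An added example (not Malwarelytics SDK code) that serves both the Threat Reason section and this Malware Flags section: it separates the reasons the page marks as informative or low-significance from the actionable ones, collects every `MALWARE_TYPE` and `MALWARE_FAMILY` flag, and uses the documented `apkThreat.isBanker()`. The enum names `ThreatReason` and `MalwareFlagType`, a `MalwareFlag` class with `type` and `value`, and the properties `ApkThreat.packageName`, `ApkThreat.threatReasons` and `ApkThreat.malwareFlags` are assumptions not documented on this page.

```kotlin
// Added example, not Malwarelytics SDK code.
// Documented on this page: the ThreatReason values, the MALWARE_TYPE / MALWARE_FAMILY flags,
// and apkThreat.isBanker().
// Assumed (not documented here): enums ThreatReason and MalwareFlagType, a MalwareFlag(type, value)
// class, and the properties ApkThreat.packageName, ApkThreat.threatReasons, ApkThreat.malwareFlags.

// Reasons the page labels "Informative" or "rather low significance": worth recording in
// telemetry, but they should not drive a mitigation on their own.
val INFORMATIVE_REASONS = setOf(
    ThreatReason.PRELOADED_APP,
    ThreatReason.PRIVILEGED_APP,
    ThreatReason.DEVELOPMENT_OR_TEST,
    ThreatReason.OUTSIDE_GOOGLE_PLAY,
)

// Reasons that directly threaten this app's own UI and its SMS-delivered codes; a financial
// app will usually treat these as its highest-priority signals.
val UI_AND_OTP_REASONS = setOf(
    ThreatReason.ACCESSIBILITY,
    ThreatReason.SCREEN_OVERRIDE,
    ThreatReason.SMS_ACCESS,
)

data class ThreatSignal(
    val packageName: String,
    val actionableReasons: Set<ThreatReason>, // threat reasons minus the informative ones
    val threatensUiOrOtp: Boolean,            // any of UI_AND_OTP_REASONS present
    val isBanker: Boolean,                    // from the documented apkThreat.isBanker()
    val malwareTypes: List<String>,           // values of all MALWARE_TYPE flags
    val malwareFamilies: List<String>,        // values of all MALWARE_FAMILY flags
)

fun signalFor(threat: ApkThreat): ThreatSignal {
    val actionable: Set<ThreatReason> = threat.threatReasons - INFORMATIVE_REASONS
    // The page states there may be any number of each flag, so collect all of them rather
    // than taking only the first.
    val byType: Map<MalwareFlagType, List<String>> =
        threat.malwareFlags.groupBy({ it.type }, { it.value })
    return ThreatSignal(
        packageName = threat.packageName,
        actionableReasons = actionable,
        threatensUiOrOtp = actionable.any { it in UI_AND_OTP_REASONS },
        isBanker = threat.isBanker(),
        malwareTypes = byType[MalwareFlagType.MALWARE_TYPE].orEmpty(),
        malwareFamilies = byType[MalwareFlagType.MALWARE_FAMILY].orEmpty(),
    )
}

// Compact, stable line for backend telemetry or fraud scoring, for example (constructed):
// "com.example.constructed reasons=SCREEN_OVERRIDE,SMS_ACCESS banker=true type=Trojan family=Cerberus"
fun ThreatSignal.toTelemetryLine(): String = buildString {
    append(packageName)
    append(" reasons=")
    append(actionableReasons.sortedBy { it.name }.joinToString(",") { it.name })
    append(" banker=").append(isBanker)
    if (malwareTypes.isNotEmpty()) append(" type=").append(malwareTypes.joinToString(","))
    if (malwareFamilies.isNotEmpty()) append(" family=").append(malwareFamilies.joinToString(","))
}

// Which signals deserve escalation: a flagged banker, or anything that can read or overlay this
// app or read SMS. Everything else is logged only.
fun escalate(signals: List<ThreatSignal>): List<ThreatSignal> =
    signals.filter { it.isBanker || it.threatensUiOrOtp }

// Usage (assumed `antivirus` instance, as in the evaluateThreats() call shown earlier):
// val signals = antivirus.evaluateThreats().map(::signalFor)
// escalate(signals).forEach { report(it.toTelemetryLine()) }
```

Sending the structured signal to the backend rather than deciding everything on the client is the practical point: when `SMS_ACCESS` is present, the server can choose a second factor other than SMS for that session, and a `MALWARE_FAMILY` value gives the fraud team a name to correlate across devices.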
Permissions and Troubleshooting
Malwarelytics for Android uses the sensitive `android.permission.QUERY_ALL_PACKAGES` permission. This permission lets the SDK see all the apps installed on the device, which is what makes malware detection possible.
The permission `android.permission.QUERY_ALL_PACKAGES` is sensitive and requires a Google Play Prominent Disclosure.
Without the `QUERY_ALL_PACKAGES` permission, Malwarelytics for Android cannot see installed apps and therefore cannot detect malware.
Multiple Device Users
Android supports multiple users on a single device, and each user can install different apps. The Malwarelytics SDK can see only the apps installed under the same Android user as the app containing the SDK.
Applications can also be installed in special, separated and protected app spaces such as an Android work profile or Samsung's Secure Folder. Such protected spaces are usually implemented as separate Android users, so the Malwarelytics SDK cannot see apps installed there unless the app containing the SDK is also installed in the same protected space.