Malware Threat Identification

Malwarelytics for Android is capable to list and analyze apps installed on the device (both preloaded and user-installed).

Malware identification happens both locally and remotely.

The SDK contains a small engine that analyzes installed apps locally and downloads suggestions (remote evaluations) that are provided by the backend server. Both types of information are used to evaluate the apps installed on the device.

Evaluation of Apps

When Smart Protection is enabled, apps installed on the device are evaluated automatically. Nevertheless, the SDK offers ways to evaluate them manually as well. This can be done with a simple call:

val evaluatedList = antivirus.evaluateThreats()

The list in response contains evaluated ApkThreat instances that provide information about any threats.

Threat Index

The SDK categorizes the level of threat that each app potentially poses to other apps, the device, and the user. Five levels of threat (threat index) are recognized:

Threat Index Description
SAFE Apps that are harmless.
POTENTIALLY_UNWANTED_APPS Generally harmless apps that request and utilize potentially problematic permissions or system features.
DANGEROUS Apps that are problematic in some way but not especially harmful to other apps or the device user. Typical examples are adware, scareware, risktool or non-malicious packed app.
HIGHLY_DANGEROUS Apps that are dangerous and harmful but the potential damage is not that high. These apps typically utilize system resources in an undesired or annoying manner. Typical examples are riskware or hidden adware (Hiddad).
MALWARE Malware apps that are extremely dangerous and harmful. Typical examples are trojan, trojan-banker, backdoors or spyware.

Apps are recommended to perform some kind of mitigation when an app on the device is categorized as HIGHLY_DANGEROUS or MALWARE.

Threat Reason

The SDK also pinpoints some problematic features and provides some other important information about analyzed apps.

Threat Reason Description
ACCESSIBILITY The app has access to accessibility. It can see the contents of other apps or perform actions on its own. This means it can potentially see the contents of your app and perform actions in other apps without the user knowing.
SMS_ACCESS The app has access to text message contents. This is especially problematic when sensitive data such as authorization codes are delivered via SMS.
SCREEN_OVERRIDE The app can override the UI of other apps. This means it can potentially provide fake UI that imitates other apps.
INSTALLER The app can request installation of other apps. This can potentially lead to the installation of harmful apps coming from outside Google Play.
UNINSTALLER The app can request the uninstallation of other apps. Malware apps can use this to get rid of obstacles such as antivirus apps. Alternatively, in combination with installer capabilities, they can replace a genuine app with a fake one.
EVADER The app tries to hide its code. It uses advanced techniques, such as hiding classes (including public API classes) and loading them at runtime. This technique is frequently used by malware.
OUTSIDE_GOOGLE_PLAY The app was not installed from Google Play. This reason has rather low significance because there are other app stores (many OEMs have their own stores) and because it can be spoofed.
CALLER The app can play with your calls — for instance, it can set up call forwarding.
PRELOADED_APP The app is preloaded on the device. Informative.
PRIVILEGED_APP The app has extended (system) privileges. Informative.
DEVELOPMENT_OR_TEST The app is a development build or it is a test. These apps usually only appear on devices meant for development. Normally they should not be present on most end-user devices. Informative.

More Information

There are some other bits of information the SDK can provide.

Installer Recognition

The SDK recognizes a few frequently used installers. Besides Google Play installs, it can identify a few other popular Android stores.

Malware Family Detection

In some cases, the SDK is able to locally determine the name of a detected malware family.

Malware Flags from Server

In some cases, the SDK obtains extra suggested flags from the server.

Malware Flag Description
MALWARE_TYPE Determines a type of malware such as Trojan, Banker, Spyware, Adware and many others.
MALWARE_FAMILY Determines a named family of malware. Examples: Cerberus, Anubis, Triada.

There might be any number of MALWARE_TYPE and MALWARE_FAMILY flags for each application.

The SDK provides a utility method apkThreat.isBanker() that simplifies the identification of whether the app is flagged as a Banker malware.

Permissions and Troubleshooting

Malwarelytics for Android uses sensitive android.permission.QUERY_ALL_PACKAGES permission. Thanks to the permission the SDK can see all the apps installed on the device and can therefore detect malware apps.

The permission android.permission.QUERY_ALL_PACKAGES is sensitive and requires Google Play Prominent Disclosure.

Without the usage of the QUERY_ALL_PACKAGES permission, Malwarelytics for Android isn’t able to see and detect malware apps.

Multiple Device Users

Android supports multiple users on a single Android device. Each user can install different apps. Malwarelytics SDK is able to see only apps installed within the same user as the app containing the SDK.

Applications can be also installed within special separated and protected app spaces such as a Android work profile or Samsung’s Secure Folder. Such protected spaces are often based on special users and thus Malwarelytics SDK isn’t able to see apps installed there unless the app containing the SDK is also installed in the same protected space.

Last updated on Nov 21, 2023 (12:06) View product


Malwarelytics for Android