RASP Observer

RASP detections provided by Malwarelytics for Android can trigger the callbacks of a `RaspObserver`. An example of an observer implementing all available detection callbacks:
```kotlin
val raspObserver = object : RaspObserver {
    override fun onEmulatorDetected(emulatorDetection: EmulatorDetection) {
        // handle emulator detection
    }
    override fun onRootDetected(rootDetection: RootDetection) {
        // handle root detection
    }
    override fun onDebuggerDetected(debuggerDetected: Boolean) {
        // handle debugger detection
    }
    override fun onRepackagingDetected(repackagingResult: RepackagingResult) {
        // handle repackaging detection
    }
    override fun onScreenSharingDetected(screenSharingDetected: Boolean) {
        // handle screen sharing detection
    }
    override fun onTapjackingDetected(tapjackingDetection: TapjackingDetection) {
        // handle tapjacking detection
    }
    override fun onHttpProxyDetected(httpProxyDetected: Boolean) {
        // handle HTTP proxy detection
    }
    override fun onVpnDetected(vpnEnabled: Boolean) {
        // handle VPN detection
    }
    override fun onAdbStatusDetected(adbStatus: Boolean) {
        // handle ADB status detection
    }
    override fun onActiveCallDetected(activeCallDetection: ActiveCallDetection) {
        // handle active call detection
    }
    override fun onAppPresenceChanged(appPresenceDetection: AppPresenceDetection) {
        // handle app presence detection
    }
}
```
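As an added example (not code from Malwarelytics or its documentation), the skeleton above filled in with a reaction policy: every callback updates one aggregated risk state and a single decision is published to the app after each change, so that `INVALID_CONFIG` is never mistaken for a clean verdict, the root confidence score is used rather than the boolean alone, and the tapjacking app list is carried into the decision. The stand-in declarations at the top mirror only the members this page documents and exist so the file compiles without the SDK; `RiskDecision`, `RiskAggregatingObserver`, the 0.8 confidence threshold and the hard/soft split are this example's own assumptions, and registering the observer with the SDK is not shown on this page.

```kotlin
// Added example, not the Malwarelytics SDK's code: a RaspObserver whose callbacks feed one
// aggregated risk state, published as a RiskDecision after every change. Everything up to
// and including RaspObserver is a STAND-IN mirroring only the members documented on this
// page so the file compiles alone; in an app, delete the stand-ins and import the SDK's types.
data class EmulatorDetection(val isEmulator: Boolean)
data class RootDetection(val isRooted: Boolean, val rootDetectionConfidence: Float)
enum class RepackagingResult { REPACKAGED_APP, ORIGINAL_APP, INVALID_CONFIG }
data class TapjackingDetection(val isTapjackingBlocked: Boolean, val tapjackingCapableApps: List<String>)
class CallState                 // values not documented on this page; opaque here
data class ActiveCallDetection(val callState: CallState)
class AppPresenceDetection      // fields not documented on this page; opaque here

interface RaspObserver {
    fun onEmulatorDetected(emulatorDetection: EmulatorDetection)
    fun onRootDetected(rootDetection: RootDetection)
    fun onDebuggerDetected(debuggerDetected: Boolean)
    fun onRepackagingDetected(repackagingResult: RepackagingResult)
    fun onScreenSharingDetected(screenSharingDetected: Boolean)
    fun onTapjackingDetected(tapjackingDetection: TapjackingDetection)
    fun onHttpProxyDetected(httpProxyDetected: Boolean)
    fun onVpnDetected(vpnEnabled: Boolean)
    fun onAdbStatusDetected(adbStatus: Boolean)
    fun onActiveCallDetected(activeCallDetection: ActiveCallDetection)
    fun onAppPresenceChanged(appPresenceDetection: AppPresenceDetection)
}

/** What the rest of the app acts on; recomputed after every callback. endSession covers hard
 *  signals (repackaged build, debugger, confident root); reasons lists every active signal. */
data class RiskDecision(val endSession: Boolean, val hideSensitiveUi: Boolean, val blockTouchInput: Boolean, val reasons: Set<String>)

class RiskAggregatingObserver(
    private val rootConfidenceThreshold: Float = 0.8f,   // assumed cut-off; tune to your risk appetite
    private val publish: (RiskDecision) -> Unit
) : RaspObserver {
    private val hard = mutableSetOf<String>()   // signals that end the session
    private val soft = mutableSetOf<String>()   // signals that are logged or trigger step-up auth
    private var screenShared = false
    private var touchBlocked = false

    private fun mark(into: MutableSet<String>, reason: String, active: Boolean) {
        if (active) into += reason else into -= reason
    }
    private fun flag(into: MutableSet<String>, reason: String, active: Boolean) { mark(into, reason, active); emit() }
    private fun emit() = publish(RiskDecision(hard.isNotEmpty(), screenShared, touchBlocked, hard + soft))

    override fun onEmulatorDetected(emulatorDetection: EmulatorDetection) = flag(soft, "emulator", emulatorDetection.isEmulator)
    override fun onDebuggerDetected(debuggerDetected: Boolean) = flag(hard, "debugger attached", debuggerDetected)
    override fun onHttpProxyDetected(httpProxyDetected: Boolean) = flag(soft, "http proxy", httpProxyDetected)
    override fun onAdbStatusDetected(adbStatus: Boolean) = flag(soft, "adb debugging enabled", adbStatus)
    // VPN is reported after initialization only when one is active (see the trigger conditions
    // below), so a missing callback means "no VPN seen", never a confirmed "off" event.
    override fun onVpnDetected(vpnEnabled: Boolean) = flag(soft, "vpn", vpnEnabled)
    override fun onScreenSharingDetected(screenSharingDetected: Boolean) { screenShared = screenSharingDetected; emit() }

    override fun onRootDetected(rootDetection: RootDetection) {
        // Use the confidence score, not only the boolean: a cloaked root with a low score is
        // worth logging, a confident one is worth ending the session over.
        val confident = rootDetection.isRooted && rootDetection.rootDetectionConfidence >= rootConfidenceThreshold
        mark(hard, "root", confident)
        flag(soft, "root (low confidence)", rootDetection.isRooted && !confident)
    }

    override fun onRepackagingDetected(repackagingResult: RepackagingResult) = when (repackagingResult) {
        RepackagingResult.REPACKAGED_APP -> flag(hard, "repackaged app", true)
        RepackagingResult.ORIGINAL_APP -> flag(hard, "repackaged app", false)
        // INVALID_CONFIG is not a verdict: no signature hash was configured, so the check could not
        // run. Never treat it as ORIGINAL_APP; surface it so a misconfigured build fails QA.
        RepackagingResult.INVALID_CONFIG -> flag(soft, "repackaging check not configured", true)
    }

    override fun onTapjackingDetected(tapjackingDetection: TapjackingDetection) {
        touchBlocked = tapjackingDetection.isTapjackingBlocked
        soft.removeAll { it.startsWith("tapjacking") }   // the app list may differ from last time
        if (touchBlocked) soft += "tapjacking blocked by ${tapjackingDetection.tapjackingCapableApps}"
        emit()
    }

    override fun onActiveCallDetected(activeCallDetection: ActiveCallDetection) {
        // A real app maps the SDK's CallState values (not listed on this page) to a flag.
        soft.removeAll { it.startsWith("call state") }
        flag(soft, "call state: ${activeCallDetection.callState}", true)
    }

    override fun onAppPresenceChanged(appPresenceDetection: AppPresenceDetection) {
        // Fires when an unwanted app is present at initialization and on each later change to the
        // set; inspect the detection's contents (not documented here) before clearing this flag.
        flag(soft, "unwanted app reported", true)
    }
}

fun main() {
    val observer = RiskAggregatingObserver { println("endSession=${it.endSession} reasons=${it.reasons}") }
    observer.onRepackagingDetected(RepackagingResult.INVALID_CONFIG)                              // logged only
    observer.onRootDetected(RootDetection(isRooted = true, rootDetectionConfidence = 0.35f))      // low confidence
    observer.onRootDetected(RootDetection(isRooted = true, rootDetectionConfidence = 0.95f))      // endSession=true
}
```

The `main` simulates three callbacks: a misconfigured repackaging check and a low-confidence root are recorded as soft reasons without ending the session, while a confident root flips `endSession` to `true`. Keeping the hard/soft split in one place makes it easy to review which detections are allowed to terminate a session and which only feed telemetry or step-up authentication.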
Callback Trigger Conditions

The detections vary greatly in how they work, so the callback methods are triggered under different conditions. The conditions for triggering the callback methods of `RaspObserver` are:
Emulator

The emulator detection callback `onEmulatorDetected(EmulatorDetection)` is triggered by an automated check with any detected value, i.e. both "device is an emulator" and "device is a regular device" are reported. The result is identified by the `isEmulator: Boolean` property of the returned `EmulatorDetection` data class. Additional fields carry information about the type of emulator and some debugging information.
Root

The root detection callback `onRootDetected(RootDetection)` is triggered by an automated check with any detected value, i.e. both "device is rooted" and "device is not rooted" are reported. The result is identified by the `isRooted: Boolean` property of the returned `RootDetection` data class. An important property is also `rootDetectionConfidence: Float`, which holds a value from 0.0 to 1.0 expressing the confidence that the device is rooted; a reaction as drastic as ending the session should take this confidence into account rather than the boolean alone. Additional fields carry information about attempts to cloak the root and some debugging information.
Debugger

The debugger detection callback `onDebuggerDetected(Boolean)` is triggered by an automated check with any detected value, i.e. both "a debugger of some type is attached" and "no debugger attached" are reported. The result is the boolean argument, `true` indicating that a debugger is attached.
Repackaging

The repackaging detection callback `onRepackagingDetected(RepackagingResult)` is triggered by an automated check with any detected value. The value is one of `REPACKAGED_APP`, `ORIGINAL_APP`, or `INVALID_CONFIG`. The value `INVALID_CONFIG` indicates that no signature hash was specified in the configuration, so repackaging detection cannot decide whether the app is original or repackaged. It is a configuration error rather than a verdict and must not be handled as if it were `ORIGINAL_APP`.
Screen Sharing

The screen sharing detection callback `onScreenSharingDetected(Boolean)` is triggered automatically after initialization with any detected value. It is also triggered whenever screen sharing changes state, i.e. is turned on or turned off. The result is the boolean argument, `true` indicating that screen sharing is turned on.
Tapjacking

The tapjacking detection callback `onTapjackingDetected(TapjackingDetection)` is triggered automatically after initialization with any detected value. It is also triggered when tapjacking blocking is turned on or off, either because an app was installed, uninstalled, or updated, or because updated app suggestions changed the evaluation of an app. The returned `TapjackingDetection` data class contains the `isTapjackingBlocked: Boolean` property indicating whether tapjacking is being blocked; `true` means it is. In that case the `tapjackingCapableApps: List<String>` property lists the apps that cause tapjacking to be blocked, identified by their package names (application IDs).

Reactions to app changes (installation, uninstallation, and update) happen only when the Anti-Malware feature of the SDK is used.
HTTP Proxy

The HTTP proxy detection callback `onHttpProxyDetected(Boolean)` is triggered automatically after initialization with any detected value. It is also triggered whenever a change in the HTTP proxy configuration parameters is detected. The result is the boolean argument, `true` indicating that an HTTP proxy is in use.
VPN

The VPN detection callback `onVpnDetected(Boolean)` is triggered automatically after initialization only if a VPN is in use; unlike most other detections, no callback is delivered at initialization when no VPN is active. It is also triggered whenever the VPN is turned on or off. The result is the boolean argument, `true` indicating that a VPN is turned on.
ADB Status

The ADB status detection callback `onAdbStatusDetected(Boolean)` is triggered automatically after initialization with any detected value. It is also triggered whenever a change in the ADB configuration is detected; changes to ADB debugging over USB as well as over Wi-Fi trigger the callback. The result is the boolean argument, `true` indicating that ADB debugging is turned on (over USB or over Wi-Fi).
Active Call

The active call detection callback `onActiveCallDetected(ActiveCallDetection)` is triggered automatically after initialization with any detected value. It is also triggered whenever a change in the call state is detected. The returned `ActiveCallDetection` data class contains the `callState: CallState` property holding the detected call state.
App Presence

The app presence detection callback `onAppPresenceChanged(AppPresenceDetection)` is triggered automatically after initialization only if an unwanted app is present on the device. It is also triggered whenever the set of installed unwanted apps changes, i.e. when any of the unwanted apps specified in the configuration is installed, uninstalled, or updated.

Reactions to app changes happen only when the Anti-Malware feature of the SDK is used.
Summary

The table below summarizes when each callback method is triggered by the automated checks.

| RASP Detection | Automated checks return |
|---|---|
| Emulator | Any value |
| Root | Any value |
| Debugger | Any value |
| Repackaging | Any value |
| Screen sharing | Any value |
| Tapjacking | Any value |
| HTTP proxy | Any value |
| VPN | Only if a VPN is on |
| ADB status | Any value |
| Active call | Any value |
| App presence | Only if an unwanted app is present |

Some callback methods are also triggered as a result of automatically detected changes. The following table summarizes the changes that cause each callback to be triggered.

| RASP Detection | Reported changes |
|---|---|
| Screen sharing | Change in screen sharing: turned on or off |
| Tapjacking | Change in tapjacking blocking: turned on or off |
| HTTP proxy | Change in HTTP proxy configuration parameters |
| VPN | Change in VPN state: turned on or off |
| ADB status | Change in ADB configuration: USB or Wi-Fi debugging |
| Active call | Change of call state |
| App presence | Change in the set of detected apps: app install, uninstall, or update |