Select release
Introduction

Home

Installation

Configuration

Initialization

Common Usage Scenarios

Recommended Responses to Security Issues

Google Play Prominent Disclosure

SafetyNet Google Play Warning

Device Fingerprinting

Troubleshooting

Release Notes

Migration to Version 1.2.x

Migration to Version 1.0.x

Runtime Protection

RASP Features Overview

Debugger Detection

Emulator Detection

Root Detection

Repackaging Detection

Blocking Screen Readers

Screen Sharing Detection

Blocking Screenshots

Tapjacking Protection

HTTP Proxy Detection

VPN Detection

Screen Lock Usage

Google Play Protect Status

Changing Process Name

Detection of ADB Status

Detection of Developer Options Status

Detection of Biometry Enrollment Status

Detection of Active Call

App Presence Detection

Activity protection

RASP Observer

Anti-Malware

Anti-Malware Use-Cases

Anti-Malware Feature Overview

Malware Threat Identification

Malware Threat Mitigation

Listening to App Changes

Installer identification

Smart Protection

Smart Protection UI Customization

Common Usage Scenarios

View product develop

Malwarelytics for Android offers a huge variety of possible usages and integrations within an app. The SDK offers Anti-Malware and Runtime Protection components providing different features that can be used separately. Moreover, the SDK can be used in an online mode, when it’s connected to a remote console app, or in an offline mode.

Online and Offline Mode

The most common usage of Malwarelytics for Android is to run it in online mode. A crucial condition for the SDK to run in online mode is to provide API credentials in the configuration. The API credentials consist of API_USERNAME, API_PASSWORD, and API_SIGNATURE_PUBLIC_KEY and can be found in the Malwarelytics console.

The minimum online configuration has to contain:

val config = AppProtectionConfig.Builder(appContext)
    .apiUsername(API_USERNAME)
    .apiPassword(API_PASSWORD)
    .apiSignaturePublicKey(API_SIGNATURE_PUBLIC_KEY)
    // other configuration items
    .build()

If the API_USERNAME, API_PASSWORD, and API_SIGNATURE_PUBLIC_KEY values are not provided, the SDK will run in offline mode without a connection to the remote Malwarelytics console.

The mode, in which the SDK was initialized, corresponds with the initialization result value. The result PERMANENT_OFFLINE_MODE indicates that the SDK is initialized into offline mode.

Using Anti-Malware Feature Only

The Anti-Malware feature can be used separately from the RASP feature. To use only the Anti-Malware feature, it’s necessary to configure Malwarelytics for Android with the turned-off RASP feature. That can be done by not configuring RASP at all.

val config = AppProtectionConfig.Builder(appContext)
    // no usage and no value passed to .raspConfig()
    // other configuration items
    .build()

Turned off the RASP feature doesn’t affect the functionality of the Anti-Malware feature in any way.

Anti-Malware Feature in Offline Mode

When used in offline mode Anti-Malware feature doesn’t have data from the remote console for proper identification of malware threats. This greatly reduces the capability of the SDK to detect malware.

It is not recommended to use the Anti-Malware feature in offline mode due to a significant number of false positive and false negative detections.

Using RASP Feature Only

The RASP (runtime application self-protection) feature can be used separately from the Anti-Malware feature. To use the RASP feature only, it’s necessary to disable the Anti-Malware feature in the configuration.

val config = AppProtectionConfig.Builder(appContext)
    .antivirusConfig(
        AntivirusConfig.Builder()
            .enableAntivirus(false)
            .build()
    )
    // other configuration items
    .build()

A few features might be affected by missing data caused by the missing Anti-Malware feature, namely tapjacking protection and app presence detection.

Tapjacking Protection in RASP Only

Tapjacking protection uses malware threat identification and listening to app changes provided by the Anti-Malware feature. With the Anti-Malware feature being disabled, the blockTapjackingSensitivity configuration cannot be used. In the case of the usage of offline RASP only, tapjacking protection cannot distinguish which apps are problematic and all apps capable of creating overlays are marked as “problematic”. In this case, it’s recommended not to use tapjacking protection because of a significant risk of false positives.

Tapjacking protection can be disabled in the configuration with:

val raspConfig = RaspConfig.Builder()
    .tapjacking(
        TapjackingBlockConfig.Builder()
            .action(BlockConfig.NoAction)
            .build()
    )
    // configuration of other RASP features
    .build()

App Presence Detection in RASP Only

App presence detection uses listening to app changes provided by the Anti-Malware feature. In this case, the app presence detection doesn’t react to app changes - installs, uninstalls, and updates. A manual check for the presence of unwanted apps is still possible by calling raspManager.getAppPresenceDetection().

RASP Feature in Offline Mode

RASP feature in offline mode provides the full set of features as in the online mode with the only exception of tapjacking protection. Tapjacking protection uses malware threat identification feature that suffers from more false positives and false negatives when the SDK is used in offline mode as mentioned in Anti-Malware Feature in Offline Mode.

Last updated on Nov 16, 2023 (08:41) View product
On this page:
Search

develop

Malwarelytics for Android