RASP Observer

RASP detections provided by Malwarelytics for Android might trigger RaspObserver. An example of an observer with all available detections:

val raspObserver = object : RaspObserver {
    override fun onEmulatorDetected(emulatorDetection: EmulatorDetection) {
        // handle emulator detection
    }

    override fun onRootDetected(rootDetection: RootDetection) {
        // handle root detection
    }

    override fun onDebuggerDetected(debuggerDetected: Boolean) {
        // handle debugger detection
    }

    override fun onRepackagingDetected(repackagingResult: RepackagingResult) {
        // handle repackaging detection
    }

    override fun onScreenSharingDetected(screenSharingDetection: ScreenSharingDetection) {
        // handle screen sharing detection
    }

    override fun onScreenReaderDetected(screenReaderDetection: ScreenReaderDetection) {
        // handle screen reader detection
    }

    override fun onTapjackingDetected(tapjackingDetection: TapjackingDetection) {
        // handle tapjacking detection
    }

    override fun onHttpProxyDetected(httpProxyDetected: Boolean) {
        // handle HTTP proxy detection
    }

    override fun onVpnDetected(vpnEnabled: Boolean) {
        // handle VPN detection
    }

    override fun onAdbStatusDetected(adbStatus: Boolean) {
        // handle ADB status detection
    }
    
    override fun onActiveCallDetected(activeCallDetection: ActiveCallDetection) {
        // handle active call detection
    }

    override fun onAppPresenceChanged(appPresenceDetection: AppPresenceDetection) {
        // handle app presence detection
    }
}

Callback Trigger Conditions

The detections vary greatly in their functionality, therefore different callback methods can be triggered in different conditions.

The conditions for triggering callback methods of RaspObserver are:

Emulator

Emulator detection callback onEmulatorDetected(EmulatorDetection) is triggered by an automated check with any detected value. The value might be either “device being an emulator” or “device being a regular device”. The result is identified by the isEmulator: Boolean property of the returned EmulatorDetection data class. Additional fields contain information about the type of emulator and some debugging information.

Root

Root detection callback onRootDetected(RootDetection) is triggered by an automated check with any detected value - either “device being rooted” or “device not being rooted”. The result is identified by the isRooted: Boolean property of the returned RootDetection data class. An important property is also rootDetectionConfidence: Float which returns a value from 0.0 to 1.0 indicating confidence in the device being rooted. Additional fields contain additional information about attempts to cloak the root and some debugging information.

Debugger

Debugger detection callback onDebuggerDetected(Boolean) is triggered by an automated check with any detected value - either “attached debugger of a certain type” or “no debugger attached”. The result is identified by the boolean argument, true indicating that a debugger is attached.

Repackaging

Repackaging detection callback onRepackagingDetected(RepackagingResult) is triggered by an automated check with any detected value. The value might be one of REPACKAGED_APP, ORIGINAL_APP, or INVALID_CONFIG. Value INVALID_CONFIG indicates that no signature hash was specified in the configuration and repackaging detection cannot decide if the app is original or repackaged.

Screen Sharing

Screen sharing detection callback onScreenSharingDetected(ScreenSharingDetection) is triggered automatically after initialization if the screen is being shared. The callback is also triggered when any change in screen sharing is detected. Such change is either turning screen sharing on or turning screen sharing off.

Unfortunately, screen sharing performed by some applications generates only transient data. Transient detections cannot be directly obtained via RaspManager.getScreenSharingDetection(), these detections are only delivered via the callback right after they are detected a verification is not possible later. A transient change is either the detection of an added display or a removed display.

The returned data class ScreenSharingDetection contains the isScreenShared: Boolean property that is the primary indicator of a shared screen. This property contains only non-transient data. Some detections contain transient data in the transientData property.

As a simplification, the ScreenSharingDetection also contains isProblematic:Boolean and isTransientChange:Boolean properties. The first indicates whether the screen is either shared or a display was just added. The second indicates whether the detection contains a transient change. The transientData property contains a data class with details about the transient change that was just detected. Namely displayAdded and displayRemoved properties indicating whether a display has just been added or removed.

Screen Readers

Screen reader detection callback onScreenReaderDetected(ScreenReaderDetection) is triggered automatically after initialization only if it detects that there’s at least one enabled screen reader. The callback is also triggered when a change in the set of enabled screen readers is detected. The returned data class ScreenReaderDetection contains lists of enabledScreenReaders, installedScreenReaders, and notAllowedScreenReaders. The list of not allowed screen readers depends on the provided configuration of the screen reader blocking feature.

Tapjacking

Tapjacking detection callback onTapjackingDetected(TapjackingDetection) is triggered automatically after initialization and returns any detected value. The callback is also triggered when tapjacking is turned on or turned off due to app installation, uninstallation, or update, or due to updated app suggestions changing app evaluations. The returned data class TapjackingDetection contains the isTapjackingBlocked: Boolean property indicating whether tapjacking is being blocked. Value true indicates that tapjacking is blocked. In this case, the property tapjackingCapableApps: List<String> contains a list of apps causing tapjacking to be blocked. The apps are identified by their package names (application IDs).

Reactions to app changes (installation, uninstallation, and update) happen only when the Anti-Malware feature of the SDK is used.

HTTP Proxy

HTTP proxy detection callback onHttpProxyDetected(Boolean) is triggered automatically after initialization and returns any detected value. The callback is also triggered when any change in HTTP proxy configuration parameters is detected. The result is identified by the boolean argument, the value true indicates that an HTTP proxy is being used.

VPN

VPN detection callback onVpnDetected(Boolean) is triggered automatically after initialization if a VPN is being used. The callback is also triggered whenever the VPN is turned on or turned off. The result is identified by the boolean argument, the value true indicates that a VPN is turned on.

ADB Status

ADB status detection callback onAdbStatusDetected(Boolean) is triggered automatically after initialization and returns any detected value. The callback is also triggered when any change in ADB configuration is detected. Changes in either ADB debugging over USB or ADB debugging over Wi-Fi will cause the callback to be triggered. The result is identified by the boolean argument, value true indicates that ADB debugging is turned on (either over USB or over Wi-Fi).

Active Call

Active call detection callback onActiveCallDetected(ActiveCallDetection) is triggered automatically after initialization and returns any detected value. The callback is also triggered when any change in the call state is detected. The returned data class ActiveCallDetection contains the callState: CallState property indicating the detected call state.

App Presence

App presence detection callback onAppPresenceChanged(AppPresenceDetection) is triggered automatically after initialization if an unwanted app is present on the device. The callback is also triggered when there’s a change in the set of installed unwanted apps. Such changes might be installs, uninstalls, or updates of any of the unwanted apps that were specified in the configuration.

Reactions to app changes happen only when the Anti-Malware feature of the SDK is used.

Summary

The table below summarizes when each callback method is triggered.

RASP Detection Automated checks return
Emulator Any value
Root Any value
Debugger Any value
Repackaging Any value
Screen sharing Only if screen sharing is on.
Screen readers Only if there is an enabled screen reader.
Tapjacking Any value
HTTP proxy Any value
VPN Only if VPN is on.
ADB status Any value
Active call Any value
App presence Only if an unwanted app is present.

Some callback methods are also triggered as a result of some automatically detected changes. The following table summarizes conditions in which such changes cause callbacks to be triggered.

RASP Detection Reported changes
Screen sharing Change in screen sharing - turning on/off. And detection of a transient change.
Screen readers Change in the set of enabled screen reader apps.
Tapjacking Change in blocking tapjacking - turning on/off.
HTTP proxy Change in HTTP proxy configuration parameters.
VPN Change of VPN detection - turning on/off.
ADB status Change in ADB configuration - USB or Wi-Fi.
Active call Change of call state.
App presence Change in the set of detected apps - app install, uninstall or update.
Last updated on Feb 06, 2024 (11:36) View product
Search

develop

Malwarelytics for Android