RASP Observer
RASP detections provided by Malwarelytics for Android might trigger RaspObserver callbacks. An example of an observer with all available detections:
```kotlin
val raspObserver = object : RaspObserver {
    override fun onEmulatorDetected(emulatorDetection: EmulatorDetection) {
        // handle emulator detection
    }
    override fun onRootDetected(rootDetection: RootDetection) {
        // handle root detection
    }
    override fun onDebuggerDetected(debuggerDetected: Boolean) {
        // handle debugger detection
    }
    override fun onRepackagingDetected(repackagingResult: RepackagingResult) {
        // handle repackaging detection
    }
    override fun onScreenSharingDetected(screenSharingDetection: ScreenSharingDetection) {
        // handle screen sharing detection
    }
    override fun onScreenReaderDetected(screenReaderDetection: ScreenReaderDetection) {
        // handle screen reader detection
    }
    override fun onScreenshotDetected(screenshotDetection: ScreenshotDetection) {
        // handle screenshot detection
        // delivered only on Android 14+
    }
    override fun onTapjackingDetected(tapjackingDetection: TapjackingDetection) {
        // handle tapjacking detection
    }
    override fun onHttpProxyDetected(httpProxyDetected: Boolean) {
        // handle HTTP proxy detection
    }
    override fun onVpnDetected(vpnEnabled: Boolean) {
        // handle VPN detection
    }
    override fun onAdbStatusDetected(adbStatus: Boolean) {
        // handle ADB status detection
    }
    override fun onActiveCallDetected(activeCallDetection: ActiveCallDetection) {
        // handle active call detection
    }
    override fun onAppPresenceChanged(appPresenceDetection: AppPresenceDetection) {
        // handle app presence detection
    }
}
```
Callback Trigger Conditions
The detections vary greatly in their functionality, so different callback methods are triggered under different conditions. The conditions for triggering the callback methods of RaspObserver are:
Emulator
Emulator detection callback onEmulatorDetected(EmulatorDetection) is triggered by an automated check with any detected value: either "device is an emulator" or "device is a regular device". The result is identified by the isEmulator: Boolean property of the returned EmulatorDetection data class. Additional fields contain information about the type of emulator and some debugging information.
Root
Root detection callback onRootDetected(RootDetection) is triggered by an automated check with any detected value: either "device is rooted" or "device is not rooted". The result is identified by the isRooted: Boolean property of the returned RootDetection data class. Another important property is rootDetectionConfidence: Float, a value from 0.0 to 1.0 indicating the confidence that the device is rooted. Additional fields carry information about attempts to cloak the root and some debugging information.
Debugger
Debugger detection callback onDebuggerDetected(Boolean) is triggered by an automated check with any detected value: either "a debugger of a certain type is attached" or "no debugger attached". The result is identified by the boolean argument; true indicates that a debugger is attached.
Repackaging
Repackaging detection callback onRepackagingDetected(RepackagingResult) is triggered by an automated check with any detected value. The value is one of REPACKAGED_APP, ORIGINAL_APP, or INVALID_CONFIG. The value INVALID_CONFIG indicates that no signature hash was specified in the configuration, so repackaging detection cannot decide whether the app is original or repackaged; it should be handled as a configuration error rather than as a clean result.
Screen Sharing
Screen sharing detection callback onScreenSharingDetected(ScreenSharingDetection) is triggered automatically after initialization if the screen is being shared. The callback is also triggered when any change in screen sharing is detected, i.e. screen sharing being turned on or off.
Unfortunately, screen sharing performed by some applications generates only transient data. Transient detections cannot be obtained later via RaspManager.getScreenSharingDetection(); they are delivered only via the callback right after they are detected, and verification is not possible afterwards. A transient change is the detection of either an added display or a removed display.
The returned data class ScreenSharingDetection contains the isScreenShared: Boolean property, which is the primary indicator of a shared screen. This property reflects only non-transient data. Some detections carry transient data in the transientData property.
As a simplification, ScreenSharingDetection also contains the isProblematic: Boolean and isTransientChange: Boolean properties. The first indicates whether the screen is either shared or a display was just added. The second indicates whether the detection contains a transient change. The transientData property holds a data class with details about the transient change that was just detected, namely the displayAdded and displayRemoved properties indicating whether a display has just been added or removed.
Screen Readers
Screen reader detection callback onScreenReaderDetected(ScreenReaderDetection) is triggered automatically after initialization only if at least one screen reader is enabled. The callback is also triggered when a change in the set of enabled screen readers is detected. The returned data class ScreenReaderDetection contains the lists enabledScreenReaders, installedScreenReaders, and notAllowedScreenReaders. The list of not allowed screen readers depends on the provided configuration of the screen reader blocking feature.
Tapjacking
Tapjacking detection callback onTapjackingDetected(TapjackingDetection) is triggered automatically after initialization with any detected value. The callback is also triggered when tapjacking blocking is turned on or off due to an app installation, uninstallation, or update, or because updated app suggestions changed the evaluation of an app. The returned data class TapjackingDetection contains the isTapjackingBlocked: Boolean property indicating whether tapjacking is being blocked; true means it is. In that case, the tapjackingCapableApps: List<String> property contains the list of apps that caused tapjacking to be blocked, identified by their package names (application IDs).
Reactions to app changes (installation, uninstallation, and update) happen only when the Anti-Malware feature of the SDK is used.
HTTP Proxy
HTTP proxy detection callback onHttpProxyDetected(Boolean) is triggered automatically after initialization with any detected value. The callback is also triggered when any change in the HTTP proxy configuration parameters is detected. The result is identified by the boolean argument; true indicates that an HTTP proxy is in use.
VPN
VPN detection callback onVpnDetected(Boolean) is triggered automatically after initialization only if a VPN is in use. The callback is also triggered whenever the VPN is turned on or off. The result is identified by the boolean argument; true indicates that a VPN is turned on.
ADB Status
ADB status detection callback onAdbStatusDetected(Boolean) is triggered automatically after initialization with any detected value. The callback is also triggered when any change in the ADB configuration is detected; a change in either ADB debugging over USB or ADB debugging over Wi-Fi triggers it. The result is identified by the boolean argument; true indicates that ADB debugging is turned on (over USB or over Wi-Fi).
Active Call
Active call detection callback onActiveCallDetected(ActiveCallDetection) is triggered automatically after initialization with any detected value. The callback is also triggered when any change in the call state is detected. The returned data class ActiveCallDetection contains the callState: CallState property indicating the detected call state.
App Presence
App presence detection callback onAppPresenceChanged(AppPresenceDetection) is triggered automatically after initialization only if an unwanted app is present on the device. The callback is also triggered when there is a change in the set of installed unwanted apps, i.e. an install, uninstall, or update of any of the unwanted apps specified in the configuration.
Reactions to app changes happen only when the Anti-Malware feature of the SDK is used.
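As an added example (not code from the Malwarelytics SDK or its documentation), the observer below turns the properties described in the Root, Repackaging, Screen Sharing, Screen Readers and Tapjacking sections above into app-level decisions instead of leaving the callback bodies empty. Imports for the SDK types are omitted because this page does not give their package. Decision, Severity, RaspPolicy and the sink callback are hypothetical app-side names; the 0.8 root confidence threshold is an arbitrary choice; RepackagingResult is assumed to be an enum with the three values listed above and transientData is assumed to be nullable.

```kotlin
// Added example, not SDK code. SDK type imports (RaspObserver, RootDetection, ...)
// are omitted because the page does not name their package. Decision, Severity,
// RaspPolicy and the sink are hypothetical app-side types.

enum class Severity { NONE, WARN, HIDE_SENSITIVE_UI, BLOCK, CONFIG_ERROR }

data class Decision(val severity: Severity, val source: String, val detail: String = "")

object RaspPolicy {
    // Root: isRooted says "rooted", rootDetectionConfidence says how sure the SDK is.
    // Block on strong signals, only warn (and log) on weak or cloaked ones.
    // The 0.8 threshold is an arbitrary example value.
    fun root(isRooted: Boolean, confidence: Float, blockAt: Float = 0.8f): Decision = when {
        !isRooted -> Decision(Severity.NONE, "root")
        confidence >= blockAt -> Decision(Severity.BLOCK, "root", "confidence=$confidence")
        else -> Decision(Severity.WARN, "root", "confidence=$confidence")
    }

    // Repackaging: INVALID_CONFIG means no signature hash was configured, so the check
    // could not run. In a release build that is a misconfiguration, never "original app".
    fun repackaging(result: RepackagingResult, releaseBuild: Boolean): Decision = when (result) {
        RepackagingResult.ORIGINAL_APP -> Decision(Severity.NONE, "repackaging")
        RepackagingResult.REPACKAGED_APP -> Decision(Severity.BLOCK, "repackaging")
        RepackagingResult.INVALID_CONFIG -> Decision(
            if (releaseBuild) Severity.CONFIG_ERROR else Severity.WARN,
            "repackaging", "no signature hash configured")
    }

    // Screen sharing: isScreenShared is durable state that can be re-read later via
    // RaspManager.getScreenSharingDetection(). A transient displayAdded is a one-shot
    // event that cannot be re-verified, so it must be acted on inside the callback.
    fun screenSharing(d: ScreenSharingDetection): Decision = when {
        d.isScreenShared -> Decision(Severity.HIDE_SENSITIVE_UI, "screen-sharing", "shared")
        d.isTransientChange && d.transientData?.displayAdded == true ->
            Decision(Severity.HIDE_SENSITIVE_UI, "screen-sharing", "transient display added")
        else -> Decision(Severity.NONE, "screen-sharing")
    }

    // Screen readers: only readers outside the configured allow-list are a problem;
    // an enabled but allowed reader is ordinary accessibility use.
    fun screenReaders(d: ScreenReaderDetection): Decision =
        if (d.notAllowedScreenReaders.isNotEmpty())
            Decision(Severity.BLOCK, "screen-reader", d.notAllowedScreenReaders.joinToString())
        else Decision(Severity.NONE, "screen-reader")

    // Tapjacking: when blocking is active the SDK already protects the UI; surface the
    // package names that caused it so support can explain any degraded interaction.
    fun tapjacking(d: TapjackingDetection): Decision =
        if (d.isTapjackingBlocked)
            Decision(Severity.WARN, "tapjacking", d.tapjackingCapableApps.joinToString())
        else Decision(Severity.NONE, "tapjacking")

    // Plain boolean detections (debugger, proxy, VPN, ADB, emulator).
    fun flag(on: Boolean, source: String, severity: Severity = Severity.WARN): Decision =
        Decision(if (on) severity else Severity.NONE, source)
}

class PolicyRaspObserver(
    private val releaseBuild: Boolean,
    private val sink: (Decision) -> Unit, // e.g. a logger, telemetry, or a UI state holder
) : RaspObserver {
    override fun onEmulatorDetected(emulatorDetection: EmulatorDetection) =
        sink(RaspPolicy.flag(emulatorDetection.isEmulator, "emulator", Severity.BLOCK))
    override fun onRootDetected(rootDetection: RootDetection) =
        sink(RaspPolicy.root(rootDetection.isRooted, rootDetection.rootDetectionConfidence))
    override fun onDebuggerDetected(debuggerDetected: Boolean) =
        sink(RaspPolicy.flag(debuggerDetected, "debugger", Severity.BLOCK))
    override fun onRepackagingDetected(repackagingResult: RepackagingResult) =
        sink(RaspPolicy.repackaging(repackagingResult, releaseBuild))
    override fun onScreenSharingDetected(screenSharingDetection: ScreenSharingDetection) =
        sink(RaspPolicy.screenSharing(screenSharingDetection))
    override fun onScreenReaderDetected(screenReaderDetection: ScreenReaderDetection) =
        sink(RaspPolicy.screenReaders(screenReaderDetection))
    override fun onScreenshotDetected(screenshotDetection: ScreenshotDetection) =
        sink(Decision(Severity.WARN, "screenshot")) // delivered only on Android 14+
    override fun onTapjackingDetected(tapjackingDetection: TapjackingDetection) =
        sink(RaspPolicy.tapjacking(tapjackingDetection))
    override fun onHttpProxyDetected(httpProxyDetected: Boolean) =
        sink(RaspPolicy.flag(httpProxyDetected, "http-proxy"))
    override fun onVpnDetected(vpnEnabled: Boolean) =
        sink(RaspPolicy.flag(vpnEnabled, "vpn"))
    override fun onAdbStatusDetected(adbStatus: Boolean) =
        sink(RaspPolicy.flag(adbStatus, "adb"))
    // CallState values are not listed on this page, so only record the state here.
    override fun onActiveCallDetected(activeCallDetection: ActiveCallDetection) =
        sink(Decision(Severity.NONE, "active-call", "callState=${activeCallDetection.callState}"))
    // Fires only when an unwanted app is present or the set of unwanted apps changes.
    override fun onAppPresenceChanged(appPresenceDetection: AppPresenceDetection) =
        sink(Decision(Severity.WARN, "app-presence"))
}
```

Wire an instance, for example PolicyRaspObserver(releaseBuild = !BuildConfig.DEBUG) { decision -> ... }, wherever the SDK accepts a RaspObserver (the registration call is not shown on this page). Keeping the decisions in RaspPolicy as pure functions over the detection properties lets the thresholds and the transient screen-sharing handling be unit-tested without the SDK.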
Summary
The table below summarizes when each callback method is triggered.

| RASP Detection | Automated checks return |
|---|---|
| Emulator | Any value |
| Root | Any value |
| Debugger | Any value |
| Repackaging | Any value |
| Screen sharing | Only if screen sharing is on. |
| Screen readers | Only if there is an enabled screen reader. |
| Tapjacking | Any value |
| HTTP proxy | Any value |
| VPN | Only if VPN is on. |
| ADB status | Any value |
| Active call | Any value |
| App presence | Only if an unwanted app is present. |

Some callback methods are also triggered as a result of automatically detected changes. The following table summarizes the conditions in which such changes cause callbacks to be triggered.

| RASP Detection | Reported changes |
|---|---|
| Screen sharing | Change in screen sharing (turning on/off), and detection of a transient change. |
| Screen readers | Change in the set of enabled screen reader apps. |
| Tapjacking | Change in tapjacking blocking (turning on/off). |
| HTTP proxy | Change in HTTP proxy configuration parameters. |
| VPN | Change of VPN detection (turning on/off). |
| ADB status | Change in ADB configuration (USB or Wi-Fi). |
| Active call | Change of call state. |
| App presence | Change in the set of detected apps (app install, uninstall or update). |