Select release
Introduction

Home

Installation

Configuration

Initialization

Common Usage Scenarios

Recommended Responses to Security Issues

Google Play Prominent Disclosure

SafetyNet Google Play Warning

Device Fingerprinting

Troubleshooting

Release Notes

Migration to Version 1.5.x

Migration to Version 1.4.x

Migration to Version 1.3.x

Migration to Version 1.2.x

Migration to Version 1.0.x

Runtime Protection

RASP Features Overview

Debugger Detection

Emulator Detection

Root Detection

Repackaging Detection

Screen Sharing Blocking and Detection

Blocking Screen Readers

Screenshot Blocking and Detection

Screen Recording Detection

Tapjacking Protection

HTTP Proxy Detection

VPN Detection

Screen Lock Usage

Google Play Protect Status

Changing Process Name

Detection of ADB Status

Detection of Developer Options Status

Detection of Biometry Enrollment Status

Detection of Active Call

App Presence Detection

Spoofed Location Detection

Android Auto Detection

Blocking Emulated Input

Activity protection

RASP Observer

Anti-Malware

Anti-Malware Use-Cases

Anti-Malware Feature Overview

Malware Threat Identification

Malware Threat Mitigation

Listening to App Changes

Installer identification

Smart Protection

Smart Protection UI Customization

Obtaining App Info

Screen Sharing Detection

View product develop

Android devices are capable of sharing (mirroring) their screen with another display. A screen can be shared either wirelessly or using a cable. Screen sharing can, however, pose a security risk, as sensitive information might be leaking from app screens. Screen sharing is also a vital feature of remote desktop apps that are frequently misused by fraudsters to steal from their victims.

Malwarelytics for Android is able to detect that the screen is being shared, it can block most of the screen sharing sessions, and can be configured to notify the app or terminate the app in case an app screen is shared.

Configuration

This feature can be configured during the Malwarelytics initialization phase:

val raspConfig = RaspConfig.Builder()
    .screenSharing(
        ScreenSharingConfig.Builder()
            .blockAction(BlockConfig)
            .blockLayout(ScreenSharingConfig.BlockLayout)
            .detectionAction(DetectionConfig)
            .build()
    )
    // configuration of other RASP features
    .build()
Method Description
blockAction(BlockConfig) specifies the automatic behavior of the screen sharing blocking feature. Defaults to BlockConfig.Block.
blockLayout(ScreenSharingConfig.BlockLayout) defines the layout used for blocking screen sharing. Defaults to ScreenSharingConfig.BlockLayout.BasicSplash(), which is an empty white screen.
detectionAction(DetectionConfig) specifies the automatic behavior of the screen sharing detection feature. Defaults to DetectionConfig.Notify.

Available values of BlockConfig:

Value Description
NoAction indicates that screen sharing will not be automatically blocked.
Block indicates that screen sharing will be automatically blocked.

Available values of the ScreenSharingConfig.BlockLayout are:

Value Description
BasicSplash(
@ColorInt color:Int,
appIcon:Boolean,
appName:Boolean		 indicates the usage of a single color splash screen that can optionally contain the app icon and the app name. The color defaults to Color.WHITE, appIcon and appName defaults to false.
CustomLayout(
@LayoutRes layout:Int)		 indicates the usage of custom layout resource.

List of available parameters for BlockLayout config values:

Parameter Description
@ColorInt color: Int defines the single color used for the blocking screen background. Defaults to Color.WHITE.
appIcon: Boolean indicates whether to show the app icon on the blocking screen. Defaults to false.
appName: Boolean indicates whether to show the app name on the blocking screen. Defaults to false.

Available values of DetectionConfig:

Value Description
NoAction indicates that screen sharing will not be automatically detected. A manual check is still possible.
Notify indicates that screen sharing will be automatically detected and observers will be notified.
Exit(
exitUrl: String?)		 indicates that screen sharing will be automatically detected and the app will be terminated when a screen sharing or a transient change of display addition is automatically detected.

Screen sharing detection defaults to DetectionConfig.Notify.

List of available parameters for some values of DetectionConfig:

Parameter Description
exitUrl: String? defines the URL to be opened when the app is terminated because of the automatic detection. Defaults to null.

Usage

After initialization, the screen sharing blocking feature is used based on the configuration. The screen sharing detection feature can be accessed via RaspManager. This can be used to register an observer or to trigger a manual screen sharing detection check.

The screen sharing blocking feature works independently of the screen sharing detection feature.

The screen sharing blocking feature cannot access and block the task thumbnail (the preview of the running app in the Recent apps screen that is managed by the system). To address this issue, it is recommended to combine with the screenshot blocking feature. Usage of both blocking features provides the best results.

Registering an Observer

The screen sharing detection can trigger a certain action. To achieve that, an observer needs to be configured and registered.

Observer configuration:

val raspObserver = object : RaspObserver {
    // The callback is delivered on a background thread
    override fun onScreenSharingDetected(screenSharingDetection: ScreenSharingDetection) {
        // Handle screen sharing detection
    }
    // Handle detection of other RASP features
}

The observer can be registered in RaspManager. When it is no longer needed, it can be unregistered again.

raspManager.registerRaspObserver(raspObserver)
raspManager.unregisterRaspObserver(raspObserver)

The ScreenSharingDetection data class contains the following properties:

Property Description
isProblematic: Boolean indicates whether the detection result is problematic for the app. A problematic detection means that a screen is being shared (isScreenShared is true) or a display has just been added, transientData property contains TransientScreenSharingData.displayChange set to DISPLAY_ADDITION).
isScreenShared: Boolean indicates whether a device screen is currently being shared (mirrored) elsewhere.
numberOfDisplays: Int indicates the number of detected displays on which the content is displayed.
androidAutoDetection: AndroidAutoDetection contains Android Auto detection data (contents described in Android Auto Detection Data.
transientData: TransientScreenSharingData? contains transient data that contains information about detected transient changes (more detail in Transient Detection Data.
isTransientChange: Boolean indicates whether the detection result signifies a transient change. That means transientData indicates either display addition or display removal.

The nested ScreenSharingDetection.TransientScreenSharingData data class contains the following properties:

Property Description
displayChange: DisplayChange indicates the type of display change that occurred - either a display addition or a display removal.
displayId: Int contains the ID of the added or removed display.

Available values of ScreenSharingDetection.DisplayChange

Value Description
DISPLAY_ADDITION A display was added.
DISPLAY_REMOVAL A display was removed.

Triggering a Manual Check

The screen sharing detection check can be triggered manually in RaspManager. Two methods are available – isScreenShared() gives a simple boolean answer, whereas getScreenSharingDetection() provides more details.

val screenSharingDetection: ScreenSharingDetection = raspManager.getScreenSharingDetection()
val isScreenShared: Boolean = raspManager.isScreenShared()

Transient Detection Data

Detection data provided by the screen sharing detection feature are of two kinds - non-transient and transient. Non-transient data are both delivered via the RaspObserver.onScreenSharingDetected(ScreenSharingDetection) callback and can be queried via methods provided by the RaspManager. On the other hand, transient data are only delivered via the above-mentioned observer method. Transient data cannot be manually queried (and verified).

Unfortunately, screen sharing performed by some applications generates only transient data, which is either the detection of an added display or a removed display. These are typically virtual displays created by other apps.

The screen sharing blocking feature is able to block only non-transient detections; transient detections are not accessible for the blocking feature.

The returned data class ScreenSharingDetection contains the isScreenShared: Boolean property that is the primary indicator of a shared screen. This property contains only non-transient data. Some detections contain transient data in the transientData property.

As a simplification, the ScreenSharingDetection also contains isProblematic: Boolean and isTransientChange: Boolean properties. The first indicates whether the screen is being shared or a display was just added. The second indicates whether the detection contains a transient change. The transientData property contains information about the added or removed display.

Android Auto Detection

Android Auto detection data were added to the screen sharing detection data. These data are non-transient. They are both delivered in the observer callback and can be queried manually. They can also be queried independently (more detail in Android Auto Detection documentation).

Changes to the Android Auto connection also trigger the observer callback for screen sharing detection.

More information on general RASP feature configuration and usage can be found in this overview.

Last updated on Sep 23, 2025 (10:11) View product
On this page:
Search

develop

Malwarelytics for Android