Screen Sharing Detection

Android devices are capable of sharing (mirroring) their screen with another display. A screen can be shared either wirelessly or using a cable. Screen sharing can, however, pose a security risk, as sensitive information might be leaking from app screens.

Malwarelytics for Android is able to detect that the screen is being shared and can be configured to terminate the app in such a case.


This feature can be configured during the Malwarelytics initialization phase:

val raspConfig = RaspConfig.Builder()
    // configuration of other RASP features

Available values of DetectionConfig:

Value Description
NoAction indicates that screen sharing will not be automatically detected. A manual check is still possible.
Notify indicates that screen sharing will be automatically detected and observers will be notified.
indicates that screen sharing will be automatically detected and the app will be terminated when a screen sharing or a transient change of display addition is automatically detected.

Screen sharing detection defaults to DetectionConfig.Notify.

List of available parameters for some config values:

Parameter Description
exitUrl:String? defines the URL to be opened when the app is terminated because of the automatic detection. Defaults to null.


After initialization, the screen sharing detection feature can be accessed via RaspManager. This can be used to register an observer or to trigger a manual screen sharing detection check.

Registering an Observer

The screen sharing detection can trigger a certain action. To achieve that, an observer needs to be configured and registered.

Observer configuration:

val raspObserver = object : RaspObserver {
    override fun onScreenSharingDetected(screenSharingDetection: ScreenSharingDetection) {
        // handle screen sharing detection
    // handle detection of other RASP features

The observer can be registered in RaspManager. When it is no longer needed, it can be unregistered again.


Triggering a Manual Check

Screen sharing detection check can be triggered manually in RaspManager. Two methods are available – isScreenShared() gives a simple boolean answer, whereas getScreenSharingDetection() provides more details.

val screenSharingDetection = raspManager.getScreenSharingDetection()
val isScreenShared = raspManager.isScreenShared()

Transient Detection Data

Detection data provided by the screen sharing detection feature are of two kinds - non-transient and transient. Non-transient data are both delivered via the RaspObserver.onScreenSharingDetected(ScreenSharingDetection) callback and can be queried via methods provided by the RaspManager. On the other hand, transient data are only delivered via the above-mentioned observer method. Transient data cannot be manually queried (and verified).

Unfortunately, screen sharing performed by some applications generates only transient data, which is either the detection of an added display or a removed display.

The returned data class ScreenSharingDetection contains the isScreenShared: Boolean property that is the primary indicator of a shared screen. This property contains only non-transient data. Some detections contain transient data in the transientData property.

As a simplification, the ScreenSharingDetection also contains isProblematic:Boolean and isTransientChange:Boolean properties. The first indicates whether the screen is either shared or a display was just added. The second indicates whether the detection contains a transient change. The transientData property contains a data class with details about the transient change that was just detected. Namely displayAdded and displayRemoved properties indicating whether a display has just been added or removed.

More information on general RASP feature configuration and usage can be found in this overview.

Last updated on Feb 06, 2024 (11:36) View product


Malwarelytics for Android