Smart Protection

Various customization degrees are possible when integrating Malwarelytics into an app. For full control over its behavior, raw APIs — observers and method calls — can be used. An entirely different approach is a hassle-free SDK integration using the built-in Smart Protection system.

Smart Protection is a set of behavior patterns that are enabled by default. These patterns include a periodic evaluation of apps installed on the device, suggestion updates, initial scans, and an automatic evaluation of app changes.

There are two basic modes of operation:

  1. Silent mode — default option. It does not show any UI but simply keeps the data up to date with the remote console.

  2. Non-silent mode — facilitates automatic mitigation of detected threats. The available options are:

    • Display an app screen with a list of dangerous apps.
    • Display a notification about a dangerous app.

Configuration

Smart Protection can be configured to some extent using the SmartProtectionConfig settings in the AntivirusConfig.Builder.

val smartProtectionConfig = AntivirusConfig.SmartProtectionConfig.Builder()
    .smartProtectionEnabled(true)
    .silentModeEnabled(true)
    .smartProtectionIntervalHours(72)
    .performInitialFirstUpdate(true)
    .build()

val antivirusConfig = AntivirusConfig.Builder()
    // other Anti-Malware feature configuration
    .smartProtectionConfig(smartProtectionConfig)
    .build()

Learn about UI customization of Smart Protection elements in this article.

Information about Updates and Troubleshooting

Smart Protection performs automatic updates that are hidden from the integrating app. In some cases, the app needs to react to freshly updated data or obtain some update information, or the app developers need to investigate a problem.

For this reason, the SDK offers:

  1. Update observer.
  2. Info data about the last successful and unsuccessful updates.

Registering an Update Observer

The application can register an UpdateObserver to get notified about performed updates. The observer callback provides info data about the finished update. The observer configuration:

val updateObserver = object : UpdateObserver {
   override fun onSuggestionUpdated(observedUpdateInfo: ObservedUpdateInfo) {
       // handle observedUpdateInfo
   }
}

The observer can be registered in UpdateManager which is accessible via the Antivirus class.

val updateManager = AppProtection.getInstance().getAntivirus().getUpdateManager()
updateManager.registerUpdateObserver(updateObserver)

When it is no longer needed, the observer can be unregistered again.

updateManager.unregisterUpdateObserver(updateObserver)

The ObservedUpdateInfo data class has the following properties:

| Property | Description |
|---|---|
| updateResult: UpdateResult | Update result. One of SUCCESS, PARTIAL_SUCCESS, or FAILURE. |
| updateType: UpdateType | Type of update. Either FULL or PARTIAL. |
| checkedApps: List<String> | List of apps that were checked in the update. The apps are identified by their application IDs (package names). |
| updatedApps: List<String> | List of apps that were updated in the update. The apps are identified by their application IDs (package names). |
| failureReason: String? | String representation of an error that occurred during processing of the update. |

The performed updates can have one of these results:

| UpdateResult | Description |
|---|---|
| SUCCESS | Successful update. All apps (that were checked in the update) were successfully updated without any error. |
| PARTIAL_SUCCESS | Partially successful update. Some apps were successfully updated but not all of them. The update of some apps failed for some reason. |
| FAILURE | Failed update. The update failed completely for some reason. |

The performed updates can be of these types:

| UpdateType | Description |
|---|---|
| FULL | Updates data for all apps on the device. |
| PARTIAL | Updates data for apps that were observed as changed - newly installed or updated. |

Information about Past Updates

The SDK stores some information about past updates. This information can be obtained by calling:

val antivirus = AppProtection.getInstance().getAntivirus()
val updateInfo = antivirus.getUpdateManager().getLastUpdateInfo()

The UpdateInfo data class has the following properties:

| Property | Description |
|---|---|
| successfulUpdates: Map<UpdateType, UpdateInfoSuccess> | Map of success info data for each UpdateType. |
| failedUpdates: Map<UpdateType, UpdateInfoFailure> | Map of failure info data for each UpdateType. |

Updates with the result UpdateResult.PARTIAL_SUCCESS are counted as failed updates here.

The UpdateInfoSuccess data class contains the following properties:

| Property | Description |
|---|---|
| lastSuccessTimestamp: Long? | Unix timestamp of the last successful update, or null if there has been no successful update yet. |
| lastSuccessCheckCount: Int | Number of checked apps in the last successful update, or 0 if there has been no successful update yet. |
| lastSuccessUpdatedCount: Int | Number of updated apps in the last successful update, or 0 if there has been no successful update yet. |

The UpdateInfoFailure data class contains the following properties:

| Property | Description |
|---|---|
| lastFailureTimestamp: Long? | Unix timestamp of the last failed update, or null if there has been no failed update yet. |
| lastFailureReason: String? | String representation of a failure reason of the last failed update, or null if there has been no failed update yet. |
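
An added example (not part of the SDK or its documentation): a health check over getLastUpdateInfo() that reports when the threat data is stale or when the most recent update attempt did not fully succeed. UpdateHealth, toMillis and assessUpdateHealth are hypothetical names; the seconds-versus-milliseconds handling and the use of the 72-hour interval as the freshness limit are assumptions.

```kotlin
// Added example, not SDK code. SDK imports are omitted because the page does not
// show the package paths; UpdateInfo and UpdateType are the SDK types described above.
import java.util.concurrent.TimeUnit

/** Hypothetical verdict type for this example. */
sealed class UpdateHealth {
    object Fresh : UpdateHealth()
    object NeverUpdated : UpdateHealth()
    data class Stale(val ageHours: Long) : UpdateHealth()
    data class LastAttemptFailed(val reason: String?) : UpdateHealth()
}

// Assumption: the page only says "Unix timestamp". Values too small to be
// present-day milliseconds are treated as seconds and converted.
private fun toMillis(ts: Long): Long = if (ts < 100_000_000_000L) ts * 1000 else ts

fun assessUpdateHealth(
    info: UpdateInfo,
    type: UpdateType = UpdateType.FULL,
    // Assumption: smartProtectionIntervalHours(72) is the period between
    // automatic updates, so data older than that is treated as stale.
    maxAgeHours: Long = 72,
    nowMillis: Long = System.currentTimeMillis()
): UpdateHealth {
    val lastSuccess = info.successfulUpdates[type]?.lastSuccessTimestamp?.let(::toMillis)
    val failure = info.failedUpdates[type]
    val lastFailure = failure?.lastFailureTimestamp?.let(::toMillis)

    // PARTIAL_SUCCESS results are recorded under failedUpdates, so a failure newer
    // than the last success means the latest attempt did not fully complete.
    if (lastFailure != null && (lastSuccess == null || lastFailure > lastSuccess)) {
        return UpdateHealth.LastAttemptFailed(failure?.lastFailureReason)
    }
    // Null timestamps on both sides: no update of this type has finished yet.
    if (lastSuccess == null) return UpdateHealth.NeverUpdated

    val ageHours = TimeUnit.MILLISECONDS.toHours(nowMillis - lastSuccess)
    return if (ageHours > maxAgeHours) UpdateHealth.Stale(ageHours) else UpdateHealth.Fresh
}

// Usage, with the accessors shown on this page:
//   val info = AppProtection.getInstance().getAntivirus().getUpdateManager().getLastUpdateInfo()
//   val health = assessUpdateHealth(info)
```

A Stale or LastAttemptFailed verdict means detections are being evaluated against outdated suggestion data, which is worth reporting to the app's own telemetry.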

Troubleshooting with Manual Updates

Malwarelytics for Android provides an API for performing manual updates. However, using this API in production is not recommended. It’s recommended to use the self-updating behavior of Smart Protection instead.

Manual updates should be used only in development to troubleshoot proper configuration or data inconsistencies.

A manual update can be either full or partial. A full manual update can be performed by calling the updateSuggestions() method:

// run on a worker thread only
val updateResult = antivirus.getUpdateManager().updateSuggestions()

Full updates are throttled. The SDK allows only a limited number of full updates during a period of time.

A partial manual update can be done by calling the updateSuggestionsForApps(Collection<String>) method with a collection of app package names (application IDs):

// run on a worker thread only
val appsToUpdate = listOf("com.example.app", "com.example.anotherapp")
val updateResult = antivirus.getUpdateManager().updateSuggestionsForApps(appsToUpdate)

The update result indicates whether the update was successful. The possible result values are:

| Value | Meaning |
|---|---|
| UpdateResult.SUCCESS | Update was successful. |
| UpdateResult.PARTIAL_SUCCESS | Update was partially successful. Some apps couldn’t be successfully updated for some reason. |
| UpdateResult.FAILURE | Update failed for some reason. |

Last updated on Jun 19, 2024 (09:04)