Active Call Detection

Social engineering scams pose a serious problem for today’s banking and fintech apps. Malicious actors try to trick users into sending money away or into performing other harmful activities, such as approving access to their accounts. This is often performed by direct phone calls. The actor first gains the user’s trust and then instructs him/her directly to perform a harmful action. For this reason, active call detection is an integral part of a financial app. The app can use the detection to prevent the user from doing sensitive operations while off-hook.

Malwarelytics for Apple is able to detect active calls.

Configuration

let raspConfig = AppProtectionRaspConfig(
    callDetection: SimpleDetectionConfig
    // configuration of other RASP features
)

Available values of SimpleDetectionConfig:

Value Description
.noAction indicates that an active call will not be automatically detected. A manual check is still possible.
.notify indicates that an active call will be automatically detected and the delegates will be notified via the onCallChanged(Bool) method.

Active call detection defaults to .notify.

Usage

After service creation, the active call detection feature can be accessed via AppProtectionRasp. This can be used to add a delegate or to trigger a manual active call detection check.

Observing Detection

Active call detection can trigger a certain action. To achieve that, a delegate needs to be added.

Delegate configuration:

class RaspDelegate: AppProtectionRaspDelegate {

    // other delegate code

    func onCallChanged(callDetection: CallDetection) {
        // handle active call detection
    }
}

The delegate can be added in AppProtectionRasp. When it is no longer needed, it can be removed again.

let raspDelegate = RaspDelegate()
appProtection.rasp.addDelegate(raspDelegate)
appProtection.rasp.removeDelegate(raspDelegate)

The returned CallDetection struct contains the following properties:

Property Description
isOnCall: Bool indicates whether there is an ongoing call.
isOutgoing: Bool indicates whether there is an outgoing ongoing call.
isIncoming: Bool indicates whether there is an incoming ongoing call.

Ongoing calls are reported even when the call hasn’t been connected yet. This means a ringing device is reported as an ongoing and incoming call. And dialing another device is reported as an ongoing and outgoing call.

There might be multiple ongoing calls at the same time. It’s possible to have an outgoing and an incoming call at the same time.

Triggering a Manual Check

Active call detection check can be triggered manually in AppProtectionRasp by one of two available properties. The app can either get the isOnCall property value, which gives a simple Bool answer. Or the app can get more complex data by getting the callDetection property value, which returns data in the CallDetection structure.

let isOnCall: Bool = appProtection.rasp.isOnCall
let callDetection: CallDetection = appProtection.rasp.callDetection

More information on general RASP feature configuration and usage can be found in this overview.

Last updated on May 22, 2025 (16:25) View product
Search

develop

Malwarelytics for Apple