Antivirus Module

The Antivirus module is currently supported only on the Android platform. Therefore, before you start using it, ensure that the functionality is supported on the platform:

// The rest of this document will use the `antivirus` constant in the examples.
const antivirus = Malwarelytics.sharedInstance.antivirus;
if (!antivirus.isSupported) {
    throw new Error("Antivirus is not supported on this platform")
}

If Antivirus is available, then you can optionally test whether it’s enabled:

if (!await antivirus.isEnabled()) {
    throw new Error("Antivirus is not enabled, check your config");
}

The antivirus is by default enabled, but you can disable it in the configuration.

Evaluate threats

To get the list of all applications with evaluated threat index use:

const threats = await antivirus.getThreatList();
threats.forEach((threat) => {
    const ti = threat.threatIndex;
    if (ti == 'HIGHLY_DANGEROUS' || ti == 'MALWARE') {
        console.log(`App ${threat.packageName} is ${ti}`);
    }
});

The function above will return all apks installed on the system. To get the filtered list by minimum threat index, use:

const threats = await antivirus.getFilteredThreatList('DANGEROUS');
threats.forEach((threat) => {
    console.log(`App ${threat.packageName} is ${threat.threatIndex}`);
});

You can get more information from the list, such as detected Malware names. Check the ApkThreat interface for more details.

Threat levels

The following threat index levels are defined:

  • MALWARE
    • The found threats indicate that the app is malware.
  • HIGHLY_DANGEROUS
    • The found threats indicate that the app is highly dangerous to the current app. It uses multiple potential attack vectors including techniques directly targeting the current app.
  • DANGEROUS
    • The found threats indicate that the app is dangerous to the current app. It uses multiple potential attack vectors. However, no technique directly targeting the current app was detected.
  • POTENTIALLY_UNWANTED_APP
    • The found threats indicate that the app might be potentially dangerous. For example, it declares potentially dangerous permissions. However, it is quite possible that the app is legitimate.
  • SAFE
    • There are no found threats.
  • UNKNOWN
    • The threat is unknown. The app was probably not found. In the case of suggestions, there are none.

Listen to App Changes

The app can listen to changes in installed applications (and changes in app threats) - app installs, updates, and uninstalls. To listen to these events, you have to register a listener that implements the MalwarelyticsAndroidApkThreatListener.

await Malwarelytics.sharedInstance.antivirus.setApkThreatListener({
  onInstallDetected(apkThreat: ApkThreat): void {
    console.log(`App install observed: ${JSON.stringify(apkThreat)}`)
  }

  onUpdateDetected(apkThreat: ApkThreat): void {
    console.log(`App update observed: ${JSON.stringify(apkThreat)}`)
  }

  onUninstallDetected(packageName: string): void {
    console.log(`App uninstall observed: ${JSON.stringify(packageName)}`)
  }
});

To remove the previously set listener, use the following code:

Malwarelytics.sharedInstance.antivirus.removeApkThreatListener();

Listen to Suggestion Updates

App evaluation data obtained from the remote server are called suggestions. These data are automatically updated in the background. An app can listen to these updates.

To listen to suggestion updates, you have to register a listener that implements the MalwarelyticsAndroidUpdateListener interface.

await Malwarelytics.sharedInstance.antivirus.setUpdateListener({
  onSuggestionUpdated(info: ObservedUpdateInfo): void {
    console.log(`Update info observed: ${JSON.stringify(info)}`)
  }
});

To remove the previously set listener, use the following code:

Malwarelytics.sharedInstance.antivirus.removeUpdateListener();

Getting the Last Update Info

The antivirus API offers a method for obtaining information about the last updates.

Performed updates are of two types:

  • FULL - Suggestions for all apps were updated.
  • PARTIAL - Suggestions for only some apps were updated.

For each of these types of updates, the data contains info about the latest successful and failed updates.

The data can be obtained by using the following code:

let updateInfo = await Malwarelytics.sharedInstance.antivirus.getLastUpdateInfo();

Trigger Smart Protection Update

To trigger a Smart Protection update and evaluation use the following code:

const onlineUpdate = true;
const result = await antivirus.triggerSmartProtection(onlineUpdate);
if (!result.onlineUpdateSucceeded) {
    console.log('Update from server failed');
}
if (!result.evaluationSucceeded) {
    console.log('Evaluation failed');
}
if (result.uiDisplayed) {
    // Smart Protection screen is now displayed
}

The operation above might result in displaying a UI (based on the found threats). Note that the UI will be displayed (if the config allows it) after a small delay. That’s because the method performs update and evaluation first.

If you want to change the visual style of the displayed UI then follow the instructions in the Configuration of the Antivirus UI for Android document.

Change language

// Change the language used in the Smart Protection UI
await antivirus.setCustomLocalization('cs');
// Change back to the default language
await antivirus.setCustomLocalization(undefined);
// Get the current language
const currentLanguage = await antivirus.getCustomLocalization();
Last updated on May 27, 2024 (10:25) View product
Search

1.1.x

Malwarelytics for React Native