Anti-Malware Feature Overview

View product 2021.09 - Current Release

The Anti-Malware feature of Malwarelytics for Android provides a malware detection engine that evaluates other apps installed on the mobile device.

Configuring Anti-Malware Component

The Anti-Malware component has to be configured before it can be used. It is configured via AntivirusConfig, which is part of AppProtectionConfig:

var config = AppProtectionConfig.Builder(appContext)
    .antivirusConfig(
        AntivirusConfig.Builder()
            // …
            .build()
    )
    // …
    .build()

Configuration Options

The configuration offers several items:

val antivirusConfig = AntivirusConfig.Builder()
    .useDefaultSuggestions(Boolean)
    .smartProtectionConfig(smartProtectionConfig)
    .setThreatMitigationUIConfig(threatMitigationUIConfig)
    .setForegroundServiceNotificationFactory(notificationFactory)
    .build()

Suggestions

Suggestions are backend-provided evaluations. They greatly improve the limited local evaluation and help to avoid false positives and false negatives.

The config item useDefaultSuggestions(Boolean) tells the engine to apply a list of built-in local suggestions right after initialization. This is a very short list of suggestions that mitigate some of the high-profile false positives.

Smart Protection

Smart protection is a set of automatic detection behaviours. Their configuration is defined by the smartProtectionConfig(SmartProtectionConfig) config item.

They are described in more detail in section Smart Protection.

Smart Protection UI Customization

Malwarelytics for Android offers config items to change the look of its smart protection components. The UI customization of smart protection elements is done through setThreatMitigationUIConfig(ThreatMitigationUiConfig) and it’s described in section Smart Protection UI Customization.

Foreground Service Notifications

Android OS requires apps to be visible to users. For background processing, that means an app has to create a notification. Evaluation of other apps takes a non-zero amount of time, and in some cases it’s necessary to create such a notification.

NotificationFactory is an interface for creating notifications. It’s recommended to create an implementation and provide it through setForegroundServiceNotificationFactory(NotificationFactory). Then, when a notification is necessary, the SDK invokes the createNotification(Context) method of the provided notification factory. That way the look of the notification is in the hands of the app developer.

Runtime Usage

After initialization, the main access point for all anti-malware features is an instance of the Antivirus class. One can obtain it by calling:

val antivirus = appProtection.getAntivirus()

The Antivirus class provides methods for threat identification and getters for obtaining managers that handle various sub-topics of anti-malware, such as smart protection, suggestions and mitigations.

Smart Protection

To allow extra calls to smart protection, there’s SmartProtectionManager, which can be obtained from the Antivirus instance:

val smartProtectionManager = antivirus.getSmartProtectionManager()

The manager allows the app to perform an extra smart protection update. The update will be performed according to the configuration used in the SDK initialization.

val performOnlineUpdate = true
smartProtectionManager.performSingleSmartProtectionUpdate(performOnlineUpdate)

The optional argument indicates whether we wish to update suggestions from the backend server to get the latest and most precise data.

The manager also allows changing the default localization of UI components through the method setCustomLocalization(String). More on the topic in section Smart Protection UI Customization.

Suggestions

In certain cases it’s handy to be able to adjust suggestions locally. You can do this through SuggestionManager, which can be obtained from the Antivirus instance:

val suggestionManager = antivirus.getSuggestionManager()

Then you can set a suggestion for a certain app identified by its package name (application ID) and signature hash:

suggestionManager.setAppSuggestedThreatIndex(packageName, certSha1Hash, suggestedThreatIndex)

or you can set a suggestion for a group of apps with the same signature hash:

suggestionManager.setCertificateSuggestedThreatIndex(certSha1Digest, suggestedThreatIndex)
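
Both calls need the SHA-1 hash of the app's signing certificate, which can be read from the installed package. The following is an added example, not code from the Malwarelytics documentation or SDK: the helper name signingCertSha1 is hypothetical, and the lowercase hex encoding of the hash is an assumption to verify against the SDK reference.

```kotlin
import android.content.pm.PackageManager
import android.content.pm.Signature
import android.os.Build
import java.security.MessageDigest

// Added example: signingCertSha1 is a hypothetical helper, not an SDK function.
// Assumption: the SDK accepts the hash as lowercase hex without separators.
@Suppress("DEPRECATION") // GET_SIGNATURES / signatures are needed below API 28
fun signingCertSha1(pm: PackageManager, packageName: String): List<String> {
    val signers: Array<Signature>? = try {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            // Current signer(s) only; certificates from past key rotations are excluded.
            pm.getPackageInfo(packageName, PackageManager.GET_SIGNING_CERTIFICATES)
                .signingInfo?.apkContentsSigners
        } else {
            pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES).signatures
        }
    } catch (e: PackageManager.NameNotFoundException) {
        // Not installed, or hidden by package visibility rules on Android 11+.
        null
    }
    if (signers == null) return emptyList()

    // Hash the DER-encoded certificate bytes of every signer.
    return signers.map { signature ->
        MessageDigest.getInstance("SHA-1")
            .digest(signature.toByteArray())
            .joinToString("") { byte -> "%02x".format(byte) }
    }
}

// Usage with the calls shown above (suggestedThreatIndex comes from the SDK):
// signingCertSha1(context.packageManager, packageName).forEach { sha1 ->
//     suggestionManager.setAppSuggestedThreatIndex(packageName, sha1, suggestedThreatIndex)
// }
```

Binding a suggestion to the package name together with the certificate hash means a repackaged app that reuses the package name but is signed with a different key does not inherit the suggestion.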

Mitigations

Threat mitigations are accessible via MitigationManager, which can be obtained from the Antivirus instance:

val mitigationManager = antivirus.getMitigationManager()

Mitigations are described in more detail in section Malware Threat Mitigation.

Last updated on Aug 24, 2021 (19:29)