Malware Threat Identification
Malwarelytics for Android can list and analyze the apps installed on the device (both preloaded and user-installed).
Malware identification happens both locally and remotely.
The SDK contains a small engine that analyzes installed apps locally, and it downloads suggestions (remote evaluations) provided by the backend server.
Both sources of information are used to evaluate the apps.
Evaluation of Apps
When smart protection is enabled, the apps are evaluated automatically.
Nevertheless, the SDK offers ways to evaluate apps manually. Apps installed on the device can be evaluated manually with a simple call:
val evaluatedList = antivirus.evaluateThreats()
The returned list contains evaluated ApkThreat instances that carry information about the threats each app poses.
The SDK categorizes the threat each app potentially poses to other apps, the device and the user. Five levels of threat (threat index) are recognized:
SAFE - Apps that are harmless.
POTENTIALLY_UNWANTED_APPS - Generally harmless apps that request and utilize potentially problematic permissions or system features.
DANGEROUS - Apps that are problematic in some way but not especially harmful to other apps or the device user. Typical examples are adware, scareware, risktool or a non-malicious packed app.
HIGHLY_DANGEROUS - Apps that are dangerous and harmful, but the potential damage is not that high. These apps typically utilize system resources in an undesired or annoying manner. Typical examples are riskware or hidden adware (Hiddad).
MALWARE - Malware apps that are extremely dangerous and harmful. Typical examples are trojans, trojan-bankers, backdoors or spyware.
It is recommended that apps perform some kind of mitigation when they encounter an app in the HIGHLY_DANGEROUS or MALWARE category.
The SDK also flags problematic features and provides other important information about analyzed apps.
ACCESSIBILITY - The app has access to accessibility services. It can see the contents of other apps, or it can perform actions on its own. This means it can potentially see the contents of your app and perform actions in other apps without the user knowing.
SMS_ACCESS - The app has access to the contents of text messages. This is especially problematic when sensitive data such as authorization codes are delivered via SMS.
SCREEN_OVERRIDE - The app can override the UI of other apps. This means it can potentially present a fake UI that imitates other apps.
INSTALLER - The app can request installation of other apps. This can potentially lead to the installation of harmful apps from outside Google Play.
UNINSTALLER - The app can request uninstallation of other apps. Malware apps can use this to get rid of obstacles such as antivirus apps, or, in combination with installer capabilities, to replace a genuine app with a fake one.
EVADER - The app tries to hide its code. It uses advanced techniques, such as hiding classes (including public API classes) and loading them at runtime. This technique is frequently used by malware.
OUTSIDE_GOOGLE_PLAY - The app was not installed from Google Play. This reason has rather low significance because there are other app stores (many OEMs have their own) and because it can be spoofed.
CALLER - The app can manipulate your calls. It can, for example, set up call forwarding.
PRELOADED_APP - The app is preloaded on the device. Informative.
PRIVILEGED_APP - The app has extended (system) privileges. Informative.
DEVELOPMENT_OR_TEST - The app is a development build or a test build. These apps usually appear only on devices meant for development and should not normally be present on end-user devices. Informative.
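The following is an added example of how an integrating app might act on the result of evaluateThreats() together with the threat index and the flags described above; it is not code from the Malwarelytics SDK. The EvaluatedApp class is a stand-in for the SDK's ApkThreat (its property names packageName, threatIndex and flags are assumptions, as is the mapping from a real ApkThreat), the sample list is constructed, and the REVIEW rule below reflects one app's own policy rather than anything the SDK prescribes.

```kotlin
// Added example; not part of the Malwarelytics SDK.

enum class ThreatIndex {
    SAFE, POTENTIALLY_UNWANTED_APPS, DANGEROUS, HIGHLY_DANGEROUS, MALWARE
}

enum class ThreatFlag {
    ACCESSIBILITY, SMS_ACCESS, SCREEN_OVERRIDE, INSTALLER, UNINSTALLER, EVADER,
    OUTSIDE_GOOGLE_PLAY, CALLER, PRELOADED_APP, PRIVILEGED_APP, DEVELOPMENT_OR_TEST
}

// Hypothetical stand-in for one evaluated ApkThreat; property names are assumptions.
data class EvaluatedApp(
    val packageName: String,
    val threatIndex: ThreatIndex,
    val flags: Set<ThreatFlag>
)

enum class Decision { MITIGATE, REVIEW, IGNORE }

data class Triage(val app: EvaluatedApp, val decision: Decision, val reason: String)

// Flags the SDK documents as purely informative: they never drive a decision here.
private val INFORMATIVE = setOf(
    ThreatFlag.PRELOADED_APP, ThreatFlag.PRIVILEGED_APP, ThreatFlag.DEVELOPMENT_OR_TEST
)

// Assumption about the integrating app: it delivers one-time codes over SMS and
// shows sensitive screens, so these capabilities matter to it even in apps the
// SDK does not rate as HIGHLY_DANGEROUS.
private val SENSITIVE_TO_US = setOf(
    ThreatFlag.SMS_ACCESS, ThreatFlag.SCREEN_OVERRIDE, ThreatFlag.ACCESSIBILITY
)

fun triage(app: EvaluatedApp): Triage {
    // Documented recommendation: mitigate on HIGHLY_DANGEROUS or MALWARE.
    // Kotlin enums are Comparable by declaration order, so >= works here.
    if (app.threatIndex >= ThreatIndex.HIGHLY_DANGEROUS) {
        return Triage(app, Decision.MITIGATE, "threat index ${app.threatIndex}")
    }
    val meaningful = app.flags - INFORMATIVE
    val hits = meaningful intersect SENSITIVE_TO_US
    // Own policy: a non-SAFE app that can read our SMS codes or draw over our
    // screens is sent to manual review rather than blocked outright.
    if (hits.isNotEmpty() && app.threatIndex != ThreatIndex.SAFE) {
        return Triage(app, Decision.REVIEW, "flags ${hits.joinToString()}")
    }
    // OUTSIDE_GOOGLE_PLAY alone is low-significance and spoofable, so it is ignored.
    return Triage(app, Decision.IGNORE, "below threshold")
}

fun triageAll(apps: List<EvaluatedApp>): Map<Decision, List<Triage>> =
    apps.map(::triage).groupBy { it.decision }

fun main() {
    // Constructed sample standing in for the result of antivirus.evaluateThreats().
    val sample = listOf(
        EvaluatedApp("com.example.messenger", ThreatIndex.SAFE, setOf(ThreatFlag.SMS_ACCESS)),
        EvaluatedApp("com.example.launcher", ThreatIndex.SAFE,
            setOf(ThreatFlag.PRELOADED_APP, ThreatFlag.PRIVILEGED_APP)),
        EvaluatedApp("com.example.sideloaded", ThreatIndex.POTENTIALLY_UNWANTED_APPS,
            setOf(ThreatFlag.OUTSIDE_GOOGLE_PLAY)),
        EvaluatedApp("com.example.overlay", ThreatIndex.DANGEROUS,
            setOf(ThreatFlag.SCREEN_OVERRIDE, ThreatFlag.ACCESSIBILITY)),
        EvaluatedApp("com.example.hiddad", ThreatIndex.HIGHLY_DANGEROUS, setOf(ThreatFlag.EVADER)),
        EvaluatedApp("com.example.banker", ThreatIndex.MALWARE,
            setOf(ThreatFlag.SMS_ACCESS, ThreatFlag.SCREEN_OVERRIDE, ThreatFlag.OUTSIDE_GOOGLE_PLAY))
    )
    for ((decision, entries) in triageAll(sample)) {
        println("$decision:")
        entries.forEach { println("  ${it.app.packageName} (${it.reason})") }
    }
}
```

With the sample above, the two apps rated HIGHLY_DANGEROUS and MALWARE land in MITIGATE regardless of their flags, the DANGEROUS overlay app goes to REVIEW because of its screen-override and accessibility capabilities, and the SAFE messenger, the informative-only launcher and the sideloaded app are ignored. Keeping the SDK's threshold and the app's own flag policy as two separate rules makes it easy to tighten the latter without second-guessing the SDK's classification.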
Other Identified Information
There are some other bits of information the SDK can provide.
The SDK recognizes a few frequently used installers. Besides identifying Google Play installs, it can identify a few other popular Android stores.
In some cases the SDK is able to determine the name of a detected malware family.