# How Our Partnership With Gen Digital Enabled Malware Detection v2 Powered by Avast and Norton DBs

The Talsec SDK just received the **Malware Detection v2** update that allows you to move from "*This app looks suspicious*" to "*This app is malicious,*" enabling app developers to block access on truly infected devices. Our community has been requesting the ability to automate security enforcement without the fear of blocking legitimate customers for a long time, and there’s a story behind it.

Beyond our core mobile security RASP territory (root detection, Frida detection, app integrity checks, etc.), we’ve always wanted to master the malware detection field so that it matches our deep understanding of Android risks. Our Malware Detection (v1) engine has been in the field since those early days, using heuristics to flag suspicious properties such as dangerous permissions or untrusted sources. It has been highly effective at uncovering zero-day threats, but it was essentially 'Chapter One', which we’ve finally been able to complete with v2.

*See the v2 product page to learn features and use-cases:* [*https://docs.talsec.app/premium-products/product/malware-detection*](https://docs.talsec.app/premium-products/product/malware-detection)

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2Ft6AVQy85i1o9IXkea30G%2FMDv2%20CTO.png?alt=media&#x26;token=b83bf367-96d3-49ca-aab1-f7076a0a9fc6" alt=""><figcaption></figcaption></figure>

#### The Malware Database Challenge

A few years ago, when we first started working on our Malware Detection extension, we realized we were at a crossroads. We could take the heuristic route (which we did)—identifying zero-day attacks by flagging apps requesting SMS permissions via ADB or holding `REQUEST_INSTALL_PACKAGES`. This remains vital for catching evolving malware that hasn't been indexed yet.

The alternative was a malware database (DB) approach. We tried to bridge this gap by engaging with the security community and major players, but at the time, access to the world’s leading threat intelligence providers was simply out of reach for a specialized team like ours.

*I even found an artifact in my desk drawer the other day: a dusty 2TB HDD with a "Nuclear Danger" sticker, holding a static snapshot of a malware database from that era. The millions of hashes on that drive have almost zero value today, but it’s a reminder of what we wanted to build but couldn’t yet scale:*

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FaWkwtQH3gG8eYjxGei70%2F20260420_133858.jpg?alt=media&#x26;token=e0b1386d-15f1-4027-992e-55261f3fc2e7" alt=""><figcaption><p>Note to future self: Don't leave malware hard drives lying around the office. 🙃</p></figcaption></figure>

#### Partnership with Gen Digital & The Birth of v2

This year, as the demand for a real-time malware database became undeniable, everything fell into place. Through a mix of luck and persistence, our team connected with a true titan in threat intelligence: **Gen Digital,** the powerhouse behind **Avast, Norton, and Avira**. Gen operates a global, cloud-based system that classifies files in real time. Behind it is an online database holding metadata on hundreds of millions of files and a set of innovative algorithms that help decide whether a file is potentially dangerous. Their API allows the Talsec SDK to verify app hashes and receive a classification in milliseconds.

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FRxACXmVRmaZugkSL5Wvm%2FGen-Family-Lockup-Horizontal-Stacked-Light-RGB-Web.png?alt=media&#x26;token=75be5d53-8695-49f9-b1c4-55994e937c01" alt=""><figcaption><p><em>The Gen, Norton and Avast logos are the property of Gen Digital Inc. and are used here solely for reference and identification purposes. src:</em> <a href="https://www.gendigital.com/us/en/">https://www.gendigital.com/us/en/</a></p></figcaption></figure>

Suddenly, the state-of-the-art malware intelligence we had been striving for was accessible. With this level of intelligence finally at our fingertips, the team started coding immediately. We rewired the internals of our SDK Malware Detection engine to allow for live, online malware checks. After a total engine overhaul and rigorous testing, we introduced Malware Detection v2. It’s no longer a choice between heuristics and databases—it’s a hybrid framework that addresses both known and unknown threats.

You now have granular control:

* **Offline Mode:** Stick to the classic heuristic scanning for privacy or offline-first needs.
* **High-Confidence Online Mode:** Check against a live global database to identify known malware with near-zero false positives.
* **High-Security Online Mode:** The recommended setup for high-stakes environments like banking or payments. This combines API-verified detection with permission-based zero-day flagging.
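To make the three modes concrete, here is an added illustration of the hybrid decision logic (it is not the Talsec SDK API; the permission names, the trusted-installer set and the mocked hash database are assumptions constructed for the example):

```python
import hashlib
from enum import Enum

# Hypothetical model of the hybrid framework described above, not the Talsec SDK API.
class Mode(Enum):
    OFFLINE = "offline"                          # heuristics only
    HIGH_CONFIDENCE_ONLINE = "high_confidence"   # online DB verdict only
    HIGH_SECURITY_ONLINE = "high_security"       # online DB verdict + heuristics

# Assumed heuristic signals: the article mentions SMS permissions and REQUEST_INSTALL_PACKAGES.
RISKY_PERMISSIONS = {"android.permission.REQUEST_INSTALL_PACKAGES",
                     "android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
TRUSTED_INSTALLERS = {"com.android.vending"}   # assumption: only Play Store installs are "trusted"

# Constructed stand-in for the online DB: APK SHA-256 -> classification.
MOCK_ONLINE_DB = {
    hashlib.sha256(b"constructed-malicious-apk").hexdigest(): "malicious",
    hashlib.sha256(b"constructed-clean-apk").hexdigest(): "clean",
}

def heuristic_flags(app):
    """Offline heuristics: list the suspicious properties of an installed app."""
    flags = []
    if app["installer"] not in TRUSTED_INSTALLERS:
        flags.append("sideloaded")
    risky = sorted(RISKY_PERMISSIONS & set(app["permissions"]))
    if risky:
        flags.append("dangerous_permissions:" + ",".join(risky))
    return flags

def online_verdict(apk_bytes, db=MOCK_ONLINE_DB):
    """Hash lookup against the (mocked) online DB; None means the hash is unknown."""
    return db.get(hashlib.sha256(apk_bytes).hexdigest())

def classify(app, mode):
    """Return 'malicious' (known, safe to block), 'suspicious' (heuristic hit) or 'clean'."""
    flags = heuristic_flags(app) if mode != Mode.HIGH_CONFIDENCE_ONLINE else []
    verdict = online_verdict(app["apk"]) if mode != Mode.OFFLINE else None
    if verdict == "malicious":
        return "malicious"       # confirmed by the DB: enforcement can be automated
    if flags:
        return "suspicious"      # zero-day heuristics only: flag, do not block outright
    return "clean"               # note: an unreachable DB also yields None, treat it as unknown

# Constructed sample: sideloaded, reads SMS, and its hash is known to the mocked DB.
SAMPLE_APP = {"apk": b"constructed-malicious-apk", "installer": "com.example.thirdparty",
              "permissions": ["android.permission.READ_SMS"]}

def demo():
    return {mode.value: classify(SAMPLE_APP, mode) for mode in Mode}
```

Running `demo()` shows the same app reported as "suspicious" offline but "malicious" in both online modes, which is the "looks suspicious" to "is malicious" step the article describes.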

#### Wrapping up: Defending Against Malware Threats

With v2, the Talsec SDK is well equipped to identify all kinds of high-risk apps: RATs and banking trojans that cause session hijacking or credential theft; accessibility-misuse malware that performs unauthorized screen reading or clicks; keyloggers and SMS forwarders; video injection tools used for KYC fraud; and common tools such as TeamViewer or AnyDesk that are often abused for remote assistance fraud.

*See the Talsec Malware Detection SDK in action. These demos, which I recorded some time ago, showcase how the SDK identifies specific threats in real time on Android devices:*

* *Keyloggers Detection Demo*: <https://youtu.be/ibexWkRIfLg?si=8uHwyc70LGeWrACh&t=844>
* *Remote Access Tools Detection Demo*: <https://youtu.be/ibexWkRIfLg?si=ykiAXJaBL5ApVrwe&t=1095>
* *SMS Forwarders Detection Demo*: <https://youtu.be/ibexWkRIfLg?si=Gyv8BLqj0hqV3DPs&t=1237>
* *Screen Readers Detection Demo*: <https://youtu.be/ibexWkRIfLg?si=s_WuVrKSinyMHnO6&t=1332>

Some of you are already running this in your apps. If you are, I’d love to hear your thoughts in the comments. For everyone else: let us know if you want to see a demo.

<figure><img src="https://1548930415-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNjTFXsqCLQ3RU2oA2uHC%2Fuploads%2FuqRCsqrG1fyGmIHuvScg%2FScreenshot%202026-04-20%20at%2014.20.59.png?alt=media&#x26;token=a49da422-88be-4cf1-a88e-4a074b8f0afd" alt=""><figcaption><p>Typical malware: Sideloaded, has suspicious permissions and is confirmed to be malicious by online DB</p></figcaption></figure>

Happy Hacking to all Talsec friends :thumbsup: !

*written by Tomas Soukal, Talsec Team*
