Blacklists

Each application, whose specification is defined in one of the blacklists and is found on the device, is returned in the scan results.

There are three types of blacklists:

Package Name Based
Hash Based
Permission Based

You can omit a specific blacklist if you don't want to use it.

Package Name Based Blacklist

A package name blacklist contains a list of package names which you consider as suspicious (or malware).

Each application, whose package name is defined in the blacklist and is found on the device, is returned in the scan results.

If the application is flagged as suspicious, the scan result will show reason value set as blacklist.

Setting up blacklist

TalsecConfig config = new TalsecConfig.Builder(context.getPackageName(), new String[] {CERTIFICATE_HASH})
        .blacklistedPackageNames(new String[]{"com.example.app"})
        .build();

final config = TalsecConfig(
  androidConfig: AndroidConfig(
    malwareConfig: MalwareConfig(
      blacklistedPackageNames: ['com.example.app'],
    ),
    // Other config data
  ),
  // Other config data
);

Hash Based Blacklist

A hash-based blacklist contains a list of SHA-256 hashes of the application APK which you consider as suspicious (or malware).

Each application, whose APK hash is defined in the blacklist and is found on the device, is returned in the scan results.

Scanning may take longer when using a hash-based blacklist, as the APK hash must be computed for each app on the device, which can be an expensive operation.

If the application is flagged as suspicious, the scan result will show reason value set as blacklist.

Setting up blacklist

TalsecConfig config = new TalsecConfig.Builder(context.getPackageName(), new String[] {CERTIFICATE_HASH})
        .blacklistedHashes(new String[]{"exampleHash"})
        .build();

final config = TalsecConfig(
  androidConfig: AndroidConfig(
    malwareConfig: MalwareConfig(
      blacklistedHashes: ['exampleHash'],
    ),
    // Other config data
  ),
  // Other config data
);

Calculating Hash of the APK

There are many ways how to compute the SHA-256 hash of the APK; for instance, on Unix, you can use:

shasum -a 256 yourfile.apk

Suspicious Permissions list

A suspicious permissions list contains a list of permission lists which you consider suspicious when granted to an application.

The suspicious permissions have to be granted, not just requested by the application, for it to be considered suspicious and returned in the scan results.

Each list contains a group of permissions. For an application to be marked as suspicious, all permissions in given group must be granted:

// Blacklist of permissions
[
    // List (group) of permissions
    // Application is suspicious if it has *GRANTED* all of permissions from 
    // given group
    ["android.provider.Telephony.SMS_RECEIVED", "android.permission.SEND_SMS"]
    ["android.permission.READ_CALL_LOG"]
]

If the application is flagged as suspicious, the scan result will show reason value set as suspiciousPermission.

To reduce the amount of false positives, we also check whether the application with suspicious permissions is installed from an untrusted installation source.

Untrusted installation source is a source that was not whitelisted using installation source whitelist. More about whitelists here.

Setting up suspicious permissions list

TalsecConfig config = new TalsecConfig.Builder(context.getPackageName(), new String[][] {CERTIFICATE_HASH})
        .suspiciousPermissions(new String[][]{{"android.permission.ACCESS_COARSE_LOCATION"}})
        .build();

final config = TalsecConfig(
  androidConfig: AndroidConfig(
    malwareConfig: MalwareConfig(
      suspiciousPermissions: [
        ['android.permission.ACCESS_COARSE_LOCATION']
      ],
    ),
    // Other config data
  ),
  // Other config data
);

const config = {
  androidConfig: {
    malwareConfig: {
      suspiciousPermissions: [
        ['android.permission.ACCESS_COARSE_LOCATION']
      ],
    },
    // Other config data
  }
  // Other config data
}

const config = {
  androidConfig: {
    malwareConfig: {
      suspiciousPermissions: [
        ['android.permission.ACCESS_COARSE_LOCATION']
      ],
    },
    // Other config data
  }
  // Other config data
}

const config = {
  androidConfig: {
    malwareConfig: {
      suspiciousPermissions: [
        ['android.permission.ACCESS_COARSE_LOCATION']
      ],
    },
    // Other config data
  }
  // Other config data
}

PreviousDetection Handling NextWhitelists

Last updated 11 months ago

hashtagPackage Name Based Blacklist

hashtagSetting up blacklist

hashtagHash Based Blacklist

hashtagSetting up blacklist

hashtagCalculating Hash of the APK

hashtagSuspicious Permissions list

hashtagSetting up suspicious permissions list

Package Name Based Blacklist

Setting up blacklist

Hash Based Blacklist

Setting up blacklist

Calculating Hash of the APK

Suspicious Permissions list

Setting up suspicious permissions list