Before starting the integration, please ensure the following steps are completed.

If you there is any issue, bug or question, please do not hesitate to on the respective repository or email [email protected]. The GitHub is strongly preferred.

Furthermore, if you have any ideas for improvements or feature requests, either of the product or the documentation, contact us as well, we will be glad to hear your thoughts! 🚀

Whitelists are lists that contain data about applications which should not be flagged as malware.

There are two types of whitelist:

• Installation Source Based

• Dynamic Package Name Based

Installation Source Whitelist

An installation source whitelist contains a list of installation sources (package names) which are considered trustworthy.

We use installation source during two checks:

• standalone installation source check - any application that is installed from a source that is not whitelisted will be returned as suspicious in the scan result with the reason value set as installSource

• suspicious permissions check - as mentioned in , while checking permissions, we also check the installation source to reduce false positives. The logic is the same as in the standalone installation source check, any application installed from a source that is not whitelisted will be considered as installed from an untrusted source.

Examples of Installer Package Names

• com.android.vending Package name of Google Play Store

• com.huawei.appmarket Package name of Huawei App Gallery

• com.google.android.packageinstaller Package name of the Package Installer system app, which is responsible for managing the installation of applications on Android devices. Applications installed manually using an APK file will usually have this package name as their installation source.

Setting up whitelist

Dynamic Package Name Based Whitelist

The dynamic package name whitelist contains package names that are considered safe and will be ignored in the scan results.

This list is dynamic, meaning you can add to it before, during, or after a scan. This is useful for handling local false positives, allowing users or the integrating application to whitelist less-known but trusted applications.

Setting up whitelist

Malware detection is an integral part of the freeRASP SDK and is configured using the same TalsecConfig object. Malware configuration in TalsecConfig allows you to customize the behavior of the malware detection feature.

To enable malware detection, extend the configuration used during the initial integration of the SDK:

freeMalwareDetection is a powerful SDK designed to enhance the security of your Android application by quickly and efficiently scanning for malicious (or suspicious) applications based on various blacklists and security policies.

freeMalwareDetection is currently supported for:

• Android

• Flutter

• React Native

• Kotlin Multiplatform

• Cordova

• Capacitor

Features

📌 In-App Malware Detection

Secure your Android app with quick, efficient threat scans. Detect SMS OTP Stealers, Ransomware, Fraudulent Apps, Spyware, Risky Apps, Copycats, Clipper Malware, Fake Security Apps, Keyloggers, Phishing Apps, Malware Droppers and Banking Malware.

🛜 Offline Processing – Everything Happens On-Device

All scanning and evaluation is performed directly on a device, ensuring complete functionality without the need for an internet connection. This approach enhances both reliability and privacy, as no data is transmitted or stored externally.

🛡️ Customizable Blacklists Easily define and manage to tailor malware detection to your needs.

⚡ Asynchronous Scanning Perform malware scans in the background without affecting the app's performance.

🔍 Comprehensive Details Receive detailed information on detected threats to inform users effectively.

✅ Google Play Review Compliant

Malware detection generally complies with Google Play policies without any additional involvement. Optional improved detection capabilities utilizing QUERY_ALL_PACKAGES permission (optional feature) require .

🚀 Easy Integration Simple integration process with robust documentation and support.

Everything you need to detect fraud & abuse malware

Infography

Main usage scenarios

a) Process Risky Apps in Your Business Logic (Without User Involvement)

Malware detection provides a list of suspicious apps, allowing your business logic to take appropriate action based on your objectives:

• 📊 User and device risk scoring – Assess potential threats based on detected apps.

• 🕵️ Study malware – Analyze malicious behavior to improve defenses.

• 🔒 Block some features – Restrict access to sensitive actions for security.

b) Display Malware Warning UI to Alert Users (With User Involvement)

1. Developer (during development): Define criteria for suspicious apps using blacklists and suspicious permission lists.

2. SDK (at runtime): The SDK scans the device for suspicious apps installed on the device.

3. Your app (at runtime): Display the malware warning UI to alert users and allow them to confirm the trustworthiness of the listed risky apps (or some of them).

Each application, whose specification is defined in one of the blacklists and is found on the device, is returned in the scan results.

There are three types of blacklists:

• Package Name Based

• Hash Based

Scanning

The Malware Detection scan starts automatically, without any need for initialization. It is being run asynchronously in a separate thread along with other freeRASP checks, so it has no significant impact either on the application or freeRASP checks performance.

Based on the provided blacklists, Malware Detection examines installed applications to determine if they match any configurations listed in the blacklist.

System Applications

To avoid false positives, system applications are filtered out from:

• Permission-based blacklist

• Installation sources whitelist

and therefore won't be present in the results of scan.

Processing Scan Results

Receiving Results

The results of the scan are received using a callback mechanism from the freeRASP SDK by triggering malware callback:

Result Interpretation

After the scan is complete, freeRASP provides a result - a list of suspicious applications.

Each suspicious application in the list includes two main components:

• SuspiciousAppInfo An object containing details about the application.

• Reason A string explaining why the application was flagged as suspicious.

Caching

Scanned applications are stored in a cache until all applications on the device have been scanned. Only after the entire scan is complete , the callback mechanism sends the results to the application.

For example, if the application is only open for a few seconds and only a portion of the scan is completed, the results will be available the next time the application is opened for a longer period.

If any changes are made to the configuration—such as modifying a blacklist in the TalsecConfig—the cache is cleared, and the scanning process restarts from the beginning. This ensures that all applications are re-scanned under the latest security settings.

Result Handling

The results can be handled in many different ways.

For example:

• Logging on the back-end Collect data about found suspicious applications and potential threats (or even whitelists in case of "false positives"). However, be aware that Google considers package names as , so special requirements apply to their collection.

• Blocking certain logic if a specific application (or type of application) is detected.

• Showcase the results Suggest to the user that they can add the application to the whitelist or navigate them to uninstall the application.

Tip

On Android (i.e. not hybrid platforms), if you want to uninstall the application (noted below as item), you can use the following code snippet to navigate directly to the system settings where the application can be uninstalled: