Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Each application, whose specification is defined in one of the blacklists and is found on the device, is returned in the scan results.
There are three types of blacklists:
Package Name Based
Hash Based
Permission Based
You can omit a specific blacklist if you don't want to use it.
A package name blacklist contains a list of package names which you consider as suspicious (or malware).
Each application, whose package name is defined in the blacklist and is found on the device, is returned in the scan results.
If the application is flagged as suspicious, the scan result will show reason value set as blacklist.
A hash-based blacklist contains a list of SHA-256 hashes of the application APK which you consider as suspicious (or malware).
Each application, whose APK hash is defined in the blacklist and is found on the device, is returned in the scan results.
Scanning may take longer when using a hash-based blacklist, as the APK hash must be computed for each app on the device, which can be an expensive operation.
If the application is flagged as suspicious, the scan result will show reason value set as blacklist.
There are many ways how to compute the SHA-256 hash of the APK; for instance, on Unix, you can use:
A suspicious permissions list contains a list of permission lists which you consider suspicious when granted to an application.
The suspicious permissions have to be granted, not just requested by the application, for it to be considered suspicious and returned in the scan results.
Each list contains a group of permissions. For an application to be marked as suspicious, all permissions in given group must be granted:
If the application is flagged as suspicious, the scan result will show reason value set as suspiciousPermission.
To reduce the amount of false positives, we also check whether the application with suspicious permissions is installed from an untrusted installation source.
Untrusted installation source is a source that was not whitelisted using installation source whitelist. More about whitelists here.
Before starting the integration, please ensure the following steps are completed.
Integrating freeRASP into your project is essential, as it provides the foundation for all malware detection functionalities. For detailed instructions, refer to the freeRASP Integration Guide.
If you have already integrated the SDK, you can skip this step and proceed to the next section.
Malware Detection is available starting from:
freeRASP 12.0.0 on Android
freeRASP 6.8.0 on Flutter
freeRASP 3.10.0 on React Native
freeRASP 1.6.0 on Capacitor
freeRASP 6.4.0 on Cordova
This step is optional, depending on the level of detection you wish to implement. The Malware Detection feature can scan all executable applications (with the MAIN entry point defined) without any additional permissions.
If you want to extend the detection capabilities to all packages (services, daemons, ...), you have to require the android.permission.QUERY_ALL_PACKAGES in your application's Manifest file.
Be aware that this permission is a special subject to the Google Play Review process.
Malware detection is an integral part of the freeRASP SDK and is configured using the same TalsecConfig object. Malware configuration in TalsecConfig allows you to customize the behavior of the malware detection feature.
To enable malware detection, extend the configuration used during the initial integration of the SDK:
It includes the following fields:
blacklistedPackageNames
A list of package names , any app with a package name in this list will trigger a detection.
blacklistedHashes
A list of APK hashes, which will trigger a detection. These hashes typically represent known malicious app versions.
suspiciousPermissions
A list of permissions that, if granted to another app, trigger a detection. You can specify single permissions or groups of permissions that, if requested together, are flagged as suspicious.
whitelistedInstallationSource
A list of trusted sources from which apps can be installed.
Whitelists are lists that contain data about applications which should not be flagged as malware.
There are two types of whitelist:
Installation Source Based
Dynamic Package Name Based
You can omit a whitelist if you don't want to use it.
An installation source whitelist contains a list of installation sources (package names) which are considered trustworthy.
We use installation source during two checks:
standalone installation source check - any application that is installed from a source that is not whitelisted will be returned as suspicious in the scan result with the reason value set as installSource
suspicious permissions check - as mentioned in Suspicious Permissions list, while checking permissions, we also check the installation source to reduce false positives. The logic is the same as in the standalone installation source check, any application installed from a source that is not whitelisted will be considered as installed from an untrusted source.
When checking installation source, we filter out system applications to reduce the amount of false positives
com.android.vending Package name of Google Play Store
com.huawei.appmarket Package name of Huawei App Gallery
com.google.android.packageinstaller Package name of the Package Installer system app, which is responsible for managing the installation of applications on Android devices. Applications installed manually using an APK file will usually have this package name as their installation source.
unknown
Some applications might have their installation source set as null. This is considered as the installation source unknown.
This can be true for some system apps or for apps installed through ADB. During development, your applications will fall into this category.
We recommend that you whitelist the com.android.vending to not consider all applications installed from Google Play as suspicious. Make sure to whitelist also com.huawei.appmarket if you do not want to have the applications from this store flagged as well.
The dynamic package name whitelist contains package names that are considered safe and will be ignored in the scan results.
This list is dynamic, meaning you can add to it before, during, or after a scan. This is useful for handling local false positives, allowing users or the integrating application to whitelist less-known but trusted applications.
The whitelist is cleared whenever a new configuration is applied (i.e. when any blacklist is changed).
The Malware Detection scan starts automatically, without any need for initialization. It is being run asynchronously in a separate thread along with other freeRASP checks, so it has no significant impact either on the application or freeRASP checks performance.
Based on the provided blacklists, Malware Detection examines installed applications to determine if they match any configurations listed in the blacklist.
Scanning may take longer when using a hash-based blacklist, as the apk hash must be computed for each app on the device, which can be an expensive operation. More about hash-based blacklist here.
To avoid false positives, system applications are filtered out from:
Permission-based blacklist
Installation sources whitelist
and therefore won't be present in the results of scan.
The results of the scan are received using a callback mechanism from the freeRASP SDK by triggering malware callback:
Learn more about the callbacks here; see the respective platform.
After the scan is complete, freeRASP provides a result - a list of suspicious applications.
Each suspicious application in the list includes two main components:
SuspiciousAppInfo An object containing details about the application.
Reason A string explaining why the application was flagged as suspicious.
SuspiciousAppInfo object contains two properties:
packageInfo
Information about the contents of a package of the application, such as package name, version, and other relevant details.
Refers to the entire PackageInfo object.
reason
Contains String value with the information about which blacklist has been matched (for information about blacklists, see Features). Possible values are:
blacklist - if at least one of the following conditions holds for the application:
a package name has been matched with a package name in a packageNames blacklist, or
an application hash has been matched with an application hash in the hashes blacklist.
suspiciousPermission - if both of the following conditions hold for the application:
the application contains at least one of the suspicious groups of permissions, and
the application is installed from a non-whitelisted source.
installSource - if the application is installed from a non-whitelisted source.
If suspiciousPermission conditions hold as well, these take priority over the installSource for the reason value.
SuspiciousAppInfo object is composed of two variables:
packageInfo
PackageInfo - information about the contents of a package of the application, e.g., package name, version, and other relevant details.
packageInfo consists of:
packageName - type String - the name of the package. From the tag's name attribute.
appName - type String? - public name of the package, or undefined if not available. From the android:name attribute.
version - type String? - the version name of the package as specified by the tag's versionName attribute, or undefined if not available.
installerStore - type String? - the name of the package responsible for the installation, or undefined if not available.
appIcon - type String? - the icon associated with an application. Returns PNG encoded as a base64 string, or undefined if icon is not available. The icon can then be displayed:
using Image widget:
reason
type String - the information about which blocklist has been matched (for information about blocklists, see Features).
blacklist - if at least one of the following conditions holds for the application:
a package name has been matched with a package name in a packageNames blocklist,
an application hash has been matched with an application hash in the hashes blocklist.
suspiciousPermission - if both of the following conditions hold for the application:
the application contains at least one of the suspicious groups of permissions,
the application is installed from a not-whitelisted source.
installSource - if the application is installed from a not-whitelisted source.
If suspiciousPermission conditions hold as well, these take priority over the installSource for the reason value.
SuspiciousAppInfo object is composed of two variables:
packageInfo
PackageInfo - information about the contents of a package of the application, e.g., package name, version, and other relevant details.
packageInfo consists of:
packageName - type string - the name of the package. From the tag's name attribute.
appName - type string? - public name of the package, or undefined if not available. From the android:name attribute.
version - type string? - the version name of the package as specified by the tag's versionName attribute, or undefined if not available.
installerStore - type string? - the name of the package responsible for the installation, or undefined if not available.
appIcon - type string? - the icon associated with an application. Returns PNG encoded as a base64 string, or undefined if icon is not available. The icon can then be displayed:
using the standard Image component:
reason
type string - the information about which blocklist has been matched (for information about blocklists, see Features).
blacklist - if at least one of the following conditions holds for the application:
a package name has been matched with a package name in a packageNames blocklist,
an application hash has been matched with an application hash in the hashes blocklist.
suspiciousPermission - if both of the following conditions hold for the application:
the application contains at least one of the suspicious groups of permissions,
the application is installed from a not-whitelisted source.
installSource - if the application is installed from a not-whitelisted source.
If suspiciousPermission conditions hold as well, these take priority over the installSource for the reason value.
SuspiciousAppInfo object is composed of two variables:
packageInfo
PackageInfo - information about the contents of a package of the application, e.g., package name, version, and other relevant details.
packageInfo consists of:
packageName - type string - the name of the package. From the tag's name attribute.
appName - type string? - public name of the package, or undefined if not available. From the android:name attribute.
version - type string? - the version name of the package as specified by the tag's versionName attribute, or undefined if not available.
installerStore - type string? - the name of the package responsible for the installation, or undefined if not available.
appIcon - type string? - the icon associated with an application. Returns PNG encoded as a base64 string, or undefined if icon is not available. The icon can then be displayed:
using the standard img component:
reason
type string - the information about which blocklist has been matched (for information about blocklists, see Features).
blacklist - if at least one of the following conditions holds for the application:
a package name has been matched with a package name in a packageNames blocklist,
an application hash has been matched with an application hash in the hashes blocklist.
suspiciousPermission - if both of the following conditions hold for the application:
the application contains at least one of the suspicious groups of permissions,
the application is installed from a not-whitelisted source.
installSource - if the application is installed from a not-whitelisted source.
If suspiciousPermission conditions hold as well, these take priority over the installSource for the reason value.
SuspiciousAppInfo object is composed of two variables:
packageInfo
PackageInfo - information about the contents of a package of the application, e.g., package name, version, and other relevant details.
packageInfo consists of:
packageName - type string - the name of the package. From the tag's name attribute.
appName - type string? - public name of the package, or undefined if not available. From the android:name attribute.
version - type string? - the version name of the package as specified by the tag's versionName attribute, or undefined if not available.
installerStore - type string? - the name of the package responsible for the installation, or undefined if not available.
appIcon - type string? - the icon associated with an application. Returns PNG encoded as a base64 string, or undefined if icon is not available. The icon can then be displayed:
using the standard ion-img component:
reason
type string - the information about which blocklist has been matched (for information about blocklists, see Features).
blacklist - if at least one of the following conditions holds for the application:
a package name has been matched with a package name in a packageNames blocklist,
an application hash has been matched with an application hash in the hashes blocklist.
suspiciousPermission - if both of the following conditions hold for the application:
the application contains at least one of the suspicious groups of permissions,
the application is installed from a not-whitelisted source.
installSource - if the application is installed from a not-whitelisted source.
If suspiciousPermission conditions hold as well, these take priority over the installSource for the reason value.
Scanned applications are stored in a cache until all applications on the device have been scanned. Only after the entire scan is complete , the callback mechanism sends the results to the application.
For example, if the application is only open for a few seconds and only a portion of the scan is completed, the results will be available the next time the application is opened for a longer period.
If any changes are made to the configuration—such as modifying a blacklist in the TalsecConfig—the cache is cleared, and the scanning process restarts from the beginning. This ensures that all applications are re-scanned under the latest security settings.
The results can be handled in many different ways.
For example:
Logging on the back-end Collect data about found suspicious applications and potential threats (or even whitelists in case of "false positives"). However, be aware that Google considers package names as personal and sensitive information, so special requirements apply to their collection.
Blocking certain logic if a specific application (or type of application) is detected.
Showcase the results Suggest to the user that they can add the application to the whitelist or navigate them to uninstall the application.
On Android (i.e. not hybrid platforms), if you want to uninstall the application (noted below as item), you can use the following code snippet to navigate directly to the system settings where the application can be uninstalled:
freeMalwareDetection is a powerful feature designed to enhance the security of your Android application by quickly and efficiently scanning for malicious (or suspicious) applications based on various blacklists and security policies.
Customizable Blacklists Easily define and manage multiple types of blacklists to tailor malware detection to your needs.
Asynchronous Scanning Perform malware scans in the background without affecting the app's performance.
Comprehensive Details Receive detailed information on detected threats to inform users effectively.
Easy Integration Simple integration process with robust documentation and support.
freeMalwareDetection is currently supported for:
If you there is any issue, bug or question, please do not hesitate to create a GitHub issue on the respective repository or email support@talsec.atlassian.net. The GitHub is strongly preferred.
Furthermore, if you have any ideas for improvements or feature requests, either of the product or the documentation, contact us as well, we will be glad to hear your thoughts!
