# Malware Detection

<figure><img src="https://1666089280-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxFHPMAbn16uoDyOtoiaC%2Fuploads%2FOkwWVvvL0Da12fQW11oZ%2Fmobile-scanner.svg?alt=media&#x26;token=82b3a39c-be09-46dd-a0b6-5cf01d0eea37" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Premium Users: View [premium documentation here](https://docs.talsec.app/premium-integration-documentations/).
{% endhint %}

**Malware Detection** provides active in-app protection against both **known & zero-day malware**, ongoing **malware campaigns**, **counterfeit app clones**, and other **risky and suspicious apps** that could compromise user data or your backend services. It evaluates applications, highlights high‑risk findings, and reports them back to your mobile app for real‑time security decisions and logging.

Combining robust **on-device Offline Scanning for Suspicious and Risky Apps** with an **optional online App Reputation API** that verifies findings against a live malware DB lets you balance privacy, performance, and coverage according to your risk model.

*The online App Reputation API extension is fully optional: when disabled, the product works as a strictly on‑device scanner; when enabled, it upgrades your detection coverage by leveraging a live cloud malware database as an additional authoritative signal.*

## Malware Detection Configurations Comparison

<figure><img src="https://1666089280-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxFHPMAbn16uoDyOtoiaC%2Fuploads%2FxwYFHYeDoqFGeyjkw2hi%2Fhigh_security_malware_detection_pipeline_detailed.svg?alt=media&#x26;token=40b831f2-03d6-4c40-9bbc-7cfd4e3c7fee" alt=""><figcaption></figcaption></figure>

| Feature                                                                                       | Offline Scanning                                                                                                                                                                                                            | High-Confidence Online                                                                                                                                                                                                                | High-Security Online                                                                                                                                                                                                                                        |
| --------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                                                                                               | [view details](#suspicious-and-risky-apps-offline-scanning)                                                                                                                                                                 | [view details](#high-confidence-online-malware-detection)                                                                                                                                                                             | [view details](#high-security-online-malware-detection)                                                                                                                                                                                                     |
| <p><strong>What's Detected</strong><br>(Suspicious & Risky Apps Detection, Known Malware)</p> | <p>Detects <strong>suspicious and risky apps</strong> using on-device heuristics.<br><br><em><strong>Suspicious and risky apps</strong> are those that haven’t been confirmed to be malicious (but they could be).</em></p> | <p>Detects <strong>known malware</strong> using online App Reputation API.<br><br><em><strong>Known malware</strong> refers to apps that have been already <strong>confirmed</strong> by live malware DB to be malicious.</em></p>    | ✅ Everything: Detects both **suspicious and risky apps** using on-device heuristics and **known malware** using App Reputation API                                                                                                                          |
| **Scan using Malware DB via App Reputation API**                                              | ❌ Offline-only                                                                                                                                                                                                              | ✅ Online                                                                                                                                                                                                                              | ✅ Online                                                                                                                                                                                                                                                    |
| **Ideal For**                                                                                 | The foundational layer engineered for apps needing to identify suspicious/risky apps (including zero-days) with permission-based risk scoring, hash/package blocklists, and selective scanning - all processed locally.     | Recommended as a set-and-forget mode for busy teams - fully automatic, no config. Leverages the App Reputation API, flagging known malware only, so false positives are near zero and you can confidently block critical actions without user friction. | Maximum protection for high-stakes environments like banking or payments. Combines API-verified malware detection with permission-based zero-day flagging. Best when you prefer highest security and can implement step-up auth or user confirmation flows. |
| **Detection Method**                                                                          | ✅ On-device (hash, package, permissions)                                                                                                                                                                                    | ✅ App Reputation API                                                                                                                                                                                                                  | ✅ App Reputation API + ✅ on-device methods                                                                                                                                                                                                                  |
| **False Positive Risk**                                                                       | Low                                                                                                                                                                                                                         | Near zero (only confirmed known malware is flagged)                                                                                                                                                                                    | Very Low                                                                                                                                                                                                                                                    |
| **Recommended Action**                                                                        | Warning, step-up auth, user confirmation                                                                                                                                                                                    | ✅ Block, warning, step-up auth, user confirmation                                                                                                                                                                                     | ✅ Block, warning, step-up auth, user confirmation                                                                                                                                                                                                           |
| **Network Required**                                                                          | No                                                                                                                                                                                                                          | Yes + Cached Results                                                                                                                                                                                                                  | Yes + Cached Results                                                                                                                                                                                                                                        |
| **App Selection**                                                                             | Configurable filtering by installation source                                                                                                                                                                               | Configurable filtering by installation source                                                                                                                                                                                         | Configurable filtering by installation source                                                                                                                                                                                                               |
| **Zero-Day Coverage**                                                                         | ✅                                                                                                                                                                                                                           | ❌                                                                                                                                                                                                                                     | ✅                                                                                                                                                                                                                                                           |
| **Hash blocklist feature**                                                                    | ✅                                                                                                                                                                                                                           | ✅                                                                                                                                                                                                                                     | ✅                                                                                                                                                                                                                                                           |
| **Package-name blocklist feature**                                                            | ✅                                                                                                                                                                                                                           | ✅                                                                                                                                                                                                                                     | ✅                                                                                                                                                                                                                                                           |
| **Permission-based detection feature**                                                        | ✅                                                                                                                                                                                                                           | ✅                                                                                                                                                                                                                                     | ✅                                                                                                                                                                                                                                                           |
| **Remote Config**                                                                             | ✅ Optional                                                                                                                                                                                                                  | ✅ Optional                                                                                                                                                                                                                            | ✅ Optional                                                                                                                                                                                                                                                  |

{% stepper %}
{% step %}

### Suspicious and Risky Apps Offline Scanning

In the default configuration, all analysis runs **directly on the device**, with no need for network connectivity and no app inventory data leaving the device.

<figure><img src="https://1666089280-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxFHPMAbn16uoDyOtoiaC%2Fuploads%2FjhJxNEp6aTdzM17dZMgH%2FMalwareDetection%20(2).png?alt=media&#x26;token=fe54e995-d6ae-45b5-bd0b-a1ada71b6ea4" alt=""><figcaption></figcaption></figure>

#### What Makes It Different?

The Android app ecosystem and its distribution models allow attackers to publish apps (usually requesting powerful permissions) that interfere with other apps on the device and carry out individual steps of an attack against our customers' apps. Such apps may perform malicious activities such as **making or accepting calls**, **sending or reading SMS messages**, **reading the content of the screen**, **intercepting network communications**, **logging keyboard input**, and many others. Often such apps are built and distributed specifically to attack one target app, **so a universal database of known malware becomes inefficient**: the APK is trivially repackaged to change its hash and re-distributed.

The offline scanning focuses on efficient, privacy‑preserving detection:

* **Smart app selection** for optimized and fast scans
* **Hash blocklist check:** Compares app hashes against a blocklist
* **Package-name blocklist check:** Checks app package names against a blocklist
* **Malware scan scope:** Select only the apps that matter for your threat model. For example, exclude apps installed from trusted stores like Google Play, default system apps, and OEM-preinstalled apps.
* **Permission-based risk assessment:** Evaluate both the **requested** and the **granted** permissions of each app and flag those using suspicious or over-privileged combinations (e.g., read SMS, accessibility service, install packages).
* **Remote configuration (optional):** Update your rules remotely as your needs evolve.
{% endstep %}

{% step %}

### High-Confidence Online Malware Detection

The High-Confidence configuration uses the optional **online App Reputation API**, which connects your app to an up-to-date malware intelligence database. Because this configuration relies solely on the **live malware and virus DB**, the risk of false positives is significantly reduced.

#### Result Behavior

* Only the app that is recognized as malware by the App Reputation API is flagged by the Talsec SDK.

#### Details

This configuration offers nearly **0% false-positive risk** at the cost of coverage: "zero-day" malware apps (unknown to the App Reputation API) are not considered harmful even if they request dangerous permissions, which widens the potential security impact. This option can be used without any additional changes to the application logic (*e.g., step-up authentication or in-app interaction with the end user*); the application can simply be blocked, with the rationale that known malware is installed on the device.
{% endstep %}

{% step %}

### High-Security Online Malware Detection

This High-Security configuration uses both permission-based assessment and an online App Reputation API to deliver the best results from a security perspective.

#### Result Behavior

* If the application is recognized as malware by the App Reputation API, the Talsec SDK **automatically flags it**.
* If the app is unknown to the App Reputation API and **requests dangerous permissions (configurable)**, it is also flagged by the Talsec SDK.
* If the app requests dangerous permissions but is considered benign by the App Reputation API, the app is NOT flagged by the Talsec SDK, **reducing the number of false positives**.

#### Details

This configuration combines the benefits of the App Reputation API and permission-based classification. It also protects against "zero-day" malware: if a brand-new, sideloaded app unknown to the API requests dangerous permissions, the SDK will flag it.

Even though the App Reputation API reduces the risk of false positives, it does not eliminate it entirely. Because of that, this option expects an additional layer of countermeasures (step-up authentication) or in-app interaction with the end user to confirm that a flagged application is benign. The list of suspicious applications returned by the Talsec SDK also contains the reasoning behind each finding, which helps with classification.
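To make the decision rules concrete, here is an added example (not Talsec SDK code; the real SDK runs on-device in your Android app) that models both the offline checks listed under "Suspicious and Risky Apps Offline Scanning" and the three result behaviours compared above: scan scope by installer, hash and package-name blocklists, permission-combination scoring, and a cached stand-in for the App Reputation API. Every name (`AppInfo`, `Verdict`, `classify`, `scan`), the rule values, the permission combinations, and the sample app inventory are constructed for illustration and do not correspond to the real API or to real malware.

```python
"""Toy model of the three Malware Detection configurations (added example, not SDK code).
All rule values, hashes and apps below are constructed so the module runs offline."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Config(Enum):
    OFFLINE = "offline"                  # on-device heuristics only
    HIGH_CONFIDENCE = "high_confidence"  # reputation DB only (plus your own blocklists)
    HIGH_SECURITY = "high_security"      # reputation first, permission heuristics for unknown apps


@dataclass(frozen=True)
class AppInfo:
    package: str
    installer: str | None      # installing package; None = sideloaded
    apk_sha256: str
    requested: frozenset[str]  # permissions declared in the manifest
    granted: frozenset[str]    # permissions the user actually granted


@dataclass
class Verdict:
    package: str
    flagged: bool = False
    reasons: list[str] = field(default_factory=list)  # reasoning returned with the flag


def sha(label: str) -> str:
    """Stand-in for an APK hash, derived from a label rather than a real APK."""
    return hashlib.sha256(label.encode()).hexdigest()


# --- constructed rule set (hypothetical values) ---------------------------------------
TRUSTED_INSTALLERS = {"com.android.vending"}   # scan scope: skip apps installed from Google Play
HASH_BLOCKLIST = {sha("custom-blocked-apk")}    # your own hash blocklist
PACKAGE_BLOCKLIST = {"com.example.fakebank"}    # your own package-name blocklist
# A single permission is common; the combination is what an SMS stealer, overlay or dropper needs.
RISKY_COMBOS = [
    ({"android.permission.READ_SMS", "android.permission.INTERNET"}, "SMS read + network"),
    ({"android.permission.BIND_ACCESSIBILITY_SERVICE", "android.permission.SYSTEM_ALERT_WINDOW"},
     "accessibility + overlay"),
]
# Stand-in for the online App Reputation API: cached answers keyed by APK hash.
# True = confirmed malware, False = confirmed benign, absent = unknown to the DB (zero-day).
REPUTATION_CACHE: dict[str, bool] = {sha("known-malware-apk"): True, sha("legit-sms-backup"): False}


def in_scope(app: AppInfo) -> bool:
    return app.installer not in TRUSTED_INSTALLERS


def blocklist_reasons(app: AppInfo) -> list[str]:
    reasons = []
    if app.apk_sha256 in HASH_BLOCKLIST:
        reasons.append("hash blocklist")
    if app.package in PACKAGE_BLOCKLIST:
        reasons.append("package-name blocklist")
    return reasons


def permission_reasons(app: AppInfo) -> list[str]:
    perms = app.requested | app.granted  # both requested and granted permissions are evaluated
    return [f"dangerous permissions: {label}" for combo, label in RISKY_COMBOS if combo <= perms]


def classify(app: AppInfo, config: Config) -> Verdict:
    v = Verdict(app.package)
    if not in_scope(app):
        return v                                       # outside the configured scan scope
    v.reasons += blocklist_reasons(app)                # blocklists apply in every configuration
    rep = None if config is Config.OFFLINE else REPUTATION_CACHE.get(app.apk_sha256)
    if rep is True:
        v.reasons.append("known malware (App Reputation API)")
    # Permission heuristics: always offline; never in High-Confidence;
    # in High-Security only when the reputation DB does not know the app.
    if config is Config.OFFLINE or (config is Config.HIGH_SECURITY and rep is None):
        v.reasons += permission_reasons(app)
    v.flagged = bool(v.reasons)
    return v


def sample_apps() -> list[AppInfo]:
    """Constructed inventory covering the cases the page distinguishes."""
    sms_net = frozenset({"android.permission.READ_SMS", "android.permission.INTERNET"})
    none = frozenset()
    return [
        AppInfo("com.example.playapp", "com.android.vending", sha("play-app"), sms_net, sms_net),
        AppInfo("com.example.zeroday", None, sha("never-seen-apk"), sms_net, none),
        AppInfo("com.example.known", None, sha("known-malware-apk"), none, none),
        AppInfo("com.example.smsbackup", None, sha("legit-sms-backup"), sms_net, sms_net),
        AppInfo("com.example.fakebank", None, sha("clone-apk"), none, none),
    ]


def scan(apps: list[AppInfo], config: Config) -> dict[str, Verdict]:
    return {app.package: classify(app, config) for app in apps}


if __name__ == "__main__":
    for cfg in Config:
        print(cfg.value)
        for pkg, verdict in scan(sample_apps(), cfg).items():
            print(f"  {pkg:24} flagged={verdict.flagged!s:5} {'; '.join(verdict.reasons)}")
```

Running it shows the trade-off in the comparison table: the sideloaded zero-day with an SMS-plus-network permission combination is flagged offline and in High-Security but missed by High-Confidence; the app known to the reputation cache is caught only by the two online modes; the legitimate SMS backup app is a false positive offline but cleared by the reputation answer in both online modes; the package-blocklisted clone is flagged everywhere; and the Play-installed app is never examined because it is out of scope.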
{% endstep %}
{% endstepper %}

{% hint style="info" %}
**MalwareDetection** is the more advanced premium commercial edition, while [**freeMalwareDetection**](https://docs.talsec.app/premium-products/product/broken-reference) is available as a free community alternative.

For pricing information and to request a demo, visit [Talsec](https://talsec.app/).
{% endhint %}

## Learn More

<table data-card-size="large" data-view="cards"><thead><tr><th></th><th data-hidden data-card-cover data-type="image">Cover image</th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td>Article + Demos</td><td><a href="https://1666089280-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxFHPMAbn16uoDyOtoiaC%2Fuploads%2FfvNLK0FkqNxaYyyfrDQ4%2Fmalware%20det.png?alt=media&#x26;token=5df10b57-64c6-4f31-b70d-95498f1d70c9">malware det.png</a></td><td><a href="https://docs.talsec.app/appsec-articles/articles/android-malware-detection-sdk-for-your-app-detect-risky-and-suspicious-apps-and-known-malware">https://docs.talsec.app/appsec-articles/articles/android-malware-detection-sdk-for-your-app-detect-risky-and-suspicious-apps-and-known-malware</a></td></tr><tr><td>Video</td><td><a href="https://1666089280-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxFHPMAbn16uoDyOtoiaC%2Fuploads%2Fi9GKzcmNbibLDjwmP0Wt%2FUntitled%206.png?alt=media&#x26;token=6363170b-02df-400c-aff7-439624665e9d">Untitled 6.png</a></td><td><a href="https://www.youtube.com/watch?v=ibexWkRIfLg">https://www.youtube.com/watch?v=ibexWkRIfLg</a></td></tr></tbody></table>
