
Malware Detection

Protect your mobile app from risky and malicious apps with malware detection that identifies blacklisted apps, untrusted app stores, side-loaded apps, and dangerous permissions in real time.

Malware Detection provides active in-app protection against both known & zero-day malware, ongoing malware campaigns, counterfeit app clones, and other risky and suspicious apps that could compromise user data or your backend services. It evaluates applications, highlights high‑risk findings, and reports them back to your mobile app for real‑time security decisions and logging.

Combining robust on-device offline scanning for suspicious and risky apps with an optional online App Reputation API, which verifies findings against a malware database, lets you balance privacy, performance, and coverage according to your risk model.

The online App Reputation API extension is fully optional: when disabled, the product works as a strictly on‑device scanner; when enabled, it upgrades your detection coverage by leveraging a live cloud malware database as an additional authoritative signal.


Malware Detection Configurations Comparison

| Feature | Offline Scanning | High-Confidence Online | High-Security Online |
| --- | --- | --- | --- |
| MD Subscription | Included | Extra | Extra |
| Suspicious & Risky Apps Detection | | | |
| Scan using Malware DB via App Reputation API | | | |
| Ideal For | The foundational layer engineered for apps needing to identify suspicious/risky apps (including zero-days) with permission-based risk scoring, hash/package blocklists, and selective scanning, all processed locally. | Recommended as a set-and-forget mode for busy teams: fully automatic, no config. Leverages the App Reputation API for 0% false positives on known malware only, letting you confidently block critical actions without user friction. | Maximum protection for high-stakes environments like banking or payments. Combines API-verified malware detection with permission-based zero-day flagging. Best when you prefer the highest security and can implement step-up auth or user confirmation flows. |
| Detection Method | ✅ On-device (hash, package, permissions) | ✅ App Reputation API | ✅ App Reputation API + ✅ on-device methods |
| False Positive Risk | Low | 0% | Very Low |
| Recommended Action | Warning, step-up auth, user confirmation | ✅ Block, warning, step-up auth, user confirmation | ✅ Block, warning, step-up auth, user confirmation |
| Network Required | No | Yes + Cached Results | Yes + Cached Results |
| App Selection | Configurable filtering by installation source | Configurable filtering by installation source | Configurable filtering by installation source |
| Zero-Day Coverage | Hash blocklist feature | Package-name blocklist feature | Permission-based detection feature |
| Remote Config | ✅ Optional | ✅ Optional | ✅ Optional |

1. Suspicious and Risky Apps Offline Scanning

In the default configuration, all analysis runs directly on the device, with no need for network connectivity and no app inventory data leaving the device.

What Makes It Different?

The Android app ecosystem and its distribution models allow attackers to create apps (usually requesting strong permissions) that interfere with other apps on the device and carry out steps of an attack against our customers' apps. Such attacks can involve malicious activities such as making or accepting calls, sending or reading SMS messages, reading the content of the screen, intercepting network communications, logging keyboard input, and many others. Because such apps are usually created and distributed specifically to attack a given app, a universal database of known malware becomes inefficient: the app hash is easily permuted and the app re-distributed.

The offline scanning focuses on efficient, privacy‑preserving detection:

  • Smart app selection for optimized and fast scans

  • Hash blocklist check: Compares app hashes against a blocklist

  • Package-name blocklist check: Checks app package names against a blocklist

  • Malware scan scope: Select only the apps that matter for your threat model. For example, exclude apps installed from trusted stores such as Google Play, default system apps, and OEM-preinstalled apps.

  • Permission-based risk assessment: Evaluates both requested and granted permissions of each app and marks those using suspicious or over‑privileged combinations (e.g., read SMS, accessibility access, install packages).

  • Remote configuration (optional): Update your rules remotely as your needs evolve.

2. High-Confidence Online Malware Detection

The High-Confidence configuration uses the optional online App Reputation API, which connects your app to an up‑to‑date malware intelligence database. This configuration is based solely on the live malware and virus DB, significantly reducing the risk of false positives.

Result Behavior

  • Only the app that is recognized as malware by the App Reputation API is flagged by the Talsec SDK.

Details

This configuration offers nearly 0% false-positive risk at the cost of security. The "Zero-Day" malware apps (unknown to the App Reputation API) are not considered harmful even if they require dangerous permissions, increasing the potential security implications. This option can be used without any additional modifications to the application logic (e.g., step-up authentication or in-app interaction with the end-user); the application can simply be blocked, with the rationale that malware is installed on the device.

3. High-Security Online Malware Detection

This High-Security configuration uses both permission-based assessment and an online App Reputation API to deliver the best results from a security perspective.

Result Behavior

  • If the application is recognized by the App Reputation API, the Talsec SDK automatically flags it.

  • If the app is unknown to the App Reputation API and requires dangerous permissions (configurable), it is also flagged by the Talsec SDK.

  • If the app requires dangerous permissions but is considered benign by the App Reputation API, the app is NOT flagged by the Talsec SDK, reducing the number of false positives.
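As an added illustration, not code from the Talsec SDK, the following Python models the offline checks listed under Offline Scanning (scan scope by installer, hash and package-name blocklists, permission-based assessment) together with the three result-behaviour rules of the High-Security configuration, with Offline and High-Confidence modes for comparison. The app inventory, hashes, blocklist, the `lookup_reputation` stand-in for the App Reputation API, the `com.android.vending` installer name for Google Play, and the choice to apply blocklists as well as permissions to API-unknown apps in High-Security mode are all assumptions.

```python
"""Constructed model of the three Malware Detection configurations (not SDK code)."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Optional

# Permissions the page names as examples of suspicious / over-privileged use.
DANGEROUS_PERMISSIONS = frozenset({
    "android.permission.READ_SMS",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
})
# Assumption: Google Play's installer package name; add OEM stores you trust.
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})


class Mode(Enum):
    OFFLINE = "offline"                  # on-device checks only
    HIGH_CONFIDENCE = "high_confidence"  # App Reputation API verdict only
    HIGH_SECURITY = "high_security"      # API verdict + on-device checks for unknowns


@dataclass(frozen=True)
class InstalledApp:
    package: str
    apk_sha256: str
    installer: Optional[str]   # None = side-loaded / unknown source
    system: bool
    requested: FrozenSet[str]
    granted: FrozenSet[str]


@dataclass
class Finding:
    package: str
    reasons: List[str] = field(default_factory=list)   # reasoning returned with the flag


def in_scope(app: InstalledApp) -> bool:
    """Scan scope: skip system apps and apps installed from trusted stores."""
    return not app.system and app.installer not in TRUSTED_INSTALLERS


def offline_reasons(app: InstalledApp, hash_blocklist: FrozenSet[str],
                    package_blocklist: FrozenSet[str]) -> List[str]:
    """On-device checks: hash blocklist, package-name blocklist, permissions."""
    reasons = []
    if app.apk_sha256 in hash_blocklist:
        reasons.append("hash blocklist match")
    if app.package in package_blocklist:
        reasons.append("package-name blocklist match")
    risky = (app.requested | app.granted) & DANGEROUS_PERMISSIONS
    if risky:
        reasons.append("dangerous permissions: " + ", ".join(sorted(risky)))
    return reasons


Reputation = Callable[[str], str]   # sha256 -> "malware" | "benign" | "unknown"


def scan(apps: List[InstalledApp], mode: Mode, hash_blocklist: FrozenSet[str] = frozenset(),
         package_blocklist: FrozenSet[str] = frozenset(),
         reputation: Optional[Reputation] = None) -> List[Finding]:
    findings = []
    for app in apps:
        if not in_scope(app):
            continue
        local = offline_reasons(app, hash_blocklist, package_blocklist)
        if mode is Mode.OFFLINE:
            reasons = local
        else:
            verdict = reputation(app.apk_sha256)
            if verdict == "malware":
                reasons = ["App Reputation API: known malware"]
            elif mode is Mode.HIGH_SECURITY and verdict == "unknown":
                reasons = local   # zero-day path: unknown to the API, judged on-device
            else:
                reasons = []      # High-Confidence ignores local signals; API "benign" suppresses them
        if reasons:
            findings.append(Finding(app.package, reasons))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed inventory: package names and APK bytes are placeholders, not real apps.
H_KEYLOG, H_BAD, H_SMS = (sha256_hex(b"constructed-apk:" + n) for n in (b"keylogger", b"known-bad", b"legit-sms"))
SAMPLE_APPS = [
    InstalledApp("com.android.systemui", sha256_hex(b"sysui"), None, True, frozenset(), frozenset()),
    InstalledApp("com.example.playgame", sha256_hex(b"game"), "com.android.vending", False,
                 frozenset({"android.permission.READ_SMS"}), frozenset()),
    InstalledApp("com.example.sideload.keylogger", H_KEYLOG, None, False,
                 frozenset({"android.permission.BIND_ACCESSIBILITY_SERVICE", "android.permission.READ_SMS"}),
                 frozenset({"android.permission.BIND_ACCESSIBILITY_SERVICE"})),
    InstalledApp("com.example.known.bad", H_BAD, None, False, frozenset(), frozenset()),
    InstalledApp("com.example.legit.sms", H_SMS, None, False,
                 frozenset({"android.permission.READ_SMS"}), frozenset({"android.permission.READ_SMS"})),
]
HASH_BLOCKLIST = frozenset({H_BAD})
REPUTATION_DB: Dict[str, str] = {H_BAD: "malware", H_SMS: "benign"}   # anything else: unknown


def lookup_reputation(sha256: str) -> str:
    """Constructed stand-in for the App Reputation API."""
    return REPUTATION_DB.get(sha256, "unknown")


def run_demo(mode: Mode) -> List[Finding]:
    return scan(SAMPLE_APPS, mode, hash_blocklist=HASH_BLOCKLIST, reputation=lookup_reputation)


if __name__ == "__main__":
    for m in Mode:
        print(m.value, [(f.package, f.reasons) for f in run_demo(m)])
```

Running it shows the trade-off the page describes: Offline flags three apps (including the side-loaded but benign SMS app), High-Confidence flags only the API-known malware and misses the unknown keylogger, and High-Security flags the known malware plus the unknown over-privileged app while the API's "benign" verdict clears the SMS app.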

Details

This configuration combines the benefits of the App Reputation API and permission-based classification. It also protects against "Zero-Day" malware — if a brand-new, sideloaded, unknown app requires dangerous permission, the SDK will flag it.

Even with the risk of false positives being reduced by the App Reputation API, it's not eliminated entirely. Because of that, this option expects an additional layer of countermeasures (step-up authentication) or in-app interaction with the end user to confirm that the flagged application is benign. The list of suspicious applications returned by the Talsec SDK also contains a reasoning for better classification.


MalwareDetection is the more advanced premium commercial edition, while freeMalwareDetection is available as a free community alternative.

For pricing information and to request a demo, visit Talsec.
