
react-native-malwarelytics


Malwarelytics for React Native protects your banking or fintech app from a broad range of mobile security threats with an industry-leading mobile threat intelligence solution.

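//
// Copyright 2023 Wultra s.r.o.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions
// and limitations under the License.
//

/**
 * An APK with analyzed threats.
 *
 * NOTE(review): these are compile-time types only; nothing in this file
 * validates the values at runtime. Presumably the objects are produced by the
 * native SDK - confirm that every string field is guaranteed to stay inside
 * the unions declared below before branching on them.
 */
export interface ApkThreat {
    /**
     * Package name (application Id) of the app posing a threat to the current app.
     */
    readonly packageName: string;
    /**
     * Threat index of the apk. Result of the correct combination of evaluated and suggested threat indexes.
     */
    readonly threatIndex: ThreatIndex;
    /**
     * Evaluated threat index indicating severity of the threat.
     */
    readonly evaluatedThreatIndex: ThreatIndex;
    /**
     * Suggested threat index. If the value is `UNKNOWN` then there's no suggestion.
     */
    readonly suggestedThreatIndex: ThreatIndex;
    /**
     * Optional name of malware detection. This is not bound to the `threatIndex`; it can appear independently.
     */
    readonly malwareDetectionName?: string;
    /**
     * Set of recommended mitigations for handling the threat.
     */
    readonly mitigations: ThreatMitigation[];
    /**
     * Evaluated threat reasons marking what is dangerous about the app.
     */
    readonly reasons: ThreatReason[];
    /**
     * Store the app was installed from (for example Google Play).
     */
    readonly threatInstaller: ThreatInstaller;
    /**
     * Set of malware flags - malware types and malware families.
     */
    readonly flags: MalwareFlag[];
}

/**
 * A threat level that is posed by an app.
 *
 * MALWARE:
 * The found threats clearly indicate that the app is malware.
 *
 * HIGHLY_DANGEROUS:
 * The found threats indicate that the app is highly dangerous
 * to the current app.
 * It uses multiple potential attack vectors
 * including techniques directly targeting the current app.
 *
 * DANGEROUS:
 * The found threats indicate that the app is dangerous
 * to the current app.
 * It uses multiple potential attack vectors.
 * However, no technique directly targeting the current app was detected.
 *
 * POTENTIALLY_UNWANTED_APP:
 * The found threats indicate that the app might be potentially dangerous.
 * For example it declares potentially dangerous permissions.
 * However, it is quite possible that the app is legitimate.
 *
 * SAFE:
 * There are no found threats.
 *
 * UNKNOWN:
 * The threat is unknown.
 * The app was probably not found.
 * In case of suggestions, there's none.
 */
export type ThreatIndex =
    | "MALWARE"
    | "HIGHLY_DANGEROUS"
    | "DANGEROUS"
    | "POTENTIALLY_UNWANTED_APP"
    | "SAFE"
    | "UNKNOWN";

/**
 * Convert `ThreatIndex` type into a number for the evaluation. The higher numeric value means a higher danger.
 *
 * `UNKNOWN` maps to 0, which is below `SAFE` (1). A plain threshold comparison
 * on the result therefore ranks an app with no verdict as less dangerous than
 * a safe one; callers that must not treat "no verdict" as harmless should
 * check for `UNKNOWN` explicitly instead of relying on the number.
 *
 * @param threatIndex `ThreatIndex` to convert.
 * @returns Number representing how dangerous the application is, from 0 (`UNKNOWN`)
 * to 5 (`MALWARE`). A value outside the `ThreatIndex` union is ranked as `UNKNOWN` (0).
 */
export function threatIndexToNumber(threatIndex: ThreatIndex): number {
    switch (threatIndex) {
        case 'UNKNOWN': return 0;
        case 'SAFE': return 1;
        case 'POTENTIALLY_UNWANTED_APP': return 2;
        case 'DANGEROUS': return 3;
        case 'HIGHLY_DANGEROUS': return 4;
        case 'MALWARE': return 5;
        default:
            // The union is exhaustive for the compiler, but types are erased at
            // runtime. Without this branch an unexpected string would fall out of
            // the switch and yield `undefined`, which turns every numeric
            // comparison on the result into `false`/NaN. Rank it as UNKNOWN.
            return 0;
    }
}

/**
 * Installer app of an apk.
 *
 * STORE_GOOGLE_PLAY: The app was installed via Google Play
 * STORE_HUAWEI_APP_GALLERY: The app was installed via Huawei App Gallery
 * STORE_SAMSUNG_GALAXY_STORE: The app was installed via Samsung Galaxy Store
 * STORE_APTOIDE: The app was installed via Aptoide
 *
 * NOTE(review): the union has no member for an app installed from any other
 * source, yet `ApkThreat.threatInstaller` is not optional - confirm what value
 * is delivered in that case.
 */
export type ThreatInstaller =
    | "STORE_GOOGLE_PLAY"
    | "STORE_HUAWEI_APP_GALLERY"
    | "STORE_SAMSUNG_GALAXY_STORE"
    | "STORE_APTOIDE";

/**
 * Mitigation recommended for handling a threat (see `ApkThreat.mitigations`).
 */
export type ThreatMitigation =
    | "WARNING_SCREEN"
    | "NOTIFICATION"
    | "SHOW_WEB"
    | "KILL_APP"
    | "KILL_APP_SHOW_WEB";

/**
 * Evaluated flag for an apk threat.
 * The flag describes the risk the other app is posing.
 *
 * ACCESSIBILITY: Accessibility
 * SMS_ACCESS: Read sms, receive sms, notification listener
 * SCREEN_OVERRIDE: Task hijacking, screen overlay
 * INSTALLER: Can install apps
 * UNINSTALLER: Can uninstall apps
 * EVADER: Hides its internals/function
 * OUTSIDE_GOOGLE_PLAY: Not installed via Google Play
 * CALLER: Can play with your calls, e.g. it can set up call forwarding of your calls
 * PRELOADED_APP: The app is preloaded on the device
 * PRIVILEGED_APP: The app is privileged (system privileges)
 * DEVELOPMENT_OR_TEST: The app is debuggable
 */
export type ThreatReason =
    | "ACCESSIBILITY"
    | "SMS_ACCESS"
    | "SCREEN_OVERRIDE"
    | "INSTALLER"
    | "UNINSTALLER"
    | "EVADER"
    | "OUTSIDE_GOOGLE_PLAY"
    | "CALLER"
    | "PRELOADED_APP"
    | "PRIVILEGED_APP"
    | "DEVELOPMENT_OR_TEST";

/** Flag designating malware info. */
export interface MalwareFlag {
    /** Name of the flag. */
    readonly name: string;
    /** Whether the flag names a malware family or a malware type (or is unknown). */
    readonly type: MalwareFlagType;
}

/** Type of MalwareFlag. */
export enum MalwareFlagType {
    UNKNOWN = "UNKNOWN",
    MALWARE_FAMILY = "MALWARE_FAMILY",
    MALWARE_TYPE = "MALWARE_TYPE"
}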