Does app anomaly detection detect malicious urls

Since web protection feature in Android blocks known malicious urls in supported web browsers only, does Bitdefender in Android do anything about it if a non web browser app tries to access a malicious url internally? Does the app anomaly detection feature detect this and block the app?

Find more posts tagged with

Accepted answers

agozob

Hi! App Anomaly Detection does not monitor URLs accessed by apps internally. Doing so would only contribute to unnecessary battery drain. App Anomaly Detection will however detect an app if let's say it accesses a URL that leads to a phishing page which is then shown to the user to deceive them, or if it downloads some malicious payload. Generally, apps contacting malicious web domains will be detected by our APK scan engine at download/install time.

It's also worth noting that Bitdefender does not block or remove apps. It only alerts the users and prompts them to take action.

Do you have any specific example of such apps in mind?

agozob

@Flexx App Anomaly Detection has nothing to to with Web Protection. The feature indeed monitors app behavior and alerts the user if it identifies potential malicious activity. My previous comment described what was purely an example scenario it can detect. Apps can load web pages in WebView components (e.g. in overlays) and use them for phishing and such. In such cases, there's nothing Web Protection can do since the web page is not opened in a supported browser (nor is any URL visible on-screen). App Anomaly Detection is able to identify such attack attempts even if the URL of the web page was never seen before.

Regarding to my statement about the APK scan engine, I was referring to the fact that APKs identified as containing known malicious links (in their assets or code, i.e.) are detected accordingly.

Lastly, the C2 servers, more often than not, have absolutely nothing to do with the sites used to spread the APKs. Usually, legitimate sharing platforms are used for such purposes. On the other hand, we do indeed check for and blacklist C2 domains during analysis.

@Sohan just like Flexx mentioned before, current limitations of AI unfortunately make it so that the answers it provides are highly dependent on how you ask the questions. While the replies it provided for your questions are not fully explanatory or exact (and in this case I don't think they should be), I believe they are accurate enough.

All comments

agozob

It's also worth noting that Bitdefender does not block or remove apps. It only alerts the users and prompts them to take action.

Do you have any specific example of such apps in mind?

Sohan

Thanks a lot @agozob for the detailed and accurate info. Is there any way that would allow Bitdefender to take the appropriate actions as well in android? Or is it restricted by Android system natively?

agozob

Unfortunately, there's no way to do that nicely. Android does not provide any API that allows 3rd party apps (such as ours) to disable or uninstall other apps.

Sohan

@agozob oh ok. Then there's no choice I guess...also when I had asked the AI helper agent , it answered me differently to my question. Could you maybe pass on that the AI needs to be corrected?

Screenshot_2025-05-13-16-55-36-76_92460851df6f172a4592fca41cc2d2e6.jpg

Screenshot attached for reference

Flexx

https://community.bitdefender.com/en/discussion/comment/353507#Comment_353507

You will need to contact Bitdefender support for this, as they may ask for additional feedback related to your case—such as what you asked the AI, how you proceeded with your query, etc. Or, they may not ask anything at all. In any case, this issue will need to go through Bitdefender support.

Kindly contact Bitdefender support by visiting https://www.bitdefender.com/consumer/support/help/

Select, How to's & Troubleshooting Bitdefender products→Troubleshooting→I don't know→Contact Support→ You will get the option of chat, call or email.

To get immediate update, make use of the chat option. Bitdefender support may require logs and will assist you in generating them.

Also, ensure you do not have any ad-blocker or privacy-blocker extensions enabled, as they might prevent the chat window from appearing.

@agozob, I have some questions regarding the information you provided in your previous comments.

App Anomaly Detection will however detect an app if let's say it accesses a URL that leads to a phishing page which is then shown to the user to deceive them, or if it downloads some malicious payload.

This doesn't seem to be the primary function of App Anomaly Detection. App Anomaly Detection functions more like a behavior blocker, similar to those found in antimalware software, if I'm not mistaken. So, if according to you, App Anomaly Detection is blocking access to phishing or malicious pages, that would mean it's working in conjunction with Bitdefender Web Protection to detect apps connecting to phishing or malicious domains.

Generally, apps contacting malicious web domains will be detected by our APK scan engine at download/install time.

Are you referring to the Bitdefender Web Protection feature? Sometimes, what happens is that a malicious or phishing link—used to download a malicious app—may not be detected by Bitdefender Web Protection feature if it isn't yet included in their database. Additionally, if a malicious app is submitted to Bitdefender malware researchers without a source URL, or if the URL is no longer functional, it may not be analyzed in that context. However, the malicious app itself might still be detected by the Bitdefender app through its local or cloud-based scanning capabilities.

So the question arises: if Bitdefender malware researchers have the malicious app but no record of the URL it was downloaded from, can’t Bitdefender malware researchers analyze which C2 (Command and Control) server the app is connecting to, and block that server through Bitdefender Web Protection? This could be done at the same time Bitdefender malware researchers create the signatures for the malicious app.

Regards

Sohan

Thanks for your input and insightful question @Flexx . Lets wait for the reply. According to me Bitdefender in android actually should have mechanisms to detect if an app is trying to or is designed to access some malicious url/domain, as it simply proves that the app is malicious itself. The AI also mentioned that Bitdefender android is capable of detecting previously unknown malicious domains (ones that aren't yet listed in the blacklist database). I wonder if that's also true?

agozob

Regarding to my statement about the APK scan engine, I was referring to the fact that APKs identified as containing known malicious links (in their assets or code, i.e.) are detected accordingly.

Sohan

@agozob Thanks for the very nice explanation. I do one more question which wasn't that clear for me. Is the web protection feature also (like the app anomaly detection feature) capable of detecting previously unknown malicious urls (like using AI, heuristics etc) ?

Flexx

https://community.bitdefender.com/en/discussion/comment/353540#Comment_353540

Thank you for the information and the correction.

Regards

agozob

Is the web protection feature also (like the app anomaly detection feature) capable of detecting previously unknown malicious urls (like using AI, heuristics etc) ?

Yes, it is. There are quite a few technologies contributing to URL detections that we have setup in our cloud, it's not just a simple blacklist.

P.S: sorry for the late reply :)

Sohan

@agozob hey no issues. Thanks for reply.

Rollamite

Rather than start a fresh thread on this, assuming bitdefender detects something, I take it it would be a case of booting to safe to uninstall then rescan?

I've had app anomaly switched on all week and it's scanned 6 times but not alerted me to anything, is this a case of false positive and nothing to worry about?

agozob

Hehe, I see you did start a fresh thread after all @Rollamite :)

For anyone who stumbles across this thread, I provided an answer to this question here:

https://community.bitdefender.com/en/discussion/comment/353781#Comment_353781

Flexx

This post has been closed to further comments.

Regards