MalAware


What is MalAware?

The latest Psiphon Android update includes MalAware, an opt-in feature that allows users to be notified by Psiphon if their tunneled device attempts to communicate with IP addresses or domains documented to be involved with the distribution or function of malware.

How does Psiphon protect my device security?

Unfortunately, there are bad actors on the internet who have designed malicious applications and web services with intentions such as stealing user data, locking up your device and data, or using your device for other purposes without your consent.

Psiphon already protects your device from sending and receiving potentially malicious traffic. Once connected to the Psiphon network, your network traffic is tunneled through Psiphon servers. These servers have been configured to identify malicious IP addresses or domains documented to be involved with the distribution or function of malware, according to threat intelligence feeds updated daily.

When your traffic is tunneled, Psiphon servers are able to block these connections, and now with MalAware, Psiphon can notify you in real time if a malicious connection is attempted.

Diagram of the MalAware notification originating from the Psiphon servers when a Psiphon user encounters malware

If a device connected to Psiphon attempts contact with a known malware-associated IP address or domain, the user will receive a notification from our servers to the Psiphon app, indicating the detection of malware network activity, and the type of malware suspected.
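
The network-level check described above, sketched as an added example; this is not Psiphon's code. The feed entries are constructed (documentation IP ranges and reserved .example names), the function names and the alert field are hypothetical, and the type labels come from the table on this page. It shows that a listed destination is blocked whether or not the user opted in, while the alert is produced only on opt-in.

```python
import ipaddress

# Constructed feed (documentation IPs, .example names); labels from this page's table.
FEED = [
    ("203.0.113.0/24", "mirai"),
    ("198.51.100.7", "qakbot"),
    ("c2.badhost.example", "RedLineStealer C&C"),
    ("sink.example", "sinkhole"),
]

def build_index(feed):
    """Split feed entries into IP networks and domain names."""
    nets, domains = [], {}
    for indicator, malware_type in feed:
        try:
            nets.append((ipaddress.ip_network(indicator, strict=False), malware_type))
        except ValueError:  # not an IP or CIDR, so treat it as a domain
            domains[indicator.lower().rstrip(".")] = malware_type
    return nets, domains

def classify(dest, index):
    """Return the malware type for a destination host, or None if not listed."""
    nets, domains = index
    host = dest.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        for net, malware_type in nets:
            if addr.version == net.version and addr in net:
                return malware_type
        return None
    # Domain: match the name itself or any parent, on label boundaries only.
    labels = host.split(".")
    for i in range(len(labels)):
        hit = domains.get(".".join(labels[i:]))
        if hit:
            return hit
    return None

def handle_connection(dest, index, opted_in):
    """Listed destinations are always blocked; the alert is sent only on opt-in."""
    malware_type = classify(dest, index)
    if malware_type is None:
        return {"action": "allow", "alert": None}
    alert = {"detected_malware": malware_type} if opted_in else None
    return {"action": "block", "alert": alert}
INDEX = build_index(FEED)
```

Matching on label boundaries means update.sink.example is caught by the sink.example entry, while notsink.example is not.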

Important: Psiphon is not scanning your device for malicious applications, nor is Psiphon able to remove malicious applications.

We consider User Activity Data the most sensitive category of data.
For more information on what User Activity Data is retained by Psiphon, please refer to our Privacy Policy.

What does it mean if I get a MalAware alert?

If you receive an alert in the Psiphon Android app, traffic tunneled through the Psiphon servers contacted, or attempted to contact, IP address(es) and URLs associated with known malware.

The MalAware notification will display additional information under the “Detected Malware” section, indicating the type of malware connection that was detected. To find out more about the various types of malware that can be detected, see the table below.

| Malware Type | Description |
| --- | --- |
| RAT C&C (Async, Bit, DC, Orcus, etc.) | Command and Control (C&C) server, family of backdoors and Trojans, usually unknowingly downloaded (common ‘malspam’ ‘malvertisements’) |
| bedep | family of backdoors and Trojans, usually unknowingly downloaded (common ‘malspam’ ‘malvertisements’) |
| dircrypt | family of backdoors and Trojans, usually unknowingly downloaded (common ‘malspam’ ‘malvertisements’) |
| goz | zeus / ZBOT variant, downloads (malspam) |
| Gozi C&C | Spyware C&C server, usually unknowingly downloaded |
| kraken | ransomware, downloaded or engaged by another instance of malware |
| mirai | botnet commonly used for DDoS attacks from linux boxes |
| murofet | zeus variant (with dgs), downloads (malspam) |
| proslikefan | backdoor, commonly spreads through removable drives, downloads |
| qakbot | backdoor, commonly spreads through removable drives, downloads |
| ramnit | backdoor, commonly spreads through removable drives, downloads |
| RedLineStealer C&C | trojan spy C&C server. commonly spreads through malspam + downloads. |
| ServHelper | trojan spy C&C server. commonly spreads through malspam + downloads. |
| sinkhole | Historical C&C server. Should be treated as a potential or active threat. |
| sphinx | zeus variant, injects, keylogging, FTP grabber (common ‘malspam’ ‘malvertisements’) |
| vawtrak | networked backdoor (spam, info stealer), “crimeware as a service” |

What should I do if malware is detected?

If you happen to receive a MalAware alert, be very cautious. Use a third-party service to scan your device for malicious software before using it further.

There are many resources and applications available that contain additional information about prevention and mitigation of malware attacks. Security In A Box provides recommendations to protect your device from malware and what to do if malicious activity is detected.

How do I opt-in to MalAware?

After updating to the latest version of Psiphon Android, upon first launching the application you will be presented with the option to receive MalAware alerts. Select “Yes” to opt-in.

If for any reason you want to check whether you are opted in, or to disable alerts, you can find the MalAware setting by navigating to the “Options” tab under “More Options.”

How do I make the most of MalAware?

For the best performance of MalAware, use the “Tunnel all apps” option found in the Options tab under “VPN settings.” This ensures that the network activity for applications installed on your device will also be tunneled and subject to network-level malware detection.
