The latest Psiphon Android update includes MalAware, an opt-in feature that allows users to be notified by Psiphon if their tunneled device attempts to communicate with IP addresses or domains documented to be involved with the distribution or function of malware.
Unfortunately, there are bad actors on the internet who have designed malicious applications and web services with intentions such as stealing user data, locking up your device and data, or using your device for other purposes without your consent.
Psiphon already protects your device from sending and receiving potentially malicious traffic. Once connected to the Psiphon network, your network traffic is tunneled through Psiphon servers. These servers have been configured to identify malicious IP addresses or domains documented to be involved with the distribution or function of malware, according to threat intelligence feeds updated daily.
When your traffic is tunneled, Psiphon servers are able to block these connections, and now with MalAware, Psiphon can notify you in real time if a malicious connection is attempted.
If a device connected to Psiphon attempts contact with a known malware-associated IP address or domain, the user will receive a notification from our servers to the Psiphon app, indicating the detection of malware network activity, and the type of malware suspected.
Important: Psiphon is not scanning your device for malicious applications, nor is Psiphon able to remove malicious applications.
We consider User Activity Data the most sensitive category of data.
For more information on what User Activity Data is retained by Psiphon, please refer to our Privacy Policy.
If you receive an alert in the Psiphon Android app, traffic tunneled through the Psiphon servers contacted, or attempted to contact, IP address(es) and URLs associated with known malware.
The MalAware notification will display additional information under the “Detected Malware” section, indicating the type of malware connection that was detected. To find out more about the various types of malware that can be detected, see the table below.
Malware Type | Description |
---|---|
RAT C&C (Async, Bit, DC, Orcus, etc.) | Command and Control (C&C) server, family of backdoors and Trojans, usually unknowingly downloaded (common ‘malspam’ ‘malvertisements’) |
bedep | family of backdoors and Trojans, usually unknowingly downloaded (common ‘malspam’ ‘malvertisements’) |
dircrypt | family of backdoors and Trojans, usually unknowingly downloaded (common ‘malspam’ ‘malvertisements’) |
goz | zeus / ZBOT variant, downloads (malspam) |
Gozi C&C | Spyware C&C server, usually unknowingly downloaded |
kraken | ransomware, downloaded or engaged by another instance of malware |
mirai | botnet commonly used for DDoS attacks from linux boxes |
murofet | zeus variant (with dgs), downloads (malspam) |
proslikefan | backdoor, commonly spreads through removable drives, downloads |
qakbot | backdoor, commonly spreads through removable drives, downloads |
ramnit | backdoor, commonly spreads through removable drives, downloads |
RedLineStealer C&C | trojan spy C&C server. commonly spreads through malspam + downloads. |
ServHelper | trojan spy C&C server. commonly spreads through malspam + downloads. |
sinkhole | Historical C&C server. Should be treated as a potential or active threat. |
sphinx | zeus variant, injects, keylogging, FTP grabber (common ‘malspam’ ‘malvertisements’) |
vawtrak | networked backdoor (spam, info stealer), “crimeware as a service” |
If you happen to receive a MalAware alert, be very cautious. Use a third-party service to scan your device for malicious software before using it further.
There are many resources and applications available that contain additional information about prevention and mitigation of malware attacks. Security In A Box provides recommendations to protect your device from malware and what to do if malicious activity is detected.
After updating to the latest version of Psiphon Android, upon first launching the application you will be presented with the option to receive MalAware alerts. Select “Yes” to opt in.
If for any reason you want to check whether you are opted in or disable alerts, you can enable MalAware by navigating to the “Options” tab under “More Options.”
For the best performance of MalAware, use the "Tunnel all apps" option found in the Options tab under “VPN settings.” This ensures that the network activity for applications installed on your device will also be tunneled, and subject to network-level malware detection.