Mention the Blacklist source when Malware connection is detected and other disclosures

[kevin0t]

While using some of the apps i saw that malware detection service has detected some connections as malware and blocked it. These apps were mostly crypto related which i had downloaded through official sources and believe are much reputable.
Therefore the chances of these connections being actually malicious is low and probably a false positive.
But it would be better if the UI mentions the source database according to which it was flagged.

I know it is not too difficult to manually do a reverse-lookup all the current 5 databases and find which database flagged it but it would have been lot easier if pcapdroid tells it right in the UI itself, so that user can double verify themselves if the ip is false positive and if to rely on that source.

Also a note in the connection page where malware ip/domain is detected "Connection is flagged and blocked according to "xyz" source , users are advised to do their research and determine if the connection is really malicious or not"

maybe put a link to a section in docs explaining possible safeguards in such situation.
This note could be important as when a user sees such notification with the 💀 symbol , they might be confused and not really understand the risks of it ,why it happened and what can they can do about it.

[emanuele-f]

Which was the domain in your case?

[kevin0t]

The domain/ip in my case is 45.128.232.77 which the robosats app was connecting to
link to robosats github is https://github.com/RoboSats/robosats/
The app primarily connects through tor and has its own tor daemon running.
should i whitelist this connection ?

[emanuele-f]

This is a common problem when an IP address is reused (e.g. Tor, or even a VPS), such false positives are expected. You should use the whitelist for such situations, after investigation

[emanuele-f]

Specifying the matching blacklist is not efficient as it would either require multiple lookups or the addition of an integer, which may grow the memory usage of some MB (due to the blacklists cardinality), so I chose not to add this.

I've improve the user experience as follows:

• Changed the notification title to "Malware detection" and moved the details to the notification text, explaining what happened

• Upon notification click, show a dialog about possible false positives and hint about checking reputation

@kevin0t what do you think?

[kevin0t]

yeah this notification prompt looks much better and is informative. You can also add a link to malware detection section in the docs , so users can fully understand its implications without needing to explain everything in the app itself.