talsec · martinzigrai · May 7, 2026 · May 7, 2026 · May 7, 2026 · May 7, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,47 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.0.0] - 2026-05-15
+
+- Android SDK version: 18.3.0
+- iOS SDK version: 6.14.4
+
+### Breaking
+
+- `SuspiciousAppInfo.reason` (String) renamed to `reasons` (string[])
+- Value `"blacklist"` in `reasons` renamed to `"blocklist"`
+- Removed `TalsecMalwareConfig` and `TalsecAndroidConfig.malwareConfig`
+- `SuspiciousAppDetectionConfig.malwareScanScope` and `reasonMode` are now required
+
+### Capacitor
+
+#### Added
+
+- `SuspiciousAppDetectionConfig` for malware detection configuration
+
+#### Removed
+
+- `TalsecMalwareConfig` type and `TalsecAndroidConfig.malwareConfig` field
+
+### Android
+
+#### Added
+
+- New API class `SuspiciousAppDetectionConfig` that can be used to configure malware detection
+- New API for malware detection configuration in `TalsecConfig`, see `TalsecConfig.Builder#suspiciousAppDetection`
+
+#### Fixed
+
+- Fixed `VerifyError` caused by JaCoCo bytecode instrumentation
+- Fixed a potential cause of crash in the multi-instance detector
+- Fixed Java interoperability of `ScreenProtector` methods
+- Fixed Kotlin classpath conflicts in SDK dependency resolution (Kotlin 2.0.0)
+
+#### Changed
+
+- Fine-tuned location spoofing detection
+- Modified malware incident log structure for better aggregation
+
 ## [2.5.1] - 2026-03-24
 
 - Android SDK version: 18.0.4

diff --git a/android/build.gradle b/android/build.gradle
@@ -76,5 +76,5 @@ dependencies {
     androidTestImplementation "androidx.test.ext:junit:$androidxJunitVersion"
     androidTestImplementation "androidx.test.espresso:espresso-core:$androidxEspressoCoreVersion"
 
-    implementation 'com.aheaditec.talsec.security:TalsecSecurity-Community-Capacitor:18.0.4'
+    implementation 'com.aheaditec.talsec.security:TalsecSecurity-Community-Capacitor:18.3.0'
 }
diff --git a/android/src/main/java/com/aheaditec/freerasp/FreeraspPlugin.kt b/android/src/main/java/com/aheaditec/freerasp/FreeraspPlugin.kt
@@ -9,8 +9,8 @@ import com.aheaditec.freerasp.dispatchers.ExecutionStateDispatcher
 import com.aheaditec.freerasp.dispatchers.ThreatDispatcher
 import com.aheaditec.freerasp.utils.Utils
 import com.aheaditec.freerasp.utils.getArraySafe
-import com.aheaditec.freerasp.utils.getNestedArraySafe
 import com.aheaditec.freerasp.utils.toEncodedJSArray
+import com.aheaditec.freerasp.utils.toSuspiciousAppDetectionConfig
 import com.aheaditec.talsec_security.security.api.SuspiciousAppInfo
 import com.aheaditec.talsec_security.security.api.Talsec
 import com.aheaditec.talsec_security.security.api.TalsecConfig
@@ -315,13 +315,12 @@ class FreeraspPlugin : Plugin() {
             .prod(configJson.getBool("isProd") ?: true)
             .killOnBypass(configJson.getBool("killOnBypass") ?: false)
 
-        if (androidConfig.has("malwareConfig")) {
-            val malwareConfig = androidConfig.getJSONObject("malwareConfig")
-            talsecBuilder.whitelistedInstallationSources(malwareConfig.getArraySafe("whitelistedInstallationSources"))
-            talsecBuilder.blacklistedHashes(malwareConfig.getArraySafe("blacklistedHashes"))
-            talsecBuilder.blacklistedPackageNames(malwareConfig.getArraySafe("blacklistedPackageNames"))
-            talsecBuilder.suspiciousPermissions(malwareConfig.getNestedArraySafe("suspiciousPermissions"))
+        if (androidConfig.has("suspiciousAppDetectionConfig")) {
+            talsecBuilder.suspiciousAppDetection(
+                androidConfig.getJSONObject("suspiciousAppDetectionConfig").toSuspiciousAppDetectionConfig()
+            )
         }
+
         return talsecBuilder.build()
     }
 

diff --git a/android/src/main/java/com/aheaditec/freerasp/models/CapSuspiciousAppInfo.kt b/android/src/main/java/com/aheaditec/freerasp/models/CapSuspiciousAppInfo.kt
@@ -9,7 +9,7 @@ import kotlinx.serialization.Serializable
 @Serializable
 data class CapSuspiciousAppInfo(
     val packageInfo: CapPackageInfo,
-    val reason: String,
+    val reasons: Set<String>,
     val permissions: Set<String>?
 )
 

diff --git a/android/src/main/java/com/aheaditec/freerasp/utils/Extensions.kt b/android/src/main/java/com/aheaditec/freerasp/utils/Extensions.kt
@@ -6,6 +6,10 @@ import android.util.Base64
 import android.util.Log
 import com.aheaditec.freerasp.models.CapPackageInfo
 import com.aheaditec.freerasp.models.CapSuspiciousAppInfo
+import com.aheaditec.talsec_security.security.api.MalwareScanScope
+import com.aheaditec.talsec_security.security.api.ReasonMode
+import com.aheaditec.talsec_security.security.api.ScopeType
+import com.aheaditec.talsec_security.security.api.SuspiciousAppDetectionConfig
 import com.aheaditec.talsec_security.security.api.SuspiciousAppInfo
 import com.getcapacitor.JSArray
 import kotlinx.serialization.encodeToString
@@ -50,13 +54,33 @@ internal fun JSONObject.getNestedArraySafe(key: String): Array<Array<String>> {
     return outArray.toTypedArray()
 }
 
+internal fun JSONObject.toScanScope(): MalwareScanScope {
+    val scopeType = ScopeType.valueOf(getString("scopeType"))
+    val trustedInstallSources = optJSONArray("trustedInstallSources")
+        ?.toPrimitiveArray<String>()?.toList()
+    return MalwareScanScope(scopeType, trustedInstallSources)
+}
+
+internal fun JSONObject.toSuspiciousAppDetectionConfig(): SuspiciousAppDetectionConfig {
+    val scanScope = getJSONObject("scanScope").toScanScope()
+    val reasonMode = ReasonMode.valueOf(getString("reasonMode"))
+    return SuspiciousAppDetectionConfig(
+        getArraySafe("packageNames").toSet().takeIf { it.isNotEmpty() },
+        getArraySafe("hashes").toSet().takeIf { it.isNotEmpty() },
+        getNestedArraySafe("requestedPermissions").map { it.toSet() }.toSet().takeIf { it.isNotEmpty() },
+        getNestedArraySafe("grantedPermissions").map { it.toSet() }.toSet().takeIf { it.isNotEmpty() },
+        scanScope,
+        reasonMode,
+    )
+}
+
 /**
  * Converts the Talsec's SuspiciousAppInfo to Capacitor equivalent
  */
 internal fun SuspiciousAppInfo.toCapSuspiciousAppInfo(context: Context): CapSuspiciousAppInfo {
     return CapSuspiciousAppInfo(
         packageInfo = this.packageInfo.toCapPackageInfo(context),
-        reason = this.reason,
+        reasons = this.reasons,
         permissions = this.permissions
     )
 }

diff --git a/dist/esm/api/methods/capacitor.d.ts b/dist/esm/api/methods/capacitor.d.ts
@@ -1,4 +1,4 @@
-import type { TalsecConfig, ThreatEventActions, RaspExecutionStateEventActions } from '../../types/types';
+import type { RaspExecutionStateEventActions, TalsecConfig, ThreatEventActions } from '../../types/types';
 export declare const startFreeRASP: (config: TalsecConfig, actions: ThreatEventActions, raspExecutionStateActions?: RaspExecutionStateEventActions) => Promise<{
     started: boolean;
 }>;
diff --git a/dist/esm/api/methods/capacitor.js b/dist/esm/api/methods/capacitor.js
diff --git a/dist/esm/api/methods/capacitor.js.map b/dist/esm/api/methods/capacitor.js.map
diff --git a/dist/esm/types/types.d.ts b/dist/esm/types/types.d.ts
@@ -61,21 +61,29 @@ export type TalsecAndroidConfig = {
     packageName: string;
     certificateHashes: string[];
     supportedAlternativeStores?: string[];
-    malwareConfig?: TalsecMalwareConfig;
+    suspiciousAppDetectionConfig?: SuspiciousAppDetectionConfig;
 };
 export type TalsecIosConfig = {
     appBundleId: string;
     appTeamId: string;
 };
-export type TalsecMalwareConfig = {
-    blacklistedHashes?: string[];
-    blacklistedPackageNames?: string[];
-    suspiciousPermissions?: string[][];
-    whitelistedInstallationSources?: string[];
+export type ScopeType = 'SIDELOADED_ONLY' | 'SIDELOADED_AND_SYSTEM_EXCLUDE_OEM' | 'SIDELOADED_AND_OEM' | 'SIDELOADED_AND_SYSTEM_AND_OEM' | 'ALL';
+export type ReasonMode = 'ALL' | 'HIGHEST_CONFIDENCE';
+export type ScanScope = {
+    scopeType: ScopeType;
+    trustedInstallSources?: string[];
+};
+export type SuspiciousAppDetectionConfig = {
+    packageNames?: string[];
+    hashes?: string[];
+    requestedPermissions?: string[][];
+    grantedPermissions?: string[][];
+    scanScope: ScanScope;
+    reasonMode: ReasonMode;
 };
 export type SuspiciousAppInfo = {
     packageInfo: PackageInfo;
-    reason: string;
+    reasons: string[];
     permissions?: string[];
 };
 export type PackageInfo = {

diff --git a/dist/esm/types/types.js.map b/dist/esm/types/types.js.map
diff --git a/dist/esm/utils/config.d.ts b/dist/esm/utils/config.d.ts
@@ -0,0 +1,6 @@
+import type { ScanScope, ReasonMode, SuspiciousAppDetectionConfig, TalsecAndroidConfig, TalsecConfig } from '../types/types';
+export declare const DEFAULT_SCAN_SCOPE: ScanScope;
+export declare const DEFAULT_REASON_MODE: ReasonMode;
+export declare const withDetectionDefaults: (config: SuspiciousAppDetectionConfig) => SuspiciousAppDetectionConfig;
+export declare const normalizeAndroidConfig: (androidConfig: TalsecAndroidConfig) => TalsecAndroidConfig;
+export declare const withDefaults: (config: TalsecConfig) => TalsecConfig;
diff --git a/dist/esm/utils/config.js b/dist/esm/utils/config.js