Remote access detection with SEON's Device Intelligence SDKs

Remote Access Detection feature in SEON Device Intelligence solution is designed to identify remote access tools on devices. By monitoring the presence or usage of the most popular remote access softwares such as AnyDesk, TeamViewer, or Supremo, this feature plays a critical role in maintaining secure environments, protecting data, and ensuring compliance. Remote access software, while valuable for legitimate uses, is increasingly leveraged in cyber attacks, making detection and response essential to protect sensitive systems like banking and iGaming platforms.
 

This documentation provides a detailed guide on setting up and managing remote access detection within SEON SDK, practical scenarios for its use, and technical instructions for integration and customization. By leveraging SEON SDK’s capabilities, organizations can maintain a secure environment, mitigate unauthorized access, and meet compliance requirements effectively.

SEON SDK enables real-time detection of unauthorized remote access on platforms such as Windows, macOS, iOS, Android and browsers and apps with Device Intelligence SDKs.

• iOS & Android SDKs: Detect screen sharing and remote control activities, as well as active sessions of tools like AnyDesk and TeamViewer.
• JS SDK: Monitors for suspicious activities such as screen sharing via user behavior monitoring and interactions and identifying network signals for remote sessions.

Built on complex detection methods:

• Process Monitoring: Tracks device in real-time to detect remote access tools.
• Network Traffic Analysis: Analyse patterns in network traffic to detect signs of remote access software, including specific ports and protocols often used by these tools.
• Behaviour  Monitoring: Analyse user interactions with devices to detect remote control
  • Typing behaviour signals
  • Cursor movement
  • Touch interactions
     

The SEON SDK is engineered for detecting most common remote access tools, providing multiple accuracy levels through detailed flags. This enables clear risk differentiation, allowing teams to promptly act on high-confidence detections.

Browsers on desktop and mobile devices

In the JS SDK response the risk of RAT tools are flagged as suspicious activity under the suspicious_flag field. 

• potential_remote_interaction - Remote access detection based on user interactions behavioural signals with high accuracy in a web browser environment but relying on integration specifications and the amount of behavioural data collected.
• potential_screen_sharing - Network analysis provides medium accuracy detection. While IP addresses may be shared between devices, meeting the conditions for remote access does not always indicate an active session.
• potential_remote_control - A combined flag leveraging network analysis and behavioral signals enables the detection of active remote control sessions with high precision.

Native Applications

The SEON SDK excels in detecting screen sharing, remote control activities, and active sessions of tools like AnyDesk and TeamViewer. By monitoring device processes in real time, it promptly identifies unauthorized remote access tools to maintain security.

• Android: The response includes the is_remote_control_connected and is_screen_being_mirrored fields, providing clear indicators of remote control or screen mirroring activity.
• iOS: While full remote control (like on Android) isn’t natively supported due to Apple's privacy and security policies, if the response contains the is_screen_captured field, it signals that the screen is being actively captured.

Setup and Configuration:

• Compatibility: Verify that your SDK version meets the minimum requirements for remote access features.
  • JS SDK 6.0.0+
  • Android SDK 6.0.1+
  • iOS SDK 5.0.0+
• Integration: Enable Behavior Biometrics Data Collection within the SEON SDK settings to ensure seamless integration and accurate functionality throughout the user flow.
• Rule Configuration: Customize rules in the Scoring Engine to adjust scoring to take action on detected remote access. These rules can prioritize high-risk activities for specific user actions like login and deposit.

SEON SDK provides customizable rules to accurately assess remote access risks, enabling teams to act decisively based on detection confidence levels.

Rules for Web Applications:

• High-Risk Rule: Trigger when the suspicious_flags contains  potential_remote_control, combining behavioral signals and network analysis for precise detection of active remote control sessions.
• Medium-Risk Rule: Activate when the suspicious_flags contains potential_remote_interaction flag, based on behavioral signal analysis, which offers high accuracy when integration and data collection are optimized.
• Low-Risk Rule: Initiate when suspicious_flags contains potential_screen_sharing flag, relying on network analysis to identify potential screen sharing activities with medium accuracy.

Rules for Native Applications:

• High-Risk rule: Flagged when is_remote_control_connected (Android) equals true, ensuring detection of unauthorized remote control activity. In this case the remote_control_provider should identify the recognized remote software.
• Medium-Risk Rule: Triggered when is_screen_captured (iOS) or is_screen_being_mirrored (Android) equals true. 
  On Android, rules can be created based on behavior-based suspicious signals such as possible_vishing and possible_ongoing_call to protect against voice phishing scams.
• Low-Risk rule: On Android it is possible to identify potential remote tool existence on devices with the interfering_apps feature.

By leveraging these tailored rules, SEON SDK enables robust and adaptable detection across platforms, helping organizations maintain secure environments with granular risk management.

For assistance with SEON SDK setup or troubleshooting with Remote Access Detection, contact our support team: support@example.com