Overview
CS Security is an Android antivirus and behavioural scanner that combines trusted open source intelligence with custom proprietary systems. By default, all scanning is performed on your device, and no files are uploaded. Cloud assisted scanning is optional and only activates when you enable it.
Our encrypted VXPack includes local signature databases derived from ClamAV’s virus definitions along with the CS Security AV Database. This provides strong hybrid detection while maintaining user privacy.
Core Design
- Privacy First, all scanning is on device unless you enable cloud assisted mode.
- Hybrid Intelligence, combining ClamAV signatures with CS heuristics and local machine learning.
- Lightweight Performance, powered by a native Rust engine.
- Transparency, open technical documentation for research and inspection.
ClamAV Integration
CS Security integrates ClamAV definitions as part of its VXPack. These definitions provide thousands of verified threat signatures that assist in local analysis without requiring internet access.
How It’s Used
- CS Security periodically updates and repackages ClamAV signatures into its VXPack format.
- Definitions are encrypted locally and verified before loading.
- During scans, CS Security checks byte patterns and both SHA256 and MD5 hashes against ClamAV and CS signature lists.
Open Collaboration
For transparency, we maintain our public AV Database containing definitions and release data. Developers and security researchers can explore ClamAV documentation for deeper understanding of its structure and detection logic.
How It Works
The CS Security engine processes files through several controlled steps. This section explains the general workflow used by the scanner.
1. Engine Initialization
- The encrypted VXPack is loaded and decrypted locally.
- Signature tables, hash maps, and machine learning models are prepared in memory.
- The engine uses minimal resources to remain responsive during scanning.
2. Scan Modes
- Smart Scan, balanced speed and accuracy for common directories.
- Rapid Scan, a fast surface level scan.
- Single File Scan, manual inspection for any file or APK.
3. Detection Layers
- Signature Layer, byte pattern checks using ClamAV and CS definitions.
- Hash Layer, comparing both SHA256 and MD5 fingerprints against known malware lists.
- Heuristic Layer, machine learning based behaviour analysis for APKs.
After completing all layers, the app provides a clear verdict such as Clean, Suspicious, or Malicious.
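The signature and hash layers above, and the matching step described under ClamAV Integration, as an added example (not CS Security's engine code or its VXPack format): it parses ClamAV's plain-text hash-signature and body-signature layouts and matches a buffer against them. The sample bytes, detection names and function names are constructed for illustration, and only the byte, `??` and `*` parts of the hex-signature syntax are handled.

```python
import hashlib
import re

# Constructed, inert sample bytes; the definitions below are built from them.
SAMPLE = b"xxMARK1-inert constructed bytesENDxx"
HASH_DEFS = [  # ClamAV hash-signature layout: HashString:FileSize:MalwareName
    f"{hashlib.md5(SAMPLE).hexdigest()}:{len(SAMPLE)}:Test.Constructed.MD5",
    f"{hashlib.sha256(SAMPLE).hexdigest()}:*:Test.Constructed.SHA256",
]
# ClamAV body-signature layout: MalwareName:TargetType:Offset:HexSignature
BODY_DEFS = ["Test.Constructed.Body:0:*:4d41524b??2d*454e44"]  # MARK?-...END

def parse_hash_defs(lines):
    """Map (algorithm, digest) -> (size, or None for '*', detection name)."""
    table = {}
    for line in lines:
        digest, size, name = line.strip().split(":")[:3]
        algo = {32: "md5", 64: "sha256"}.get(len(digest))
        if algo:  # other digest lengths (e.g. SHA1) are skipped in this example
            table[(algo, digest.lower())] = (None if size == "*" else int(size), name)
    return table

def compile_body_sig(line):
    """Translate the supported hex-signature subset into a bytes regex."""
    name, _target, offset, hexsig = line.strip().split(":")[:4]
    tokens = re.findall(r"\?\?|\*|[0-9a-fA-F]{2}", hexsig)
    if offset != "*" or "".join(tokens) != hexsig:
        raise ValueError(f"unsupported signature syntax in {name}")
    parts = [b"." if t == "??" else b".*?" if t == "*" else re.escape(bytes.fromhex(t))
             for t in tokens]
    return name, re.compile(b"".join(parts), re.DOTALL)

def scan_layers(data, hash_table, body_sigs):
    """Run the signature layer, then the hash layer; return all detection names."""
    hits = [name for name, rx in body_sigs if rx.search(data)]
    for algo in ("sha256", "md5"):
        entry = hash_table.get((algo, hashlib.new(algo, data).hexdigest()))
        if entry and entry[0] in (None, len(data)):  # size must agree unless '*'
            hits.append(entry[1])
    return hits  # an empty list means the heuristic layer still has to decide

if __name__ == "__main__":
    table, sigs = parse_hash_defs(HASH_DEFS), [compile_body_sig(s) for s in BODY_DEFS]
    print(scan_layers(SAMPLE, table, sigs), scan_layers(SAMPLE + b"!", table, sigs))
```

Appending one byte to the sample changes both digests, so only the body signature still matches.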
The Cloud
Cloud assisted scanning is an optional feature. When enabled, the scanner switches from offline only analysis to a combined offline and cloud assisted workflow.
How Cloud Assisted Scanning Works
When you enable the cloud assisted option, CS Security calculates the SHA256 and MD5 hashes of each file you scan. Only these two fingerprints are sent to the cloud server. No file content or personal data is uploaded.
What A Hash Is
A hash is a mathematical fingerprint of a file's contents. Processing a file through a hashing algorithm yields a fixed-length value that is, for practical purposes, unique to that content: the same bytes always produce the same hash, and even a small change inside the file results in a completely different hash. This allows security systems to identify known malware quickly without transmitting the file itself.
Server Comparison
The cloud server compares the SHA256 and MD5 hashes against millions of known malware fingerprints stored in a secure database. If the server recognises the hash as malware, it sends a positive match back to the app. CS Security then immediately flags the file as malicious.
If the server does not recognise the hash, the result simply means unknown, not clean. These files are then routed to the local offline engine, which performs full checks using signatures, heuristics, and machine learning.
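The cloud assisted flow described above, as an added example that is not CS Security's client or server code: it shows what leaves the device and why an unrecognised hash falls through to local scanning. The request layout, the simulated server, the stand-in local engine and the treatment of a network error as "unknown" are assumptions made for illustration.

```python
import hashlib
import json

def build_cloud_request(data: bytes) -> bytes:
    """Serialise the only two values that leave the device: the hex digests."""
    return json.dumps({
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }).encode()

def simulated_server(request: bytes, known_bad: set) -> str:
    """Stand-in for the cloud service: it sees digests only, never file bytes."""
    req = json.loads(request)
    return "match" if {req["sha256"], req["md5"]} & known_bad else "unknown"

def simulated_local_engine(data: bytes) -> str:
    """Stand-in for the offline layers (constructed rule, not a real signature)."""
    return "Malicious" if b"CONSTRUCTED-MARKER" in data else "Clean"

def cloud_assisted_scan(data, local_engine, cloud=None):
    """cloud is None when the feature is off, else a callable taking the request."""
    if cloud is not None:
        try:
            if cloud(build_cloud_request(data)) == "match":
                return "Malicious", "cloud"
        except OSError:
            pass  # assumption: an unreachable server is handled like "unknown"
    # "unknown" is not "Clean": the local engine always makes the final call.
    return local_engine(data), "local"

if __name__ == "__main__":
    known = b"constructed sample already known to the server"
    db = {hashlib.sha256(known).hexdigest()}
    cloud = lambda req: simulated_server(req, db)
    for sample in (known, b"new file CONSTRUCTED-MARKER", b"plain text"):
        print(cloud_assisted_scan(sample, simulated_local_engine, cloud))
```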
Privacy & Safety
CS Security does not upload files during scanning. Only SHA256 and MD5 hashes are used in cloud assisted mode, and this occurs only if you enable the feature. Without cloud assisted mode enabled, the scanner remains fully offline.
- No analytics or tracking libraries.
- All definition updates verified with checksums before use.
- Only structural metadata is read during scanning.
This ensures that your device remains private while retaining strong protection.
Machine Learning
CS Security includes an offline behavioural model that analyses APKs using statistical patterns taken from known benign and malicious samples. It examines permission structures, internal components, and declared behaviours to estimate risk levels.
- Trained using diverse APK datasets.
- No user data or telemetry is used by the model.
- Runs entirely on device with no remote processing.
This helps detect new or modified threats that do not match known signatures.
Limitations
No security product can identify every threat. CS Security is designed to be lightweight and practical while still providing strong coverage through its layers.
- Self modifying or encrypted payloads can bypass detection.
- Firmware or kernel level threats fall outside the scope of app based scanners.
- False positives may occur with heavily obfuscated software.
Best Practices
- Keep your VXPack definitions updated.
- Use Smart Scan regularly and Rapid Scan for quick checks.
- Install apps from trusted sources whenever possible.
CS Security uses a hybrid approach combining ClamAV definitions and proprietary detection layers to offer strong protection while respecting user privacy.