Use the Cortex XDR Agent App for Android - Learn about using Cortex XDR agent app for Android after you have installed it. - Administrator Guide - 9.0 - 9.1 - Cortex XDR Agent - Cortex XDR - Advanced Endpoint Protection - Cortex - Security Operations

Cortex XDR App for Android Administrator Guide
Product
Cortex XDR Agent
Cortex XDR
Version
9.1
Creation date
2025-12-29
Last date published
2026-03-08
Category
Administrator Guide
Abstract

Learn about using Cortex XDR agent app for Android after you have installed it.

The Cortex XDR agent app for Android offers these features:

  • Scan apps, view scan history and scan results

  • View app protection status

  • Take action on malware, blocked apps, and unknown files

  • Analyze URLs

The following table explains how to use these features:

Feature

How to use it

More details

View latest events

Menu icon+Home

The Cortex XDR home page displays the latest events. To view more details about an event, tap it.

Scan installed apps

Menu icon+Scan, and then tap Scan Now

Cortex XDR scans all apps and requests verdicts for the apps.

After you install Cortex XDR for Android, scan all apps installed on the Android device. For each app Cortex XDR detects, it generates a hash for the file and requests the file verdict from Cortex XDR. If necessary, Cortex XDR queries WildFire for the verdict.

After the initial scan, Cortex XDR inspects apps immediately as they are installed, and as automated or manual scans occur. At regular intervals, Cortex XDR also rechecks all verdicts with WildFire. For unknown apps, Cortex XDR sends the unknown file to Cortex XDR for in-depth analysis.

View scan history

Menu icon+Scan, and then tap Scan history

Cortex XDR displays a history of scans, which includes the date and time the scan ran, and the number of apps identified as malware (red) or as benign (green).

Optionally, to see more details about a scan, tap the desired row in the scan history.

View scan results and protection status

Menu icon+Scan Results 

  • View a complete list of installed apps and their statuses:

    In the Related Apps area, tap All.

    By default, the Cortex XDR page orders the apps by the most recent installation date.

  • Filter apps:

    In the Related Apps area, tap the desired category (Malware, Allowed, or Pending).

  • View more details about an app:

    In the Related Apps area, scroll to the desired app and tap it.

The scan results page displays the status of anti-malware protection, a numerical summary, and a list of the apps installed on the Android endpoint. Cortex XDR automatically refreshes the summary when it discovers new apps and receives updated or changed verdicts.

The following categories are used to classify apps:

  • Malware: Cortex XDR blocks an app if the app has a Malware verdict as determined by WildFire, is blocked by a hash exception policy, or is unknown. To block unknown apps, the administrator must enable Cortex XDR to Block files with unknown verdict in the Malware Security Profile for Android endpoints. When Cortex XDR blocks an app due to a hash exception policy, Cortex XDR shows the app with a Block status.

  • Allowed: Cortex XDR allows an app to run if the app has a Benign verdict as determined by WildFire, or is signed by a trusted signer. The administrator can add signers to the allow list as part of the Malware Security Profile for Android endpoints.

  • Pending: A pending app is an app that has not yet received an official WildFire verdict. Unknown apps are allowed to run only when this feature is enabled in the Cortex XDR policy.

Take action on malware, blocked apps, and unknown files

If Cortex XDR identifies a malicious or suspicious (unknown) app, Cortex XDR prompts you with the following actions:

  • Stop: Opens the corresponding settings page of that app, where you can stop the app.

  • Uninstall: Remove the malware from the Android device. From the scan results page, go to Related Apps+Malware, and then tap the trash can icon for the app that you want to remove.

When you attempt to run a malicious app, a blocked app (as defined by a hash exception policy), or an unknown app, Cortex XDR automatically blocks the app from running according to your organization's policy. The administrator can configure Cortex XDR to treat grayware in the same way as it treats malware.

Analyze URLs

For text that includes links to URLs, select the text and share it using Android's Share option, and then share it with Cortex XDR.

Use the Cortex XDR app to check URLs for safety before you use or share them.

Cortex XDR will analyze the URL that you shared with it, and will then display the verdict, along with additional related information, depending on the verdict, such as Risk Level and Category.