Android is the most widely used mobile operating system in the world, which also makes it a popular target for malicious actors. To better understand Android threats, Google classifies harmful and unwanted apps into different categories. In this blog, we’ll break down these categories, explain how they work, and look at how such apps are distributed.

What is a PHA (Potentially Harmful Application)?
A Potentially Harmful Application (PHA) is Google’s term for apps that can cause harm to users, their devices, or their data. While PHAs are similar to what the security industry traditionally calls malware, the definition is slightly broader and more platform-specific.
These apps may:
Steal or misuse user data
Damage or interfere with device functionality
Perform actions without user knowledge or consent
A common example of a PHA is a root application that attempts to gain unauthorized control over the device.
PHA (Potentially Harmful Application)
- Roughly, but not quite, equivalent to what the industry considers malware
- Apps that can harm users, their devices, or their data
- Example: a rooting application
MUWS (Mobile Unwanted Software)
- Roughly equivalent to annoying behaviors
- Think of apps that make the device less pleasant to use
- Examples: advertising spam, or software that collects non-sensitive data (such as apps that use the MAC address to identify unique users)
Policy Violations
- Anything else that Google does not want on Google Play
- Porn, gambling, violence, copyright infringement, legal restrictions, …
PHA Categories
Backdoor
Code that allows the execution of unwanted, potentially harmful, remote-controlled operations on a device.
Billing Fraud
Code that automatically charges the user in an intentionally deceptive way.
Mobile billing fraud is divided into SMS fraud, call fraud, and toll fraud.
Call fraud is malware placing calls to a premium-rate number. This no longer exists on Android.
SMS fraud is the same idea applied to premium SMS. These days it is very hard to carry out because of new protections in the platform.
Toll payment is a feature supported in some countries that lets a purchase be charged to the phone bill. Toll fraud is the abuse of this feature.
Commercial Spyware
Code that transmits personal information off the device without adequate notice or consent and doesn't display a persistent notification that this is happening.
Denial of Service (DoS)
Code that, without the knowledge of the user, executes a denial-of-service (DoS) attack or is part of a distributed DoS attack against other systems and resources.
Hostile downloaders
Code that isn’t in itself potentially harmful, but downloads other PHAs.
Non-Android threat
Code that contains non-Android threats.
Phishing
Code that pretends to come from a trustworthy source, requests a user's authentication credentials, and sends the data to a third party.
Elevated Privilege Abuse
Code that compromises the integrity of the system by breaking the app sandbox, gaining elevated privileges, or changing or disabling access to core security-related functions. This is very hard these days because platform security has improved a great deal.
Ransomware
Code that takes partial or extensive control of a device or data on a device and demands that the user make a payment or perform an action to release control.
Note:
<aside>
💡 On Android an attacker can't perform lateral movement, so ransomware cannot spread across a network. For this reason, ransomware is very rare on Android.
</aside>
Rooting
Code that roots the device. This kind of attack is very rare these days.
Spam
Code that sends unsolicited messages to the user’s contacts or uses the device as an email spam relay.
Spyware
Code that transmits personal data off the device without adequate notice or consent.
Trojan
Code that appears to be benign, such as a game that claims only to be a game, but that performs undesirable actions against the user.
Three ways to distribute PHAs
Google Play
- Default store in most countries, provides easy access to billions of devices
- At risk of being detected by Google Play Protect
Third-Party Markets & Websites
- Provide access to fewer devices than Google Play
- Less likely to be noticed by Google Play Protect
Preinstalled
- Requires supply chain compromise of some sort
- Elevated privileges make PHA powerful and resistant to removal
- Can compromise hundreds of thousands or even millions of devices
<aside>
When APKs are uploaded to the Google Play Store, they are immediately scanned by Google Play Protect. If they are flagged as malware, they are fed into Google Play Protect's machine-learning algorithm.
</aside>