Potentially Harmful Application (PHA) Categories

There are currently 14 distinct categories of Potentially Harmful Applications (PHAs). We use these categories to define the different types of harmful apps and how we treat them.

Classifications

Backdoor

An app that allows the execution of unwanted, potentially harmful, remote-controlled operations on a device.

These operations may include behavior that would place the app into one of the other PHA categories if executed automatically. In general, backdoor is more a description of how a potentially harmful operation can occur on a device and is therefore not completely aligned with categories like billing fraud or commercial spyware.

When Google Play Protect detects a backdoor, the following warning is shown to users: "This app can allow unauthorized access to your data or device."

Billing fraud

An app that automatically charges the user in an intentionally deceptive way.

Mobile billing fraud is divided into SMS fraud, Call fraud, and Toll fraud.

SMS fraud

An app that charges users to send premium SMS without consent, or tries to disguise its SMS activities by hiding disclosure agreements or SMS messages from the mobile operator notifying the user of charges or confirming subscriptions.

Some apps, even though they technically disclose SMS sending behavior, introduce additional behavior that accommodates SMS fraud. Examples include hiding parts of a disclosure agreement from the user, making them unreadable, and conditionally suppressing SMS messages from the mobile operator informing the user of charges or confirming a subscription.

When Google Play Protect detects SMS fraud, the following warning is shown to users: "This app can add unauthorized charges to your mobile bill by sending costly SMS messages or registering for recurring charges."

Call fraud

An app that charges users by making calls to premium numbers without user consent.

When Google Play Protect detects call fraud, the following warning is shown to users: "This app can add unauthorized charges to your mobile bill by making unauthorized calls."

Toll fraud

An app that tricks users into subscribing to or purchasing content via their mobile phone bill.

Toll fraud includes any type of billing except premium SMS and premium calls. Examples include direct carrier billing, wireless access point (WAP) billing, and mobile airtime transfer. WAP fraud is one of the most prevalent types of toll fraud. It can involve tricking users into clicking a button on a silently loaded, transparent WebView. Once the click is performed, a recurring subscription is initiated, and the confirmation SMS or email is often hijacked so that the user doesn't notice the financial transaction.

When Google Play Protect detects toll fraud, the following warning is shown to users: "This app can add unauthorized charges to your mobile bill by registering for recurring charges."

Commercial spyware

A commercial app that transmits personal information off the device without adequate notice or consent and doesn't display a persistent notification that this is happening.

Commercial spyware apps transmit data to a party other than the PHA provider. Legitimate forms of these apps can be used by parents to track their children. However, these apps can be used to track a person (a spouse, for example) without their knowledge or permission if a persistent notification is not displayed while the data is being transmitted.

When Google Play Protect detects commercial spyware, the following warning is shown to users: "This app can spy on you by monitoring your location or your activity on this device."

Denial of service (DoS)

An app that, without the knowledge of the user, executes a denial-of-service (DoS) attack or is a part of a distributed DoS attack against other systems and resources.

For example, this can happen by sending a high volume of HTTP requests to produce excessive load on remote servers.

When Google Play Protect detects a DoS app, the following warning is shown to users: "This app tries to attack other mobile and computer systems."

Hostile downloaders

An app that isn't in itself potentially harmful, but downloads other PHAs.

An app may be a hostile downloader if:

  • There is reasonable cause to assume that the app was created to spread PHAs and the app has downloaded PHAs or contains code that could download and install apps; or
  • At least 5% of apps downloaded by the app are PHAs with a minimum threshold of 500 observed app downloads (25 observed PHA downloads).

Major browsers and file-sharing apps aren't considered hostile downloaders as long as:

  • They don't drive downloads without user interaction; and
  • All PHA downloads are initiated by consenting users.

When Google Play Protect detects a hostile downloader, the following warning is shown to users: "This app can install potentially harmful apps without your permission."
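The two criteria above, plus the browser and file-sharing exemption, form a small decision rule. The following is an added illustration of that rule written for this page; it is not Google Play Protect's code, and the `AppProfile` fields, the sample profiles and the helper names are assumptions made for the example. The ratio check uses integer arithmetic so that the exact 5% boundary (25 PHA downloads out of 500) is handled without floating-point rounding.

```python
"""Hostile-downloader decision rule, added here to illustrate the criteria on
this page. Not Google Play Protect's own implementation."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Thresholds exactly as stated on the page.
PHA_RATIO_NUMERATOR, PHA_RATIO_DENOMINATOR = 5, 100   # "at least 5%"
MIN_OBSERVED_DOWNLOADS = 500                          # minimum sample size
MIN_OBSERVED_PHA_DOWNLOADS = 25                       # 5% of the minimum sample


@dataclass(frozen=True)
class AppProfile:
    """Observations about one app. Field names are assumptions for this example."""
    name: str
    observed_downloads: int            # apps this app has been seen downloading
    observed_pha_downloads: int        # how many of those downloads were PHAs
    created_to_spread_phas: bool       # analyst judgement: reasonable cause to assume so
    can_download_and_install: bool     # contains code that downloads and installs apps
    is_browser_or_file_sharing: bool   # major browser or file-sharing app
    drives_downloads_without_user: bool    # starts downloads with no user interaction
    all_pha_downloads_user_initiated: bool  # every PHA download was user-initiated


def exceeds_pha_download_threshold(downloads: int, pha_downloads: int) -> bool:
    """Second criterion: at least 5% of downloaded apps are PHAs, but only once
    the minimum sample (500 downloads, 25 PHA downloads) has been observed."""
    if downloads < MIN_OBSERVED_DOWNLOADS or pha_downloads < MIN_OBSERVED_PHA_DOWNLOADS:
        return False
    # pha / downloads >= 5/100, rearranged to avoid float rounding.
    return pha_downloads * PHA_RATIO_DENOMINATOR >= downloads * PHA_RATIO_NUMERATOR


def classify_hostile_downloader(app: AppProfile) -> Tuple[bool, str]:
    """Return (is_hostile_downloader, reason) following the page's two criteria
    and the browser/file-sharing exemption."""
    # Exemption applies only while BOTH conditions hold; a browser that drives
    # downloads without user interaction is judged under the normal rules.
    if (app.is_browser_or_file_sharing
            and not app.drives_downloads_without_user
            and app.all_pha_downloads_user_initiated):
        return False, "exempt: browser/file-sharing app, all PHA downloads user-initiated"

    # Criterion 1: intent, combined with observed PHA downloads or install capability.
    if app.created_to_spread_phas and (
            app.observed_pha_downloads > 0 or app.can_download_and_install):
        return True, "created to spread PHAs and has downloaded PHAs or can install apps"

    # Criterion 2: statistical threshold over observed downloads.
    if exceeds_pha_download_threshold(app.observed_downloads, app.observed_pha_downloads):
        return True, "at least 5% of observed downloads are PHAs (minimum sample met)"

    return False, "no hostile-downloader criterion met"


# Constructed sample profiles for the example; none of these are real apps.
SAMPLES = [
    AppProfile("dropper_a", 40, 3, True, True, False, False, False),
    AppProfile("bundle_b", 10_000, 600, False, True, False, False, False),
    AppProfile("mainstream_browser", 50_000, 800, False, True, True, False, True),
    AppProfile("rogue_browser", 50_000, 3_000, False, True, True, True, False),
    AppProfile("small_app", 300, 100, False, True, False, False, False),
]


def classify_samples() -> Dict[str, bool]:
    """Run the rule over the constructed samples; returns name -> verdict."""
    return {app.name: classify_hostile_downloader(app)[0] for app in SAMPLES}


if __name__ == "__main__":
    for app in SAMPLES:
        verdict, reason = classify_hostile_downloader(app)
        print(f"{app.name:20s} hostile={verdict!s:5s} {reason}")
```

Note that `small_app` has a PHA share of over 30% yet is not flagged: the page's rule requires the minimum sample of 500 observed downloads before the percentage counts, which keeps a handful of early observations from producing a verdict.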

Non-Android threat

An app that contains non-Android threats.

These apps can't cause harm to the Android user or device, but contain components that are potentially harmful to other platforms.

When Google Play Protect detects a non-Android threat, the following warning is shown to users: "This app can harm non-Android devices."

Phishing

An app that pretends to come from a trustworthy source, requests a user's authentication credentials or billing information, and sends the data to a third-party. This category also applies to apps that intercept the transmission of user credentials in transit.

Common targets of phishing include banking credentials, credit card numbers, and online account credentials for social networks and games.

When Google Play Protect detects a phishing app, the following warning is shown to users: "This app is fake. It can steal your personal data, such as banking info and passwords."

Privilege escalation

An app that compromises the integrity of the system by breaking the app sandbox, gaining elevated privileges, or changing or disabling access to core security-related functions.

Examples include:

  • An app that violates the Android permissions model, or steals credentials (such as OAuth tokens) from other apps.
  • An app that prevents its own removal by abusing device administrator APIs.
  • An app that disables SELinux.

Privilege escalation apps that root devices without user permission are classified as rooting apps.

When Google Play Protect detects a privilege escalation app, the following warning is shown to users: "This app tries to bypass Android's security protections."

Ransomware

An app that takes partial or extensive control of a device or data on a device and demands that the user make a payment or perform an action to release control.

Some ransomware apps encrypt data on the device and demand payment to decrypt the data and/or leverage the device admin features so that the app can't be removed by a typical user. Examples include:

  • Locking a user out of their device and demanding money to restore user control.
  • Encrypting data on the device and demanding payment, ostensibly to decrypt the data.
  • Leveraging device policy manager features and blocking removal by the user.

When Google Play Protect detects ransomware, the following warning is shown to users: "This app can disable your device or threaten to reveal personal information unless you pay money."

Rooting

A malicious privilege escalation app that roots the device.

There's a difference between non-malicious and malicious rooting apps. Non-malicious rooting apps let the user know in advance that they're going to root the device and they don't execute other potentially harmful actions that apply to other PHA categories.

Malicious rooting apps don't inform the user that they're going to root the device, or they inform the user about the rooting in advance but also execute other actions that apply to other PHA categories.

When Google Play Protect detects a malicious rooting app, the following warning is shown to users: "This app tries to bypass Android's security protections."

Spam

An app that sends unsolicited messages to the user's contacts or uses the device as an email spam relay.

When Google Play Protect detects spam, the following warning is shown to users: "This app can spam other people with unauthorized messages."

Spyware

An app that transmits personal data off the device without adequate notice or consent.

For example, transmitting any of the following information without disclosures or in a manner that is unexpected to the user is sufficient to be considered spyware:

  • Contact list
  • Photos or other files from the SD card or that aren't owned by the app
  • Content from user email
  • Call log
  • SMS log
  • Web history or browser bookmarks of the default browser
  • Information from the /data/ directories of other apps

Behaviors that can be considered as spying on the user can also be flagged as spyware. For example, recording audio or recording calls made to the phone, or stealing app data.

When Google Play Protect detects spyware, the following warning is shown to users: "This app tries to spy on your personal data, such as SMS messages, photos, audio recordings, or call history."

Trojan

An app that appears to be benign, such as a game that claims only to be a game, but that performs undesirable actions against the user.

This classification is usually used in combination with other PHA categories. A trojan has an innocuous app component and a hidden harmful component. For example, a game that sends premium SMS messages from the user's device in the background and without the user's knowledge.

When Google Play Protect detects a trojan, the following warning is shown to users: "This app is fake. It tries to take over your device or steal your data."

Uncommon

New and rare apps can be classified as uncommon if Google Play Protect doesn't have enough information to clear them as safe. This doesn't mean the app is necessarily harmful, but without further review it can't be cleared as safe either.

When Google Play Protect detects an uncommon app, the following warning is shown to the user: "Play Protect doesn't recognize this app's developer. Apps from unknown developers can sometimes be unsafe."

Mobile unwanted software (MUwS)

Google defines unwanted software (UwS) as apps that aren't strictly malware, but are harmful to the software ecosystem. Mobile unwanted software (MUwS) impersonates other apps or collects at least one of the following without user consent:

  • Device phone number
  • Primary email address
  • Information about installed apps
  • Information about third-party accounts

MUwS is described alongside the PHA classifications but is tracked separately from all other PHA categories. The section below describes the different categories of MUwS.

Mobile Unwanted Software categories

Data collection

An app that collects and transmits personal data without adequate notice or consent. This may include collecting the list of installed apps, the device phone number, email addresses or other third-party account IDs, or other personal information.

When Google Play Protect detects data collection, the following warning is shown to users: "This app can collect data that could be used to track you."

Impersonation

An app that pretends to be another app with the intention of deceiving users into performing actions that the user intended for the original trusted app.

When Google Play Protect detects impersonation, the following warning is shown to users: "This app looks like another app and can trick you into exposing personal data, misusing your device, or installing other apps."

Disruptive ads

An app that displays ads to users in unexpected ways, including impairing or interfering with the usability of device functions, or displaying ads outside the triggering app's environment without adequate consent and attribution.

When Google Play Protect detects disruptive ads, the following warning is shown to users: “This app may display ads with unexpected behaviours (e.g., outside of the app environment, cannot be easily dismissed, or interfering with device functionality).”