Android Malware History

PHAs, or Potentially Harmful Applications, are a type of malware that can harm users or their devices. PHAs can perform various malicious actions, such as stealing personal information, displaying unwanted ads, sending spam messages, or downloading other harmful apps without the user's consent.

Android is one of the most popular operating systems in the world, with over 3 billion active devices. However, this also makes it a target for cybercriminals who want to exploit its vulnerabilities and distribute PHAs. In this blog post, we will explore the history of Android PHAs, how they have evolved over time, and what Google is doing to protect users from them.

The first Android virus: FakePlayer

In August 2010, the first in-the-wild Android malware was reported by Denis Maslennikov, an employee of Kaspersky. Disguised as a media player application, FakePlayer sent SMS messages to the numbers 3353 and 3354, with each message costing about $5. The app did not require any special permissions to run, and it was distributed through third-party websites and forums. FakePlayer was the first SMS malware to affect Google's Android operating system, and it marked the beginning of a new era of mobile threats.

SMS Trojans and Fake Antivirus

The first Android PHAs appeared in 2009 in the official store, shortly after the launch of the Android Market (now Google Play). These were mainly SMS Trojans and Fake Antivirus apps. SMS Trojans would send premium-rate text messages from the infected device without the user's knowledge, generating revenue for the attackers. Fake Antivirus apps would pretend to scan the device for viruses and then ask the user to pay for a fake or ineffective service.

These PHAs were relatively easy to detect and remove, as they often required the user to grant them permissions unrelated to their stated functionality. For example, a wallpaper app that asked for permission to send text messages was clearly suspicious. Moreover, Google introduced several security features in Android and Google Play to stop these PHAs from spreading, such as blocking premium-rate SMS numbers, verifying app signatures, and scanning apps for malware.
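The permission mismatch described above (a wallpaper app requesting SEND_SMS) can be turned into a simple static triage rule. The following is an added example written for this post, not code from Google or from any Android tooling: it parses `<uses-permission>` entries from an AndroidManifest.xml, also picks up the guard permissions on declared services and receivers (accessibility services and device-admin receivers are declared that way rather than via `<uses-permission>`), and flags sensitive capabilities that the app's category does not justify. It goes beyond the SMS case to the overlay, accessibility, device-admin and package-install capabilities abused by the later PHA families discussed on this page. The per-category baseline of expected permissions and the two sample manifests are constructed assumptions; the permission names are the real Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities abused by the PHA families described in this post. The permission
# names are real Android permissions; the labels are this example's own.
RISK_SIGNALS = {
    "android.permission.SEND_SMS": "send SMS (premium-rate SMS Trojan pattern)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTP theft pattern)",
    "android.permission.READ_SMS": "read stored SMS (OTP theft pattern)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay pattern)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (screen reading / input injection)",
    "android.permission.BIND_DEVICE_ADMIN": "device administrator (lock / wipe, ransomware pattern)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other packages (dropper pattern)",
}

# Assumed baseline: permissions each app category legitimately needs.
EXPECTED_BY_CATEGORY = {
    "wallpaper": {"android.permission.INTERNET", "android.permission.SET_WALLPAPER"},
    "media_player": {"android.permission.INTERNET", "android.permission.READ_EXTERNAL_STORAGE"},
    "messaging": {"android.permission.INTERNET", "android.permission.SEND_SMS",
                  "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                  "android.permission.READ_CONTACTS"},
}


def extract_capabilities(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus the permissions guarding declared
    services and receivers, since accessibility services and device-admin
    receivers are declared through those guards."""
    root = ET.fromstring(manifest_xml)
    caps = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:
            caps.add(name)
    for tag in ("service", "receiver"):
        for node in root.iter(tag):
            guard = node.get(ANDROID_NS + "permission")
            if guard:
                caps.add(guard)
    return caps


def triage(category: str, capabilities: set) -> dict:
    """Flag every risky capability that the app's category does not explain.
    The score is simply the number of unexplained risky capabilities."""
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    findings = [f"{cap}: {RISK_SIGNALS[cap]}"
                for cap in sorted(capabilities)
                if cap in RISK_SIGNALS and cap not in expected]
    return {"category": category, "score": len(findings), "findings": findings}


# Constructed sample: a "wallpaper" app that also wants SMS, overlays and device admin.
SUSPICIOUS_WALLPAPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed sample: a messaging app whose SMS permissions match its purpose.
BENIGN_MESSAGING_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""


if __name__ == "__main__":
    for category, manifest in (("wallpaper", SUSPICIOUS_WALLPAPER_MANIFEST),
                               ("messaging", BENIGN_MESSAGING_MANIFEST)):
        print(triage(category, extract_capabilities(manifest)))
```

The category baseline is the weak point of such a rule: a real pipeline would derive it from the store listing or from peer apps rather than a hand-written table, and would treat the output as a triage score to prioritise analysis, not as a verdict.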

The rise of Rooting and Ransomware PHAs

In 2012, a new type of PHA emerged: Rooting PHAs. These were apps that exploited vulnerabilities in the Android system to gain root access to the device. Rooting is a process that allows users to modify the system settings and install custom ROMs or apps that are not available on Google Play. However, rooting also exposes the device to security risks, as it bypasses the Android security model and gives full control to any app that has root privileges.

Rooting PHAs would use root access to perform various malicious actions, such as installing other PHAs, displaying ads on the lock screen or notification bar, changing browser settings or bookmarks, or stealing personal data. Some Rooting PHAs would also hide themselves from the user and make it difficult to uninstall them.

Another type of PHA that became more prevalent in 2012 was Ransomware PHAs. These were apps that would lock the device or encrypt its data and then demand a ransom from the user to restore access or decrypt the data. Ransomware PHAs would often use scare tactics to trick users into paying, such as displaying fake messages from law enforcement agencies or threatening to delete the data.

These PHAs were more sophisticated and harder to detect and remove than the previous ones, as they often used encryption or obfuscation techniques to evade analysis and detection. Moreover, they often exploited social engineering or phishing methods to lure users into installing them, such as disguising themselves as legitimate apps or sending fake notifications or emails.

Google's response: Google Play Protect and SafetyNet

To combat these new threats, Google developed and improved several security solutions for Android and Google Play. One of these was Google Play Protect, a service that scans over 100 billion apps per day for malware and removes harmful apps from devices and Google Play. Google Play Protect also warns users about potentially harmful apps that are downloaded from other sources and provides them with options to uninstall or disable them.

Another solution was SafetyNet and the Play Integrity API, a set of APIs that allow developers to check the security status of devices and apps. SafetyNet can detect if a device is rooted or compromised by malware, if an app has been tampered with or contains malicious code, or if an app is trying to perform risky actions such as accessing sensitive data or sending SMS messages. Developers can use SafetyNet to prevent their apps from running on unsafe devices or to block malicious apps from accessing their services.

Reference: Overview of the Play Integrity API (Google Play, Android Developers).
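The integrity check only protects a backend if the server actually enforces the verdict. The following is an added example, not Google's code and not part of the Play Integrity SDK: it takes the decoded verdict JSON (the block assumes the token has already been decrypted and signature-verified on the server, for instance through Google's decodeIntegrityToken endpoint) and applies the checks a backend should make before trusting a request: nonce binding against replay, package-name and timestamp sanity, a Play-recognised app signed with an allow-listed certificate, and a device verdict that meets integrity. The field and verdict names are the documented Play Integrity ones; the freshness window, the allow-listed certificate digest and the two sample verdicts are constructed assumptions.

```python
import hmac
import time

# Documented Play Integrity verdict values that we accept for device integrity.
ACCEPTED_DEVICE_VERDICTS = {"MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"}
DEFAULT_MAX_AGE_MS = 5 * 60 * 1000   # assumption: verdicts older than 5 minutes are stale
CLOCK_SKEW_MS = 60 * 1000            # assumption: tolerate one minute of client/server skew


def evaluate_verdict(verdict: dict, expected_nonce: str, package_name: str,
                     cert_digests: set, now_ms: int = None,
                     max_age_ms: int = DEFAULT_MAX_AGE_MS) -> list:
    """Return the list of reasons to reject the request; an empty list means
    the verdict passed every check."""
    reasons = []
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    req = verdict.get("requestDetails", {})
    app = verdict.get("appIntegrity", {})
    dev = verdict.get("deviceIntegrity", {})

    # 1. Replay protection: the verdict must carry the nonce we issued for this request.
    if not hmac.compare_digest(str(req.get("nonce", "")), expected_nonce):
        reasons.append("nonce mismatch (possible replayed token)")
    if req.get("requestPackageName") != package_name:
        reasons.append("requestPackageName does not match our app")

    # 2. Freshness: timestampMillis is serialised as a string in the verdict.
    try:
        ts = int(req.get("timestampMillis", "0"))
    except ValueError:
        ts = 0
    if ts == 0 or now_ms - ts > max_age_ms or ts - now_ms > CLOCK_SKEW_MS:
        reasons.append("token timestamp stale or implausible")

    # 3. App integrity: Play-distributed binary, our package, our signing certificate.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append(f"app not recognized by Play: {app.get('appRecognitionVerdict')}")
    if app.get("packageName") != package_name:
        reasons.append("appIntegrity.packageName does not match our app")
    if not set(app.get("certificateSha256Digest", [])) & set(cert_digests):
        reasons.append("signing certificate digest not in allow-list (repackaged app?)")

    # 4. Device integrity: an empty list means the device failed every check
    #    (typical for rooted devices and emulators).
    dev_verdicts = set(dev.get("deviceRecognitionVerdict", []))
    if not dev_verdicts & ACCEPTED_DEVICE_VERDICTS:
        reasons.append(f"device integrity not met: {sorted(dev_verdicts) or 'none'}")
    return reasons


# Constructed sample inputs (placeholders, not real values).
PACKAGE = "com.example.bankapp"
CERT_DIGESTS = {"PLACEHOLDER_SIGNING_CERT_SHA256_BASE64URL"}
EXPECTED_NONCE = "c2VydmVyLWlzc3VlZC1ub25jZS0wMDE"
NOW_MS = 1_700_000_000_000

GOOD_VERDICT = {
    "requestDetails": {"requestPackageName": PACKAGE, "nonce": EXPECTED_NONCE,
                       "timestampMillis": str(NOW_MS - 10_000)},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": PACKAGE,
                     "certificateSha256Digest": ["PLACEHOLDER_SIGNING_CERT_SHA256_BASE64URL"],
                     "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}

# A repackaged build running on a rooted device or emulator.
TAMPERED_VERDICT = {
    "requestDetails": {"requestPackageName": PACKAGE, "nonce": EXPECTED_NONCE,
                       "timestampMillis": str(NOW_MS - 10_000)},
    "appIntegrity": {"appRecognitionVerdict": "UNRECOGNIZED_VERSION", "packageName": PACKAGE,
                     "certificateSha256Digest": ["PLACEHOLDER_OTHER_CERT_DIGEST"],
                     "versionCode": "42"},
    "deviceIntegrity": {"deviceRecognitionVerdict": []},
    "accountDetails": {"appLicensingVerdict": "UNLICENSED"},
}


if __name__ == "__main__":
    for label, v in (("good", GOOD_VERDICT), ("tampered", TAMPERED_VERDICT)):
        print(label, evaluate_verdict(v, EXPECTED_NONCE, PACKAGE, CERT_DIGESTS, now_ms=NOW_MS))
```

The nonce must be generated server-side per request and stored until the verdict arrives; comparing it with `hmac.compare_digest` keeps the check constant-time. Whether `MEETS_STRONG_INTEGRITY` should be required instead of accepted is a per-app policy decision that the `ACCEPTED_DEVICE_VERDICTS` set makes explicit.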

The current state of Android PHAs: Banking Trojans and Ad Fraud

Despite Google's efforts, Android PHAs are still evolving and posing new challenges. One of the current trends is Banking Trojans, which are apps that target users' financial information and accounts. Banking Trojans can steal credentials, intercept SMS messages, display fake login screens, or redirect transactions to fraudulent accounts. Banking Trojans often use sophisticated techniques such as overlay attacks, keylogging, screen recording, or injection attacks to bypass security measures and deceive users.

Another trend is Ad Fraud apps, which produce fake clicks or impressions on ads to generate revenue for the attackers. Ad Fraud apps can use various methods such as bots, proxies, emulators, or hidden webviews to create artificial traffic and inflate ad metrics. Ad Fraud apps can also harm users by consuming their battery life, data usage, or device resources.
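The hidden-webview and bot traffic described above leaves a measurable trace in ad event logs: impressions that are never viewable, click rates far above organic levels, and bursts of clicks from one device. The following is an added example written for this post, not code from any ad network or from Google: it runs those three detections, plus a check for clicks with no preceding impression, over a constructed event log of one organic device and one fraudulent device. Thresholds and the event format are assumptions for the example.

```python
from collections import defaultdict


def build_sample_events() -> list:
    """Constructed ad event log: (timestamp_s, device_id, event, viewable).
    'dev-legit' sees one viewable impression a minute and clicks once;
    'dev-bot' renders 40 non-viewable impressions (hidden webview pattern)
    and fires 30 clicks inside a single minute."""
    events = []
    for i in range(30):
        events.append((i * 60, "dev-legit", "impression", True))
    events.append((5 * 60 + 5, "dev-legit", "click", None))
    for i in range(40):
        events.append((i * 2, "dev-bot", "impression", False))
    for i in range(30):
        events.append((i * 2 + 1, "dev-bot", "click", None))
    return events


def score_devices(events: list, window_s: int = 60, max_clicks_per_window: int = 10,
                  max_ctr: float = 0.3, min_impressions: int = 10,
                  min_viewable_ratio: float = 0.5) -> dict:
    """Return {device_id: sorted list of finding names}. Devices with no
    findings are present with an empty list."""
    per_device = defaultdict(lambda: {"imp": 0, "viewable": 0, "clicks": [],
                                      "first_imp": None, "orphan_click": False})
    for ts, dev, event, viewable in sorted(events):
        d = per_device[dev]
        if event == "impression":
            d["imp"] += 1
            d["viewable"] += 1 if viewable else 0
            if d["first_imp"] is None:
                d["first_imp"] = ts
        elif event == "click":
            d["clicks"].append(ts)
            # A click before any impression was served to the device is bot-like.
            if d["first_imp"] is None or ts < d["first_imp"]:
                d["orphan_click"] = True

    results = {}
    for dev, d in per_device.items():
        findings = set()
        if d["orphan_click"]:
            findings.add("click_without_impression")
        if d["imp"] >= min_impressions and d["viewable"] / d["imp"] < min_viewable_ratio:
            findings.add("hidden_impressions")
        if d["imp"] >= min_impressions and len(d["clicks"]) / d["imp"] > max_ctr:
            findings.add("ctr_anomaly")
        # Sliding window over sorted click timestamps to find a burst.
        clicks = sorted(d["clicks"])
        j = 0
        for i in range(len(clicks)):
            while j < len(clicks) and clicks[j] - clicks[i] <= window_s:
                j += 1
            if j - i > max_clicks_per_window:
                findings.add("click_burst")
                break
        results[dev] = sorted(findings)
    return results


if __name__ == "__main__":
    for dev, findings in score_devices(build_sample_events()).items():
        print(dev, findings or "clean")
```

The thresholds are deliberately coarse; in production they would be tuned per placement and combined with signals the log alone cannot give (device attestation, IP reputation, install source), but the per-device aggregation and sliding-window burst check are the core of the detection.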