Google said in its latest Android security and privacy report that 0.45% of all Android devices running Google Play Protect  installed potentially harmful apps (PHAs) in 2018, compared to 0.56% in 2017. This equates to a 20% year-over-year improvement. Two apps outside of this category are versions of a popular video player that mines cryptocurrency in the background without user consent. Mobile devices have been damaged by cryptocurrency mining in the past, so Google flags these apps as PHAs.

In India, by far the biggest Android market, 0.65% of all Android devices were affected by PHAs in 2018, there was a 35% drop from the previous year. For the first time, India didn’t have the highest device rate of PHAs among the top Android markets.

  • Most PHAs in India were Trojans, backdoors or hostile downloaders that downloaded more PHAs onto devices. These apps were introduced to users through supply chain attacks either in the form of pre-installed apps on new devices or OTA updates handled by untrustworthy OTA companies.
  • Pre-installed apps from the EagerFonts, Snowfox, and Chamois families were the most common.

Of the devices that exclusively used Google Play to download apps globally, only 0.08% had one or more PHAs installed in 2018, the same as in 2017. In contrast, 0.68% of devices that installed apps from outside Google Play were affected by one or more PHAs in 2018. While this number is 8 times higher than devices that exclusively used Google Play, it’s an improvement from 0.80% in 2017.

The report also said that 0.04% of all downloads from the Google Play Store in 2018 were PHAs, up from 0.02% in 2017. However, Google said this was because it had changed its methodology in 2018 by upgrading click fraud from a policy violation to a PHA, and that the “overall health of the Android ecosystem” had improved. Click fraud apps simulate clicks on advertisements without user consent. “If we remove the numbers for click fraud from these stats, the data shows that PHAs on Google Play declined by 31% year-over-year,” the report read. In contrast, 0.92% of apps installs from sources other than Google Play in 2018 were ‘potentially harmful’, compared to 1.48% in 2017. However, these numbers don’t include pre-installed apps.

Other highlights from the report

0.65% of Android devices running Lollipop had PHAs in 2018, compared to 0.55% for Marshmallow, 0.29% for Nougat, 0.19% for Oreo, and 0.18% for Pie.

In 2018, there were two notable changes to the Android threat landscape: an increase in pre-installed PHAs and backdoored SDKs (software development kits).

  • Preinstalled PHAs: Malicious actors increased their efforts to embed PHAs into the supply chain through two main entry points: new devices sold with pre-installed PHAs and over the air updates that bundle legitimate system updates with PHAs.
  • SDKs: Malicious code can be included in legitimate SDKs in various ways. Hundreds of apps were affected by backdoored code.

Of the five largest Android markets, three (India, Indonesia, Brazil) became cleaner year-over-year, one (Russia) stayed at the same level, and for one (USA) the numbers went up.

Top PHAs on Google Play in 2018

Apart from click fraud (newly included as a PHA), Trojans and backdoors, the install rates of all types of PHAs fell from 2017 to 2018.

Click fraud in Google Play

  • Click fraud installs accounted for 0.023% of all installs on Google Play during 2018.
  • Many of these came bundled with flashlight, music player or game apps as users tend to keep these daily and keep them installed.

Trojans in Google Play

  • The vast majority of Trojan apps downloaded from Google Play are from a single family called Idle Coconut, which is distributed as an SDK to legitimate developers. Apps that include this SDK double up as end points of a certain commercial VPN.
  • In 2018, Trojan apps mainly targeted India, Germany, and Turkey.

SMS fraud in Google Play

  • In 2018, about 0.003% of all app installs from Google Play were SMS fraud, the same as in 2017.
  • BreadSMS remains the largest SMS fraud family on Google Play. It targets users in Thailand almost exclusively, and subscribes the device to premium SMS content without the user’s consent.
  • In October, Google began to limit which apps are allowed to ask for SMS permissions.

Top PHAs outside Google Play in 2018

With the exception of the top PHA category (backdoors) and the new category (click fraud), all PHA categories outside Google Play saw a decline from 2017.

Backdoors outside Google Play

  • In 2018, backdoors were the most prevalent PHA category outside of Google Play.
  • They comprised 28.0% of all PHA installs and 0.26% of all app installs (up from 0.22% in 2017).
  • In 2018, backdoor apps mainly targeted devices in Russia, Brazil, Mexico, and Vietnam.
  • The spread of backdoor PHAs is attributed to a specific PHA family, Chamois. Disguised as system apps, these come pre-installed on popular devices from OEMs that didn’t carefully scan for malware. They download and install PHAs and other apps in the background.

Trojans outside Google Play

  • The prevalence of Trojans among all installed apps fell from 0.33% in 2017 to 0.23% in 2018, decreasing their rank to second.
  • Trojans now only account for 25.1% of all sideloaded PHAs.
  • Like hostile downloaders, they have many variations and aren’t from a particular family.
  • The only noteworthy Trojans are those that mine cryptocurrency without user consent.
  • As cryptocurrency prices rose dramatically at the end of 2017 and early 2018, the number of malicious actors also rose.
  • In 2018, 4 of the top 11 Trojans were cryptocurrency miners, all embedded in a video player app that is popular in India.

Hostile downloaders outside Google Play

  • In 2018, hostile downloaders made up 22.0% of all sideloaded PHAs, making this the third most prevalent category, as in 2017.
  • While this category accounted for 0.39% of all sideloaded apps in 2017, it was down to 0.20% in 2018.
  • Hostile downloaders come from legitimate third-party stores with poor security setups or fake stores that are built specifically for spreading PHAs.
  • They can be pre-installed apps that slipped through the security scans of OEMs, or plain apps that pretend to (or actually do) offer user-wanted features while downloading PHAs in the background.

Other changes in methodology

Apart from including click fraud apps in the PHA category, Google made two changes to its methodology in 2018. These are:

  • The concept of user-wanted PHAs. These apps are classified as PHAs, but are intentionally installed by users who want them for their unique capabilities. For example, power users install apps to root their device or disable security settings, such as SELinux.
  • The don’t-warn-again concept. If Google Play Protect flags apps as PHAs, users receive a warning at the time of install, allowing them to continue or cancel. If they proceed, this specific installation is removed from the metrics for PHAs used for calculating device hygiene.