Google removed 39 million Potentially Harmful Applications from Android in 2017

In May, 2017, Google announced the introduction of Google Play Protect on Android OS. Google Play Protect is “Google’s comprehensive security services for Android, providing powerful new protections and greater visibility into your device security.” In the same year, 2017, Google Play Protect led to identification and removal of approximately 39 million PHAs (Potentially Harmful Applications) in more than 2 billion active Android devices, according to a report of Google Security Team.

Google Play Protect provides 4 services: PHA scanning; Find My Device; Safe Browsing; Developer APIs. On PHA Scanning, Google Play Protect do a collection of mobile threat protections and removal options for downloaded PHAs including: automatic daily PHA scanning; user-initiated, on-demand scanning; scanning for threats even when the device is offline; automatically disabling or removing PHA threats; uploading new apps to the cloud for scanning. On Find My Device, Google Play Protect protects users data in case of lost or stolen devices (Formerly Android Device Manager); On Safe Browsing, Google Play Protect protects users from deceptive websites; With the Developer APIs, Google Play Protect allow APIs that allow third-party apps to use Google’s security services.

On the report, Google says that Android devices that only download apps from Google Play are 9 times less likely to get a PHA than devices that download apps from other sources. But even from the Google Play store, there are risks, and Google is using machine learning since 2016 to to help detect and classify mobile threats.

According to the security team, Google’s systems learn which apps are potentially harmful and which are safe by analyzing our entire app database. The algorithms look at hundreds of signals and compare behavior across the Android ecosystem to see if any apps are attempting anything suspicious, such as interacting with other apps on the device in unexpected ways, accessing or sharing personal data without authorization, aggressively installing apps (including PHAs), accessing phishing websites, or bypassing built-in security features. In addition to app behavior, Google Play Protect’s algorithms started analyzing where PHAs come from and how they make money in 2017. PHA developers often create apps in clusters, so these new techniques help Google to identify new PHAs more quickly.

Potentially Harmful Applications Behaviours

The PHAs (Potentially Harmful Applications) detected by Google have been classified in this document.


An application that allows the execution of unwanted, potentially harmful, remote-controlled operations on a device.

Commercial spyware

Any application that transmits sensitive information off the device without user consent and does not display a persistent notification that this is happening.

Data collection

Reclassified as Mobile Unwanted Software (MUwS). Any application that collects at least one of the following without user consent.

Denial of service

An application that, without the knowledge of the user, executes a denial-of-service attack or is a part of a distributed denial-of-service attack against other systems and resources.

Hostile downloader

An application that is not in itself potentially harmful, but downloads other potentially harmful apps.

Mobile billing fraud

An application that charges the user in an intentionally misleading way.

SMS fraud

An application that charges users to send premium SMS without consent, or tries to disguise its SMS activities by hiding disclosure agreements or SMS messages from the mobile operator notifying the user of charges or confirming subscription.

Call fraud

An application that can add charges to a user’s mobile bill by making costly calls without informing them first.

Toll fraud

An application that tricks users to subscribe or purchase content via their mobile phone bill.

Non-Android threat

An application that contains non-Android threats. These apps are unable to cause harm to the user or Android device, but contain components that are potentially harmful to other platforms.


An application that pretends to come from a trustworthy source, requests a user’s authentication credentials and/or billing information, and sends the data to a third party.

Privilege escalation

An application that compromises the integrity of the system by breaking the application sandbox, or changing or disabling access to core security-related functions.


An application that takes partial or extensive control of a device or data on a device and demands payment to release control.


A privilege escalation app that roots the device.


An application that sends unsolicited commercial messages to the user’s contact list or uses the device as an email spam relay.


An application that transmits sensitive information off the device.


An application that appears to be benign and performs undesirable actions against the user.