Potentially Harmful Applications (PHAs)
Stay organized with collections
Save and categorize content based on your preferences.
Potentially Harmful Applications (PHAs) are apps that could put users, user
data, or devices at risk. These apps are often generically referred to as
malware. We've developed a range of categories for different types of
PHAs, including trojans, phishing, and spyware apps, and we are continuously
updating and adding new categories.
Potentially harmful?
There is some confusion around the ambiguity of the word potentially
when used to describe malicious apps. Google Play Protect removes apps that have
been flagged as Potentially Harmful because the app does contain malicious
behavior not because we are simply unsure if the app is harmful or not. The word
potentially is used here because malicious apps function differently depending
on a variety of variables thus an app that is harmful to one Android device
might not pose a risk at all to another Android device. For example, a device
running the latest version of Android is not affected by harmful apps which use
deprecated APIs to perform malicious behavior but a device that is still running
a very early version of Android might be at risk. Mobile billing fraud poses a
risk to devices connected to service carriers but devices which only connect to
WIFI are not affected by these apps.
Apps are flagged as a PHA if they clearly pose a risk to some or all Android
devices and users.
User-wanted PHAs
Some apps that can weaken or disable Android security features aren't
categorized as PHAs. These apps provide functionality that users want, such as
rooting the device and other development features. Even though these apps are
potentially harmful, users install them intentionally, so Google Play Protect
manages them differently than other PHAs.
When a user begins to installI an app that's classified as user-wanted,
Google Play Protect warns the user of the app's potential hazards just once. The
user can decide whether to continue with the installation. After installation,
the user-wanted classifications prevents Google Play Protect from sending
additional warnings, so there's no disruption to the user experience.
Classifications
There are several categories for classifying PHAs that help Play Protect
detect them and determine the right action to take. These categories include
malicious apps like trojans, spyware, and phishing apps, as well as user-wanted
apps. If Play Protect detects a PHA, it displays a warning. For certain
malicious apps, Play Protect automatically disables or removes the app.
When Play Protect detects that a PHA contains features from multiple
categories, it classifies the app based on the most harmful characteristics. For
example, if an app applies to both ransomware and spyware categories, the Verify
Apps message identifies it as ransomware.
You can view the current PHA categories and definitions
here.
Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
Last updated 2024-10-31 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-10-31 UTC."],[[["\u003cp\u003ePotentially Harmful Applications (PHAs), often called malware, pose risks to users, data, or devices.\u003c/p\u003e\n"],["\u003cp\u003ePHAs are categorized by type, such as trojans or spyware, with Google Play Protect continuously updating these categories.\u003c/p\u003e\n"],["\u003cp\u003e"Potentially harmful" signifies a confirmed risk to some or all Android devices, varying based on factors like Android version.\u003c/p\u003e\n"],["\u003cp\u003eUser-wanted PHAs, like rooting apps, are acknowledged as potentially harmful but receive a single warning due to intentional installation.\u003c/p\u003e\n"],["\u003cp\u003eGoogle Play Protect classifies PHAs into various categories to trigger appropriate actions, prioritizing the most harmful characteristics in cases of overlap.\u003c/p\u003e\n"]]],["Potentially Harmful Applications (PHAs) are apps that risk users, data, or devices. Google Play Protect flags apps with malicious behavior as PHAs, removing or disabling them based on their harm level. PHAs include trojans, spyware, and phishing apps. User-wanted apps, like those for rooting, are treated differently: a one-time warning is displayed during installation and further warnings are not displayed. PHA detection uses categories, with apps classified by their most harmful traits, such as ransomware.\n"],null,["# Potentially Harmful Applications (PHAs) are apps that could put users, user\ndata, or devices at risk. These apps are often generically referred to as\n*malware*. We've developed a range of categories for different types of\nPHAs, including trojans, phishing, and spyware apps, and we are continuously\nupdating and adding new categories.\n\n### Potentially harmful?\n\nThere is some confusion around the ambiguity of the word *potentially*\nwhen used to describe malicious apps. Google Play Protect removes apps that have\nbeen flagged as Potentially Harmful because the app does contain malicious\nbehavior not because we are simply unsure if the app is harmful or not. The word\npotentially is used here because malicious apps function differently depending\non a variety of variables thus an app that is harmful to one Android device\nmight not pose a risk at all to another Android device. For example, a device\nrunning the latest version of Android is not affected by harmful apps which use\ndeprecated APIs to perform malicious behavior but a device that is still running\na very early version of Android might be at risk. Mobile billing fraud poses a\nrisk to devices connected to service carriers but devices which only connect to\nWIFI are not affected by these apps.\n\nApps are flagged as a PHA if they clearly pose a risk to some or all Android\ndevices and users.\n\n### User-wanted PHAs\n\nSome apps that can weaken or disable Android security features aren't\ncategorized as PHAs. These apps provide functionality that users want, such as\nrooting the device and other development features. Even though these apps are\npotentially harmful, users install them intentionally, so Google Play Protect\nmanages them differently than other PHAs. \n\nWhen a user begins to installI an app that's classified as user-wanted,\nGoogle Play Protect warns the user of the app's potential hazards just once. The\nuser can decide whether to continue with the installation. After installation,\nthe user-wanted classifications prevents Google Play Protect from sending\nadditional warnings, so there's no disruption to the user experience.\n\n### Classifications\n\nThere are several categories for classifying PHAs that help Play Protect\ndetect them and determine the right action to take. These categories include\nmalicious apps like trojans, spyware, and phishing apps, as well as user-wanted\napps. If Play Protect detects a PHA, it displays a warning. For certain\nmalicious apps, Play Protect automatically disables or removes the app.\nWhen Play Protect detects that a PHA contains features from multiple\ncategories, it classifies the app based on the most harmful characteristics. For\nexample, if an app applies to both ransomware and spyware categories, the Verify\nApps message identifies it as ransomware.\n\nYou can view the current PHA categories and definitions\n[here.](/android/play-protect/phacategories)"]]