All about PHAs and how they impact your enterprise cyber risk

file 3 RiskXchange The leader in Third-Party Cyber Risk Management

RiskXchange can ensure organisations around the world can pinpoint and tackle the threats posed by PHAs.

Potentially Harmful Applications (PHAs) are Android apps that put devices, users, user data and entire companies at risk. These apps are often referred to as malware and the data extracted through them can cause a great deal of damage to an organisation. There is also a growing trend for pre-installed PHAs which security companies often investigate, and reports have found they pose significant risk.

As the use of mobile devices become widespread, cyber criminals are targeting smartphones to gain access to banking information and personal data. Android remains the most targeted because it has a larger market share and is open source. Apple iOS is also a target but not so much as the platform is more secure.

The increase of PHAs

Data exfiltration or even destruction of data can cause considerable damage to an organisation. Pre-installed malware was recently found on US government-funded smartphones and other devices. Google has al so reported a huge increase of PHAs:  “Malicious actors increased their efforts to embed PHAs into the supply chain using two main entry points: new devices sold with pre-installed PHAs and over the air (OTA) updates that bundle legitimate system updates with PHAs. Neither entry point requires action from users, making them difficult to defend against.” Google states that there are three possible reasons for an increase in the number of pre-installed PHAs:

  • The developers of pre-installed PHAs only need to deceive the device manufacturer or another company in the supply chain instead of large numbers of users, so it’s easier to achieve large-scale distribution. Even a less popular device model can compromise hundreds of thousands of users through one pre-installed harmful application.
  • Pre-installed PHAs can gain more privileged access to the device, so it’s easier to execute malicious behaviour that would usually be blocked by Android’s security model. At the same time, these additional privileges allow PHAs to defend against security tools or removal attempts by users.
  • Large families of PHAs used exploits to root devices, but this is increasingly more difficult due to Android’s constantly improving security model which blocks privilege escalation exploits to achieve similar privileges and defence levels for regular apps. Developers of these apps know that it is easier to compromise the supply chain of device manufacturers than to attack the Android platform security model.

To combat the problem of pre-installed PHAs, the Android Security team at Google launched a security program as part of the Android device certification process. They expanded the program in 2018 and now every new Android-certified device goes through the same app scanning process as apps on Google Play. Their security scanner also looks for other common security and privacy issues and denies device certification until device manufacturers fix these problems. Although these steps have been taken by Google, it’s still important that organisations think about and tackle their own security measures.

The problem with PHAs

PHAs are usually pre-installed in low-cost devices from vendors with little control over the software installed. Managing mobile device security and the data stored on them is one of the biggest challenges faced by organisations today.

The problems arise because on one hand, users want to choose and use their own devices with little or no concern over the security implications of said device. On the other hand, businesses want employees to be reachable, have access to emails and store business data all at the same time. Companies allowing employees to store company data on devices with pre-installed PHAs could unwittingly allow malicious actors access to company data. The same can be applied for organisations that use apps to communicate with their employees or customers. In fact, nearly onethird of executives surveyed by PwC cited mobile devices as the leading cause of security breaches in their organisation. Many other studies have found a similar trend.

Keep on the lookout

Due to the widespread problems encountered with PHAs, it has become clear that companies must rethink their enterprise mobility policies. RiskXchange has pinpointed some of the greatest threats to mobile devices today:


A pre-installed trojan added to some Phillips smartphones that displays advertisements and also downloads and installs software without user knowledge.


A pre-installed app on some Samsung smartphones which can act as a vector to push malicious apps directly onto smartphones.


Pre-installed remote access trojan (RAT) on some uleFone smartphones that silently sends SMS messages without the user’s consent to receive instructions from their command-and-control server. It also collects personal information.


A stock app pre-installed on some TCL and Alcatel smartphones that has the capabilities to silently install and uninstall other apps and also infiltrates device and user data.


Affecting low-cost devices from BLU, Infinix, Doogee, Leagoo, and Xolo. It allows malicious actors to remotely execute commands on the devices as a privileged user if they were in a position to conduct a Man-in-the-Middle attack.

Who is at risk?

The finance, technology, real estate and energy sectors seem to be the most affected. Organisations affected by these kinds of threats may need to improve security controls, such as their Inventory and Control of Hardware Assets, their Secure Configuration for Software on Mobile Devices, and their Malware Defences. In order to mitigate risk, the following should be considered:

  • Educate employees about PHAs, the risks, mobile choices and what to look out for.
  • Establish or enforce enterprise mobility policies, such as: Choose Your Own Device (CYOD), Bring Your Own Device (BYOD), Company Owned/Business Only (COBO) or Company Owned/Personally Enabled (COPE).
  • Adopt mobile device management (MDM) software. MDM will not only monitor devices but also their connected networks and the data they send and receive.
  • Protect endpoints with anti-malware or other solutions.

How RiskXchange can help

RiskXchange is one of the firms leading the fight against cybercrime, coming up with novel solutions to everyday problems experienced at the hands of hackers. We are a respected provider of cybersecurity ratings and can ensure organisations around the world can pinpoint and tackle the threats posed by PHAs.

With full visibility over your eco-systems’ entire attack surface in near real-time, you can regularly monitor and mitigate risks to prevent unnecessary exposures. Our passive data collection methods are effective and have no impact on your network performance. Using data-driven insights to prevent breaches is the best way to reduce an attack surface and prevent cyberattacks. 

About RiskXchange

RiskXchange provides a powerful AI-assisted, yet simple automated and centralised 360-degree cybersecurity risk rating management approach. We generate objective and quantitative reporting on a company’s cyber security risk and performance, which enables organisations with evolving business requirements to conduct business securely in today’s open and collaborative digital world. 

RiskXchange is an information security technology company, which helps companies of all sizes fight the threat of cyber threats by providing instant risk ratings for any company across the globe. RiskXchange was founded and is led by recognised experts within the security industry, who have held leading roles within companies such as IBM Security.