Testing SafetyNetClient.listHarmfulApps()

Question

I am writing an Android app that will report to the user (among other SafetyNet data) if there is any PHA (Potentially Harmful Application) installed on his/her device.

For that I am using the SafetyNet Verify Apps API. My call to isVerifyAppsEnabled() is working properly, but making calls to listHarmfulApps() yields nothing.

Both are syntatically identical, so I believe my code is ok, but here it is, anyway:

SafetyNetClient safetyNetClient = SafetyNet.getClient(this.getContext());

safetyNetClient.listHarmfulApps()
        .addOnCompleteListener(new OnCompleteListener<SafetyNetApi.HarmfulAppsResponse>() {
            @Override
            public void onComplete(@NonNull Task<SafetyNetApi.HarmfulAppsResponse> task) {
                Log.d("FragmentSafetyNet", "Received listHarmfulApps() result");

                if (task.isSuccessful()) {
                    SafetyNetApi.HarmfulAppsResponse result = task.getResult();

                    List<HarmfulAppsData> appList = result.getHarmfulAppsList();
                    if (appList.isEmpty()) {
                        Log.d("FragmentSafetyNet", "There are no known potentially harmful apps installed.");
                    } else {

                        Log.e("FragmentSafetyNet", "Potentially harmful apps are installed!");

                        for (HarmfulAppsData harmfulApp : appList) {
                            Log.e("FragmentSafetyNet", "Information about a harmful app:");
                            Log.e("FragmentSafetyNet", "  APK: " + harmfulApp.apkPackageName);
                            Log.e("FragmentSafetyNet", "  SHA-256: " + harmfulApp.apkSha256);
                            Log.e("FragmentSafetyNet", "  Category: " + harmfulApp.apkCategory);
                        }
                    }
                } else {
                    Log.d("FragmentSafetyNet", "An error occurred. " +
                            "Call isVerifyAppsEnabled() to ensure " +
                            "that the user has consented.");
                }
            }
        })
        .addOnSuccessListener(new OnSuccessListener<SafetyNetApi.HarmfulAppsResponse>() {
            @Override
            public void onSuccess(SafetyNetApi.HarmfulAppsResponse harmfulAppsResponse) {
                Log.d("listHarmfulApps()", "Sucess! Received listHarmfulApps() result");
            }
        })
        .addOnFailureListener(new OnFailureListener() {
            @Override
            public void onFailure(@NonNull Exception e) {
                Log.e("listHarmfulApps()", "Error: " + e.getMessage());
            }
        });

There really isn't much to the code: it is basically the code on Google's page adapted to use the new API calls in GMS 11.0.2 (the examples on the forementioned page all use deprecated calls), but it isn't working at all. None of the listeners are being triggered.

Either I messed something or there simply isn't any PHA on the device I am testing.

Thus my 3 questions:

1) Is my code correct?

2) Is there any sort of PHA that I can install that will be blacklisted, show up on the list, but isn't actually harmful? (like the EICAR virus used to test anti-virus software).

3) Finally, if (1) and (2) aren't possible, is there any PHA I can install? In this case I'll be using a controlled, disposible environment, like a rooted emulator that I'll just wipe afterwards.

Thank you in advance.

Answer 1

For those interested in the outcome of this problem, here's how I solved it:

1) There were a few mistakes in my code, which was being called from a v4.Fragment. Since my app has an Activity, this line:

SafetyNetClient safetyNetClient = SafetyNet.getClient(this.getContext());

Should read:

SafetyNetClient safetyNetClient = SafetyNet.getClient(this.getActivity());

(notice the change from getContext() -> getActivity() )

2) This will NOT WORK ON EMULATORS. Period. The reason is that listHarmfulApps() only works if Apps Verify is enabled, and it cannot be enabled on an emulator.

3) I had to temporarily sacrifice one of my Android phones (a Galaxy S3) and infect it with some malware samples (which are actual real malware APKs) sent to me by a fellow developer. In order to do so I removed it's memory and SIM card, removed any personal info from it (including Google account... I used a disposable one), and connected it to my guest wi-fi, isolated from my home wi-fi. The malware APK was installed through ADB, I opened a few banking apps so it could be "activated" and then I scanned for it. Too bad I forgot to do a print-screen.

4) Later I found out that I was using the wrong search pattern on google to find testing malware. There are quite a few sites that will let you download sample malware. Some of them require free registration.

5) It is important to note that in steps (4) and (5), I was dealing with real malware, not test files (like EICAR), so they presented real danger and could make real harm if allowed to. It was like handling a loaded gun, with a light trigger and no safeties!

6) The GS3 had to be reflashed with a stock ROM in order to be certified free of the malware.

7) The app has been finished and published on the Play Store: https://play.google.com/store/apps/details?id=com.alxdroiddev.gs3identity

Thanks to those in the 2600 Hacker group who helped me out.