Harmony App Protect Detection Capabilities

Important Update - Harmony App Protect End of Support


Check Point's Harmony App Protect will reach end of support soon.

For more information on key actions and timelines, see Harmony App Protect End-of-Life - Check Point CheckMates.

Harmony App Protect has a wide range of detection capabilities for app classification and device security configuration.

The table below lists all detection capabilities. You can configure Harmony App Protect to expose all or only some of them to the hosting app. To do this, use a category layer that can be configured per hosting app. The category layer groups several detection capabilities into one category, so that the hosting app sees a simple, consolidated interface instead of every individual detection.

| Detection Capability | Title | Detection Category | Platform | Description |
|---|---|---|---|---|
| ROOTING_TOOL | Rooting Tool | SUSPICIOUS_APP | Android | The application was detected as a rooting/jailbreak tool. This might expose the device to various security threats. |
| DANGEROUS_APP | Dangerous App | SUSPICIOUS_APP | Android | A dangerous application is a legitimate application with certain capabilities that, if used by a malicious actor, could lead to device compromise, configuration changes, or even unauthorized access to corporate resources. |
| PHONE_TRACKING_TOOL | Device Tracking Tool | SUSPICIOUS_APP | Android | The app allows remote access to the device's location and might enable remote control over the device. In some cases this can be done without the user's consent. |
| REMOTE_ACCESS_TOOL | Remote Access Tool | SUSPICIOUS_APP | Android | The app allows remote control of the device. It might allow an attacker to take over the device without the user's consent. |
| SUSPICIOUS_APP | Suspicious App | SUSPICIOUS_APP | Android | This application includes suspicious capabilities. |
| GENERIC_MALWARE__SUSPECTED | Suspected Malware | SUSPICIOUS_APP | Android | The application is suspected to be malicious and is currently being further analyzed by Check Point's advanced detection engines. |
| LOCATION_TRACKING_TOOL | Location Tracking | SUSPICIOUS_APP | Android | The application allows remote access to the device's location without the user's consent. |
| TF_TEMPERED_APP_CERTIFICATE | Not Original Certificate | SUSPICIOUS_APP | Android | The application is signed with a non-genuine certificate. |
| NETWORK_REDIRECTION_TOOL | Network Redirection Tool | SUSPICIOUS_APP | Android and iOS | The application can redirect network communication without the user's consent. |
| GENERIC_MALWARE | Malware | MALWARE | Android | This application is malware with dangerous capabilities, intended to impact the device or exfiltrate sensitive data from it. |
| FAKE_APP | Fake App | MALWARE | Android | This application is malware posing as a legitimate app. |
| BOTNET | Botnet | MALWARE | Android | This application is part of a network of remotely controlled applications used to facilitate distributed attacks. |
| MITM_APP | Man-In-The-Middle Attack App | MALWARE | Android | This application wiretaps network traffic by means of a man-in-the-middle attack. |
| PREMIUM_DAILER | Premium Dialer | MALWARE | Android | The app sends SMS messages or dials premium numbers that might create excessive charges. |
| HACKING_TOOL | Hacking Tool | MALWARE | Android | This application compromises local network data, device data or application data (on either the device or a server). It can be used for authorized testing or for malicious purposes. |
| MRAT | Mobile Remote Access Tool | MALWARE | Android | Mobile Remote Access Tool: the app logs user activity, records the device's surroundings and collects personal information. |
| DROPPER | Dropper | MALWARE | Android | This application drops potential malware onto the device without user consent. |
| RANSOMWARE | Ransomware | MALWARE | Android | This application is malware that blocks the device or access to critical data, trying to force the user to pay a ransom to unlock the device or data. |
| BANKER | Financial Information Stealing App | MALWARE | Android | This application steals sensitive financial information such as banking credentials, credit card information and two-factor authentication tokens. |
| INFO_STEALER | Info Stealer | MALWARE | Android | The application was detected as info-stealer malware that gathers and sends sensitive information from the device. |
| ROOTKIT | Rootkit | MALWARE | Android | This application roots the device in order to perform malicious actions with elevated privileges. |
| SMSBOT | SMS Bot | MALWARE | Android | This application sends text messages in the background for malicious purposes. |
| PHISHING_APP | Phishing App | MALWARE | Android | This application is malware that attempts to acquire sensitive information such as usernames and passwords by masquerading as another, trustworthy application. |
| DM_VERITY__DISABLED | Verified boot is disabled | OS_INTEGRITY_COMPROMISED | Android | Verified boot (dm-verity) helps prevent persistent rootkits that can hold onto root privileges and compromise devices. It lets Android users be sure that a device boots in the same state as when it was last used. |
| ROOTED__NON_COMMUNITY | Non-Standard Rooting | OS_INTEGRITY_COMPROMISED | Android | Rooting was done with a non-standard technique; this might indicate the root was performed with malicious intent. Rooting is the process of allowing users running the Android OS to attain privileged control (known as root access) over various Android subsystems. |
| ROOTED | Rooted Device | OS_INTEGRITY_COMPROMISED | Android | Rooting is the process of allowing users running the Android OS to attain privileged control (known as root access) over various Android subsystems. |
| SELINUX__NON_ENFORCING | SELinux Permissive mode | OS_INTEGRITY_COMPROMISED | Android | SELinux (Security-Enhanced Linux) is not in enforcing mode. |
| JAILBROKEN | Jailbroken Device | OS_INTEGRITY_COMPROMISED | iOS | iOS jailbreaking is privilege escalation to remove the software restrictions imposed by Apple on iOS. |
| OUTDATED_OS_VERSION_IOS | Device has an out of date OS version | DEVICE_COMPROMISED | iOS | The device operating system is out of date. |
| NO_SCREEN_LOCK_PROTECTION | Screen lock protection disabled | DEVICE_COMPROMISED | Android and iOS | Screen lock is disabled. |
| DATA__NOT_ENCRYPTED | Device Encryption disabled | DEVICE_COMPROMISED | Android | Device encryption is disabled. |
| ADB_ENABLED | USB debugging enabled | DEVICE_COMPROMISED | Android | USB debugging allows an Android device to communicate with a PC running the Android SDK in order to perform advanced operations. |
| UNKNOWN_SOURCES | Unknown Sources Enabled | DEVICE_COMPROMISED | Android | This setting allows installation of apps from sources other than the Play Store. |
| SECURITY_PATCH__NOT_UPDATED | Security Patch Level Outdated | DEVICE_COMPROMISED | Android | The security patch level is outdated. |
| AUTO_CLICKER | Hidden Clicker | AD_MALWARE | Android | This application simulates clicks in the background to generate traffic for DDoS or ad fraud. |
| ROUGH_ADNETWORK | Rough Ad-Network | AD_MALWARE | Android | This application contains an ad network with dangerous capabilities that can leak sensitive data from the device and violate your privacy. |
| MITM_INVALID_CERT | SSL Interception (Basic) | MITM | Android and iOS | MITM attack: intercepts HTTPS traffic by using an invalid certificate that is not in the device's trusted certificate store or is not trusted by a root CA. |
| MITM_ARP_POISONING | ARP poisoning | MITM | Android and iOS | Detected a possible man-in-the-middle/ARP poisoning attack attempt. This attack allows an unauthorized third party to gain access to the device's network traffic, which may contain sensitive information such as emails, usernames and passwords. |
| MITM_CERT_PINNING_FAIL | SSL Interception (Advanced) | MITM | Android and iOS | MITM attack: intercepts HTTPS traffic by using a valid certificate that does not match the certificate of the server. |
| MITM_SSL_STRIPING | MITM - SSL Stripping | MITM | Android and iOS | MITM attack: intercepts the redirection of network traffic from HTTP to HTTPS and strips the HTTPS call, leaving the traffic as plain HTTP. |
| IOS__ENTERPRISE_PROFILE | Enterprise Certificate Profile | SUSPICIOUS_ENTERPRISE_CERTIFICATE | iOS | An enterprise certificate profile is installed on the device. Enterprise certificates should only be used for official internal apps. |
| IOS__DEVELOPER_PROFILE | Developer certificate profile | SUSPICIOUS_ENTERPRISE_CERTIFICATE | iOS | A developer certificate profile is installed on the device. Developer certificates should only be used for the development of official internal apps. |
| QUERY_ALL_PACKAGES * | Suspicious App | SUSPICIOUS_APP | Android | Verifies the integrity of all the installed apps on the device to detect suspicious apps. |

* Due to Google policy limitations, this capability is available only for banking and digital wallet/payment apps.

Suggested Categories

We recommend the categories below, which appear in the Detection Category column of the table above, for the Harmony App Protect category layer.

Based on Check Point's security experience, we created this default recommendation. If you require a different configuration, submit the above table with your required category configuration.

  • JAILBROKEN_ROOTED – Device sandbox is compromised.

  • MALWARE – App is identified as malicious.

  • AD_MALWARE – App is identified as an ad network with dangerous capabilities.

  • SUSPICIOUS_APP – App is suspected as malicious.

  • MITM – Network Man-in-the-Middle attack.

  • OS_INTEGRITY_COMPROMISED – Device OS is compromised.

  • DEVICE_COMPROMISED – Device configuration enables malicious behavior.

  • SUSPICIOUS_ENTERPRISE_CERTIFICATE – Applies to iOS only. A certificate profile is installed that allows installation of apps on the device from unknown sources.