Move over, Joker: Harly malware infects millions of Android phones
More than 190 apps have been infected with this malware since 2020
Even the most benign looking Android apps on the Google Play Store can be dangerous as cybercriminals continue to devise clever ways to bundle malware with popular apps.
In fact, a 2020 study (PDF) from NortonLifeLock found that two thirds of Android malware comes through Google Play. This makes sense as it is the largest official Android app store and comes pre-installed on the best Android phones.
The infamous Joker malware has made headlines in the past but a new blog post from Kaspersky has shed light on a similar malware strain called Harly, named after the DC villain’s on-again, off-again girlfriend.
Since 2020, more than 190 malicious apps infected with the Harly malware have been discovered on the Play Store. While a conservative estimate of the number of times these bad apps have been downloaded is 4.8 million, the actual figure could be even higher.
Joker malware vs Harly malware
Just like with Joker malware, the cybercriminals using the Harly malware to infect Android devices download regular apps from the Play Store, insert malicious code into them and then upload these new apps under a different name.
Since the now altered apps still include the features listed on their Play Store pages, most users don’t suspect a thing.
Apps containing the Joker malware use multi-stage downloaders to receive their malicious payloads from command and control (C&C) servers controlled by an attacker. With the Harly malware though, the apps themselves contain the entire malicious payload and use different methods to decrypt and launch it.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Here at Tom’s Guide our expert editors are committed to bringing you the best news, reviews and guides to help you stay informed and ahead of the curve!
Delete these apps now
Even though all of the apps listed below have since been removed from the Play Store, you will still need to delete them manually if any of them have been installed on your devices. Here's a list of all of the affected apps along with how many times they've been downloaded from the Play Store:
- Pony Camera - 500,000+ downloads
- Live Wallpaper&Themes Launcher - 100,000+ downloads
- Action Launcher & Wallpapers - 100,000+ downloads
- Color Call - 100,000+ downloads
- Good Launcher - 100,000+ downloads
- Mondy Widgets - 100,000+ downloads
- Funcalls-Voice Changer - 100,000+ downloads
- Eva Launcher - 100,000+ downloads
- Newlook Launcher - 100,000+ downloads
- Pixel Screen Wallpaper - 100,000+ downloads
Signing victims up for subscription services
Although Joker and Harly work a bit differently under the hood, both malware strains are used to sign up users whose devices have been infected for expensive subscription services without their knowledge.
Once installed, Harly collects information about a user’s device along with details about the mobile network they’re using. The phone then switches from Wi-Fi to a mobile network and the malware contacts the C&C server to put together a list of subscriptions to sign up for.
From here, Harly opens the subscription sites in an invisible window, enters a victim’s phone number, presses the required button and even enters any confirmation codes sent via text. The end result is that the victim is signed up for a subscription service without realizing it.
Surprisingly, Harly is even capable of calling specific phone numbers when necessary and confirming subscriptions.
How to stay safe from malicious Android apps
Despite Google’s best efforts, malicious apps often end up on the Play Store. This is why you should carefully check the reviews and ratings of each app you download. As reviews on the Play Store can be faked, it’s also worth checking online to find written or video reviews of any app you’re thinking about installing on your Android phone.
Likewise, you should ensure that Google Play Protect is enabled on your device as it scans all of your apps as well as new ones for any signs of malware. For additional protection though, you may want to install one of the best Android antivirus apps as well.
Just like with anything else you download online, you need to be careful when adding new apps to your devices. Before installing a simple flashlight, address book or translation app, it’s always worth it to ask yourself if you really need this app in the first place.
Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.