Skip to main content

Move over, Joker: Harly malware infects millions of Android phones

Smartphone displaying skull and crossbones on screen.
(Image credit: Morrowind/Shutterstock)

Even the most benign looking Android apps on the Google Play Store can be dangerous as cybercriminals continue to devise clever ways to bundle malware with popular apps.

In fact, a 2020 study (opens in new tab) (PDF) from NortonLifeLock found that two thirds of Android malware comes through Google Play. This makes sense as it is the largest official Android app store and comes pre-installed on the best Android phones.

The infamous Joker malware has made headlines in the past but a new blog post (opens in new tab) from Kaspersky has shed light on a similar malware strain called Harly, named after the DC villain’s on-again, off-again girlfriend.

Since 2020, more than 190 malicious apps infected with the Harly malware have been discovered on the Play Store. While a conservative estimate of the number of times these bad apps have been downloaded is 4.8 million, the actual figure could be even higher.

Joker malware vs Harly malware

A picture of Joker depicting the Joker malware

(Image credit: Shutterstock)

Just like with Joker malware, the cybercriminals using the Harly malware to infect Android devices download regular apps from the Play Store, insert malicious code into them and then upload these new apps under a different name. 

Since the now altered apps still include the features listed on their Play Store pages, most users don’t suspect a thing.

Apps containing the Joker malware use multi-stage downloaders to receive their malicious payloads from command and control (C&C) servers controlled by an attacker. With the Harly malware though, the apps themselves contain the entire malicious payload and use different methods to decrypt and launch it.

Delete these apps now

Even though all of the apps listed below have since been removed from the Play Store, you will still need to delete them manually if any of them have been installed on your devices. Here's a list of all of the affected apps along with how many times they've been downloaded from the Play Store:

  • Pony Camera - 500,000+ downloads
  • Live Wallpaper&Themes Launcher - 100,000+ downloads
  • Action Launcher & Wallpapers - 100,000+ downloads
  • Color Call - 100,000+ downloads
  • Good Launcher - 100,000+ downloads
  • Mondy Widgets - 100,000+ downloads
  • Funcalls-Voice Changer - 100,000+ downloads
  • Eva Launcher - 100,000+ downloads
  • Newlook Launcher - 100,000+ downloads
  • Pixel Screen Wallpaper - 100,000+ downloads

Signing victims up for subscription services

Dark-haired woman looking at smartphone screen in shock.

(Image credit: fizkes/Shutterstock)

Although Joker and Harly work a bit differently under the hood, both malware strains are used to sign up users whose devices have been infected for expensive subscription services without their knowledge.

Once installed, Harly collects information about a user’s device along with details about the mobile network they’re using. The phone then switches from Wi-Fi to a mobile network and the malware contacts the C&C server to put together a list of subscriptions to sign up for.

From here, Harly opens the subscription sites in an invisible window, enters a victim’s phone number, presses the required button and even enters any confirmation codes sent via text. The end result is that the victim is signed up for a subscription service without realizing it.

Surprisingly, Harly is even capable of calling specific phone numbers when necessary and confirming subscriptions.

How to stay safe from malicious Android apps

Despite Google’s best efforts, malicious apps often end up on the Play Store. This is why you should carefully check the reviews and ratings of each app you download. As reviews on the Play Store can be faked, it’s also worth checking online to find written or video reviews of any app you’re thinking about installing on your Android phone.

Likewise, you should ensure that Google Play Protect is enabled on your device as it scans all of your apps as well as new ones for any signs of malware. For additional protection though, you may want to install one of the best Android antivirus apps as well.

Just like with anything else you download online, you need to be careful when adding new apps to your devices. Before installing a simple flashlight, address book or translation app, it’s always worth it to ask yourself if you really need this app in the first place.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.