Even the most benign-looking Android apps on the Google Play Store can be dangerous as cybercriminals continue to devise clever ways to bundle malware with popular apps.
In fact, a 2020 study (PDF) from NortonLifeLock found that two-thirds of Android malware comes through Google Play. This makes sense as it is the largest official Android app store and comes pre-installed on the best Android phones.
The infamous Joker malware has made headlines in the past, but a new blog post from Kaspersky has shed light on a similar malware strain called Harly, named after the DC villain’s on-again, off-again girlfriend.
Since 2020, more than 190 malicious apps infected with the Harly malware have been discovered on the Play Store. While a conservative estimate of the number of times these bad apps have been downloaded is 4.8 million, the actual figure could be even higher.
Joker malware vs Harly malware
Just like with Joker malware, the cybercriminals using the Harly malware to infect Android devices download regular apps from the Play Store, insert malicious code into them and then upload these new apps under a different name.
Since the now altered apps still include the features listed on their Play Store pages, most users don’t suspect a thing.
Apps containing the Joker malware use multi-stage downloaders to receive their malicious payloads from command and control (C&C) servers controlled by an attacker. With the Harly malware though, the apps themselves contain the entire malicious payload and use different methods to decrypt and launch it.
Delete these apps now
Even though all of the apps listed below have since been removed from the Play Store, you will still need to delete them manually if any of them have been installed on your devices. Here's a list of all of the affected apps along with how many times they've been downloaded from the Play Store:
- Pony Camera - 500,000+ downloads
- Live Wallpaper&Themes Launcher - 100,000+ downloads
- Action Launcher & Wallpapers - 100,000+ downloads
- Color Call - 100,000+ downloads
- Good Launcher - 100,000+ downloads
- Mondy Widgets - 100,000+ downloads
- Funcalls-Voice Changer - 100,000+ downloads
- Eva Launcher - 100,000+ downloads
- Newlook Launcher - 100,000+ downloads
- Pixel Screen Wallpaper - 100,000+ downloads
Signing victims up for subscription services
Although Joker and Harly work a bit differently under the hood, both malware strains are used to sign users of infected devices up for expensive subscription services without their knowledge.
Once installed, Harly collects information about a user’s device along with details about the mobile network they’re using. The phone then switches from Wi-Fi to a mobile network and the malware contacts the C&C server to put together a list of subscriptions to sign up for.
From here, Harly opens the subscription sites in an invisible window, enters a victim’s phone number, presses the required button and even enters any confirmation codes sent via text. The end result is that the victim is signed up for a subscription service without realizing it.
Surprisingly, Harly is even capable of calling specific phone numbers when necessary and confirming subscriptions.
How to stay safe from malicious Android apps
Despite Google’s best efforts, malicious apps often end up on the Play Store. This is why you should carefully check the reviews and ratings of each app you download. As reviews on the Play Store can be faked, it’s also worth checking online to find written or video reviews of any app you’re thinking about installing on your Android phone.
Likewise, you should ensure that Google Play Protect is enabled on your device, as it scans both the apps you already have and any new ones you install for signs of malware. For additional protection though, you may want to install one of the best Android antivirus apps as well.
Just like with anything else you download online, you need to be careful when adding new apps to your devices. Before installing a simple flashlight, address book or translation app, it’s always worth it to ask yourself if you really need this app in the first place.