All you need to know about the new Harly malware on Google Play

  • webmaster
  • 23 Mar 2023

This Trojan, hidden in numerous Play Store apps, is ready to make you pay!

The Google Play Store is notorious for harboring malicious apps that look safe to install. People think Google actively monitors all apps in its store, but that’s rarely the case, and even the most diligent moderators sometimes fail to catch this malware.

Trojan subscribers are among the most common malware found in the Play Store. They sign unaware users up for expensive paid services without their consent. The new variant of this Trojan family is Harly, named after a popular DC villain.

The Harly Trojan in more detail

Since 2020, over 190 apps on Google Play have been bundled with the Harly Trojan. These apps have had roughly 4.8 million downloads, though the actual number could be much higher.

Like the Joker Trojan, Harly is adept at imitating legitimate apps.

Here’s how it works: fraudsters download the source code of legit apps from the Play Store. Then, they insert the Trojan in the code and re-upload the app with a different name. The renamed fraud app might still function similarly upon installation, leaving users in the dark.

Most variants of the Joker Trojan don’t contain the entire payload within the app. Instead, the payload is delivered from the fraudsters’ C&C server. Trojans of the Harly family, however, carry the whole payload inside the app and use multiple methods to decrypt and launch it.

Harly Trojan subscriber: How It Works

Once the user installs the infected app, the Trojan starts its work in the background to learn about the device. After gathering the requisite information, it communicates with the C&C servers for several paid subscriptions. Then it completes the sign-up process by combining an invisible window and a JavaScript injection to imitate user interaction.

It completes the SMS verification process and calls automated numbers by imitating user behavior. It then connects to the user’s mobile data before entering the verification codes.

After all this, the user ends up subscribed to hundreds of paid services, which costs them a lot. The silver lining is that, currently, Harly can only work with local telecom providers based in Thailand, but experts warn that its reach may grow.
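The behaviours described above (completing SMS verification, calling automated numbers, switching to mobile data) each require an Android permission that a wallpaper or launcher app has little reason to request. The following triage script is an added example, not code from the original article or from any security vendor; it assumes the app's manifest has already been decoded to text XML, and the behaviour-to-permission mapping and the sample manifests are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption of this example (not stated in the article): the Android
# permissions an app needs for each behaviour the article describes.
BEHAVIOUR_PERMISSIONS = {
    "reads SMS verification codes": {
        "android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "places phone calls": {"android.permission.CALL_PHONE"},
    "switches the active network": {
        "android.permission.CHANGE_NETWORK_STATE",
        "android.permission.CHANGE_WIFI_STATE"},
}

def triage_manifest(manifest_xml):
    """Return the package name, matched behaviours and a review flag."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    matched = {}
    for behaviour, needed in BEHAVIOUR_PERMISSIONS.items():
        hits = sorted(requested & needed)
        if hits:
            matched[behaviour] = hits
    # Flag for manual review only when SMS access is combined with at least
    # one other behaviour; SMS access alone is common in messaging apps.
    sms = "reads SMS verification codes" in matched
    return {"package": root.get("package"), "matched": matched,
            "needs_review": sms and len(matched) >= 2}

# Constructed sample manifests (not taken from any real app).
_HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
         ' package="%s">')
_PERM = '<uses-permission android:name="android.permission.%s"/>'
SUSPICIOUS_MANIFEST = _HEAD % "com.example.wallpaper" + "".join(
    _PERM % p for p in ("INTERNET", "SET_WALLPAPER", "RECEIVE_SMS",
                        "CALL_PHONE", "CHANGE_WIFI_STATE")) + "</manifest>"
BENIGN_MANIFEST = _HEAD % "com.example.plainwallpaper" + "".join(
    _PERM % p for p in ("INTERNET", "SET_WALLPAPER")) + "</manifest>"

if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(sample))
```

A flag here only means the permission set is out of line with what the app claims to do; it is a prompt for manual review, not proof of infection.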

Security experts believe these scammers have shown limited Go and Rust programming skills. They suspect the scammers could be from China.

Safeguarding yourself from Trojan subscribers

The Google Play Store moderation team tries to prevent malware as much as possible, but the user should also follow some basic security steps. Awareness of the potential risks of downloading apps with low credibility is vital. Follow the instructions given below to protect yourself from malware.

  • Check the user reviews – Before downloading any app, you should read as many of its user reviews on the Play Store as possible. Any app with low user ratings and/or poor customer feedback should be avoided. Remember, too, that reviews and ratings can be artificially inflated to lure users.
  • Stop installing unnecessary apps – Your chances of falling prey to malware-infested apps increase with the installation of more and more apps. Many fancy apps can seem attractive but offer little real benefit. Some of them are – coloring book apps with subscriptions, human-to-animal translators, phone cooler and cleaner apps, keyword apps, duplicate phone apps, etc.
  • Shifting to open-source apps – Open-source apps have source code that can be checked and verified by anyone. These apps also have a large, passionate community of developers that continuously makes improvements to the app. So, there are fewer chances of malware injection in these apps by scammers. F-Droid is a free catalog of such apps for the Android platform.
  • Stop side-loading apps – There are many disreputable Android app sites that lack moderation. Users should refrain from downloading apps from these repositories.
  • Capping your phone bill – Telecom service providers can let you put a spending limit on your phone bill. With a cap in place, Trojan subscribers cannot cause much financial harm.
  • Getting a reliable security solution – Protecting your smartphone by purchasing a reputable antivirus and VPN app is best.

Apps that have been affected

Some of the apps that have been affected are as follows:

  • Pony Camera
  • Live Wallpaper & Themes Launcher
  • Color Call
  • Good Launcher
  • Action Launcher & Wallpapers
  • Mondy Widgets
  • Eva Launcher
  • Funcalls Voice Changer
  • Newlook Launcher
  • Pixel Screen Wallpaper


Users should understand that fraudsters and scammers are always searching for new ways to exploit technology to gain money. Unfortunately, the Google ecosystem is an ideal breeding ground for all kinds of malware, as anyone can put out their app. So, users should follow the instructions mentioned above to minimize risks as much as possible.
