Move over, Joker: Harly malware infects millions of Android phones
Even the most benign Android apps on the Google Play Store can be dangerous, as cybercriminals continue to devise clever ways to bundle malware with popular apps.
In fact, a 2020 study (PDF) by NortonLifeLock found that two-thirds of Android malware comes via Google Play. That makes sense, because it's the biggest official Android app store and comes pre-installed on the best Android phones.
The infamous Joker malware has made headlines in the past, but a new blog post from Kaspersky has brought to light a similar malware strain called Harly, named after the DC villain's recurring girlfriend.
Since 2020, more than 190 malicious apps infected with Harly malware have been discovered on the Play Store. While a conservative estimate of the number of times these bad apps were downloaded is 4.8 million, the actual figure could be even higher.
Joker malware vs Harly malware
Just like with Joker malware, cybercriminals using Harly malware to infect Android devices download regular apps from the Play Store, insert malicious code into them, and then upload these new apps under a different name.
Since the now-modified apps still include the features listed on their Play Store pages, most users wouldn’t suspect a thing.
Applications containing the Joker malware use multi-stage downloaders to receive their malicious payloads from command and control (C&C) servers controlled by an attacker. However, with Harly malware, the apps themselves contain the entire malicious payload and use different methods to decrypt and launch it.
Delete these apps now
Even though all the apps listed below have since been removed from the Play Store, you will still need to remove them manually if any of them have been installed on your devices. Here’s a list of all affected apps along with the number of times they’ve been downloaded from the Play Store:
- Pony Camera – 500,000+ downloads
- Live Wallpaper and Theme Launcher – 100,000+ downloads
- Action Launcher and Wallpapers – 100,000+ downloads
- Call of Color – 100,000+ downloads
- Good Pitcher – 100,000+ downloads
- Mondy Widgets – 100,000+ downloads
- Funcalls-Voice Changer – 100,000+ downloads
- Eva Launcher – 100,000+ downloads
- Newlook Launcher – 100,000+ downloads
- Pixel Screen Wallpaper – 100,000+ downloads
Sign victims up for subscription services
Although Joker and Harly operate a bit differently under the hood, both strains of malware are used to sign users of infected devices up for expensive subscription services without their knowledge.
Once installed, Harly collects information about a user's device as well as details about the mobile network they are using. The phone then switches from Wi-Fi to a mobile network and the malware contacts the C&C server to build a list of subscriptions to sign the victim up for.
From there, Harly opens subscription sites in an invisible window, enters a victim’s phone number, presses the required button, and even enters confirmation codes sent via SMS. The end result is that the victim is signed up for a subscription service without realizing it.
Amazingly, Harly is even able to call specific phone numbers if needed and confirm subscriptions.
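A defender-side triage of the behaviour described above, as an added example that is not from the article or from Kaspersky: it checks whether an app's requested permissions would enable the steps Harly performs. The behaviour-to-permission mapping, the thresholds, the aapt-style input format and the com.example package names are all assumptions.

```python
import re

# Assumed mapping (not from the article): Android permissions that would
# enable each behaviour the article attributes to Harly.
BEHAVIOUR_PERMS = {
    "read SMS confirmation codes": {"READ_SMS", "RECEIVE_SMS"},
    "switch Wi-Fi to mobile data": {"CHANGE_WIFI_STATE", "CHANGE_NETWORK_STATE"},
    "collect phone/network details": {"READ_PHONE_STATE", "READ_PHONE_NUMBERS"},
    "place confirmation calls": {"CALL_PHONE"},
}
PERM_RE = re.compile(r"uses-permission:\s*(?:name=')?android\.permission\.([A-Z_]+)")


def parse_permissions(dump):
    """Extract short permission names from an aapt-style permission dump."""
    return set(PERM_RE.findall(dump))


def triage(dump):
    """Return (level, behaviours); the thresholds are a heuristic assumption."""
    perms = parse_permissions(dump)
    hits = [b for b, needed in BEHAVIOUR_PERMS.items() if perms & needed]
    can_read_sms = "read SMS confirmation codes" in hits
    if can_read_sms and len(hits) >= 3:
        return "high", hits      # SMS access plus most of the described flow
    if can_read_sms or len(hits) >= 2:
        return "review", hits    # partial overlap: compare with the app's purpose
    return "ok", hits


def make_dump(pkg, *perms):
    """Build a constructed dump in the style of `aapt dump permissions`."""
    lines = [f"uses-permission: name='android.permission.{p}'" for p in perms]
    return "\n".join([f"package: {pkg}"] + lines)


# Constructed samples with hypothetical package names (not real apps).
SAMPLES = {
    "com.example.wallpaper": make_dump("com.example.wallpaper", "INTERNET", "SET_WALLPAPER"),
    "com.example.launcher": make_dump(
        "com.example.launcher", "INTERNET", "READ_SMS",
        "CHANGE_WIFI_STATE", "READ_PHONE_STATE", "CALL_PHONE"),
    "com.example.dialer": make_dump("com.example.dialer", "CALL_PHONE", "READ_PHONE_STATE"),
}

if __name__ == "__main__":
    for pkg, dump in SAMPLES.items():
        level, hits = triage(dump)
        print(f"{pkg}: {level} ({', '.join(hits) or 'no overlap'})")
```

A "review" result is not a verdict: a dialer legitimately needs call permissions, whereas a wallpaper or launcher app requesting SMS access does not match its stated purpose.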
How to protect yourself from malicious Android apps
Despite Google’s best efforts, malicious apps often end up on the Play Store. That’s why you should carefully check the reviews and ratings of every app you download. As reviews on the Play Store can be faked, it’s also worth checking online to find written or video reviews of any app you’re considering installing on your Android phone.
Also, you need to make sure that Google Play Protect is enabled on your device, as it scans all your existing apps as well as any new ones for signs of malware. For additional protection, you can also install one of the best Android antivirus apps.
As with anything you download online, you should be careful when adding new apps to your devices. Before you install a simple flashlight, address book, or translator app, it’s always worth considering whether you really need that app in the first place.