Move over, Joker: Harly malware infects millions of Android phones

News
By published

More than 190 apps have been infected with this malware since 2020

Smartphone displaying skull and crossbones on screen.
(Image credit: Morrowind/Shutterstock)

Even the most benign looking Android apps on the Google Play Store can be dangerous as cybercriminals continue to devise clever ways to bundle malware with popular apps.

In fact, a 2020 study (PDF) from NortonLifeLock found that two thirds of Android malware comes through Google Play. This makes sense as it is the largest official Android app store and comes pre-installed on the best Android phones.

The infamous Joker malware has made headlines in the past but a new blog post from Kaspersky has shed light on a similar malware strain called Harly, named after the DC villain’s on-again, off-again girlfriend.

Since 2020, more than 190 malicious apps infected with the Harly malware have been discovered on the Play Store. While a conservative estimate of the number of times these bad apps have been downloaded is 4.8 million, the actual figure could be even higher.

Joker malware vs Harly malware

A picture of Joker depicting the Joker malware

(Image credit: Shutterstock)

Just like with Joker malware, the cybercriminals using the Harly malware to infect Android devices download regular apps from the Play Store, insert malicious code into them and then upload these new apps under a different name. 

Since the now altered apps still include the features listed on their Play Store pages, most users don’t suspect a thing.

Apps containing the Joker malware use multi-stage downloaders to receive their malicious payloads from command and control (C&C) servers controlled by an attacker. With the Harly malware though, the apps themselves contain the entire malicious payload and use different methods to decrypt and launch it.

Delete these apps now

Even though all of the apps listed below have since been removed from the Play Store, you will still need to delete them manually if any of them have been installed on your devices. Here's a list of all of the affected apps along with how many times they've been downloaded from the Play Store:

  • Pony Camera - 500,000+ downloads
  • Live Wallpaper&Themes Launcher - 100,000+ downloads
  • Action Launcher & Wallpapers - 100,000+ downloads
  • Color Call - 100,000+ downloads
  • Good Launcher - 100,000+ downloads
  • Mondy Widgets - 100,000+ downloads
  • Funcalls-Voice Changer - 100,000+ downloads
  • Eva Launcher - 100,000+ downloads
  • Newlook Launcher - 100,000+ downloads
  • Pixel Screen Wallpaper - 100,000+ downloads

Signing victims up for subscription services

Dark-haired woman looking at smartphone screen in shock.

(Image credit: fizkes/Shutterstock)

Although Joker and Harly work a bit differently under the hood, both malware strains are used to sign up users whose devices have been infected for expensive subscription services without their knowledge.

Once installed, Harly collects information about a user’s device along with details about the mobile network they’re using. The phone then switches from Wi-Fi to a mobile network and the malware contacts the C&C server to put together a list of subscriptions to sign up for.

From here, Harly opens the subscription sites in an invisible window, enters a victim’s phone number, presses the required button and even enters any confirmation codes sent via text. The end result is that the victim is signed up for a subscription service without realizing it.

Surprisingly, Harly is even capable of calling specific phone numbers when necessary and confirming subscriptions.

How to stay safe from malicious Android apps

Despite Google’s best efforts, malicious apps often end up on the Play Store. This is why you should carefully check the reviews and ratings of each app you download. As reviews on the Play Store can be faked, it’s also worth checking online to find written or video reviews of any app you’re thinking about installing on your Android phone.

Likewise, you should ensure that Google Play Protect is enabled on your device as it scans all of your apps as well as new ones for any signs of malware. For additional protection though, you may want to install one of the best Android antivirus apps as well.

Just like with anything else you download online, you need to be careful when adding new apps to your devices. Before installing a simple flashlight, address book or translation app, it’s always worth it to ask yourself if you really need this app in the first place.

See more Computing News
TOPICS
Anthony Spadafora
Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
Green skull on smartphone screen.
Malicious Android apps with 60 million installs bombarding phones with ads and phishing attacks — how to stay safe
A smartphone screen displaying the Android name and logo next to a sign reading 'MALWARE'.
Fake Google Play Store pages are spreading Trojan malware that can steal your financial data
Green skull on smartphone screen.
Over 1 million Android devices infected with password-stealing, pre-installed botnet malware — how to stay safe
Google Play logo on an android smartphone with corner hole punch camera
At least 5 North Korean spy apps have been found on Google Play — what you need to know
One phone with skull and crossbones on screen among several other clean-looking phones.
Malicious iPhone apps are spreading screenshot-reading malware on the Apple App Store — how to stay safe
Green skull on smartphone screen.
This Android banking trojan steals passwords to take over your accounts — and all it takes is a single text message
Latest in Malware & Adware
Green skull on smartphone screen.
Malicious Android apps with 60 million installs bombarding phones with ads and phishing attacks — how to stay safe
Malware
Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs
An FBI agent typing on a computer
FBI issues warning to millions of Americans to avoid these websites that can steal your passwords and banking info
A hacker typing quickly on a keyboard
New MassJacker malware is hijacking digital wallets to steal large sums from users
A person trying to set up a new Wi-Fi router
Thousands of TP-Link routers have been infected by a botnet to spread malware
A smartphone screen displaying the Android name and logo next to a sign reading 'MALWARE'.
Fake Google Play Store pages are spreading Trojan malware that can steal your financial data
Latest in News
Diego Luna as Cassian Andor in "Andor" season 2 trailer
New ‘Andor’ season 2 trailer teases more explosive action and a darker edge to the hit ‘Star Wars’ show
Russian flag with padlock smashing through glass
47 VPNs could be axed from Google Play Store following Russian demands
ChatGPT on iPhone
ChatGPT was down — updates on quick outage
Emma D'Arcy in House of the Dragon season 2
‘House of the Dragon’ season 3 has officially begun filming — what it could mean for the potential release window
AirPods Max in various colors
AirPods Max is getting a big update with lossless audio and ultra-low latency — here's how it works
A mosquito resting on a plant
Experts predict a spring surge in these 9 pest populations — here's what's forecast for your area
More about malware and adware
Green skull on smartphone screen.

Malicious Android apps with 60 million installs bombarding phones with ads and phishing attacks — how to stay safe
Malware

Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs
The Essentia Stratami mattress directly next to the Nolah Natural 11

Nolah Natural 11 vs Essentia Stratami: Which organic latex mattress suits your sleep?
See more latest
Most Popular
Russian flag with padlock smashing through glass
47 VPNs could be axed from Google Play Store following Russian demands
Diego Luna as Cassian Andor in "Andor" season 2 trailer
New ‘Andor’ season 2 trailer teases more explosive action and a darker edge to the hit ‘Star Wars’ show
ChatGPT on iPhone
ChatGPT was down — updates on quick outage
Emma D'Arcy in House of the Dragon season 2
‘House of the Dragon’ season 3 has officially begun filming — what it could mean for the potential release window
Emilia Schüle dazzles as Marie-Antoinette in the new season on PBS
How to watch ‘Marie Antoinette’ season 2 online – stream the costume drama from anywhere
Roborock Saros Z70
Roborock's new robot vacuum that comes with a robotic arm is now available to buy
AirPods Max in various colors
AirPods Max is getting a big update with lossless audio and ultra-low latency — here's how it works
A mosquito resting on a plant
Experts predict a spring surge in these 9 pest populations — here's what's forecast for your area
Kat Graham in Tyler Perry's "Duplicity" on Prime Video
Prime Video’s new mystery thriller movie has already crashed the top 10 — but there’s a problem
Apple Watch SE (2022) shown on wrist
Apple Watch SE 3 reportedly in ’serious jeopardy’ — here’s why