There are at least 190 applications in Google's Play Store for Android that carry Trojan malware capable of signing you up for paid services without your knowledge. The security firm Kaspersky announced the finding and said that, taken together, the apps have close to 5 million downloads.

According to the researchers, the apps were very varied, ranging from flashlights to mini-games, and have been appearing in the official Google application store over the last two years.

This malware has been named Harly, and the security firm compares it to Joker, which has been bypassing Android controls for more than five years and has been found in dozens of apps on Google Play.

Interestingly, the malware writers learned to use the Go and Rust programming languages, but for now their skills are limited to cracking and loading the malicious Software Development Kit (SDK), according to Kaspersky's findings.

How does it work

Once a user opens an infected application, the Trojan can already collect information about the device. Scammers download legitimate apps, insert malicious code into apps that look like ordinary tools, and then re-upload them to Google Play under another name.

Sometimes these applications, in addition to containing malicious code, also offer the service they promise, so users may not suspect them or consider them a threat. Since 2020, more than 190 apps infected with Harly have been found on Google Play.

Most members of the Joker family are multi-stage downloaders: they receive the payload from the scammers' C&C servers. The Trojans of the Harly family, on the other hand, contain the whole payload inside the application and use different methods to decrypt and execute it.
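Because Harly ships its payload inside the APK rather than downloading it, one static triage step a defender can take is to look for opaque, high-entropy blobs among an app's assets that are not ordinary images or archives. The script below is an added illustration, not code from Kaspersky or from this article: it computes the Shannon entropy of each asset, skips files whose magic bytes identify a known compressed container (which are legitimately high-entropy), and flags the rest above an assumed 7.5 bits-per-byte cutoff. The asset names, the threshold, the size floor and the sample bytes are all constructed for the example.

```python
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

# Assumed triage cutoff: uniformly random or encrypted data approaches 8 bits/byte,
# while text, XML and bytecode sit well below it.
HIGH_ENTROPY_THRESHOLD = 7.5
# Assumed floor: very small files give noisy entropy estimates.
MIN_ASSET_SIZE = 1024

# Magic bytes of formats that are high-entropy by design and therefore not
# interesting on their own (they would flood the triage output).
KNOWN_CONTAINER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
}


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_container(data: bytes):
    """Return the container name if `data` starts with a recognised magic prefix."""
    for magic, name in KNOWN_CONTAINER_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def flag_suspicious_assets(assets: Dict[str, bytes],
                           threshold: float = HIGH_ENTROPY_THRESHOLD,
                           min_size: int = MIN_ASSET_SIZE) -> List[Tuple[str, float]]:
    """Return (asset name, entropy) for assets that look like embedded encrypted payloads.

    An asset is flagged when it is at least `min_size` bytes, is not a known
    compressed/image container, and its entropy exceeds `threshold`.
    """
    flagged = []
    for name, data in assets.items():
        if len(data) < min_size or known_container(data) is not None:
            continue
        ent = shannon_entropy(data)
        if ent > threshold:
            flagged.append((name, round(ent, 3)))
    return sorted(flagged)


def constructed_assets() -> Dict[str, bytes]:
    """Constructed sample assets standing in for the contents of an unpacked APK."""
    rng = random.Random(1)  # deterministic stand-in for encrypted bytes
    return {
        # Ordinary text resource: low entropy, should not be flagged.
        "assets/strings.json": (b'{"title": "Flashlight", "button": "Turn on"}\n' * 40),
        # Image: high entropy but identified by its PNG magic, so it is skipped.
        "assets/logo.png": b"\x89PNG\r\n\x1a\n" + rng.randbytes(2048),
        # Opaque blob with no recognisable header: the kind of file worth a closer look.
        "assets/config.dat": rng.randbytes(4096),
    }


def triage_constructed_assets() -> List[Tuple[str, float]]:
    return flag_suspicious_assets(constructed_assets())


if __name__ == "__main__":
    for name, ent in triage_constructed_assets():
        print(f"{name}: {ent:.3f} bits/byte, no known container header")
```

The heuristic only narrows the search: a flagged blob still has to be traced to the code that reads and decrypts it before concluding anything, and a repackaged app can equally hide its payload in a resource whose header mimics a real format.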

Harly collects information about the user's device and, in particular, about the mobile network. The phone is switched to a mobile network, and the Trojan then asks the C&C server for the list of subscriptions it should sign the user up for.

The Trojan opens the subscription address in an invisible window and, by injecting JS scripts, enters the user's phone number, presses the necessary buttons and enters the confirmation code from the text message. In the end, the user ends up with a paid subscription without realizing it.

Take for example an app called com.binbin.flashlight (md5: 2cc9ab72f12baa8c0876c1bd6f8455e7), a flashlight app that has over 10,000 downloads on Google Play.