In the Google Play Store, Kaspersky discovered numerous trojanized apps containing the Harly malware. The malware takes out fee-based service subscriptions.
The Harly Trojan steals money from its victims by subscribing them to paid services in the background. Kaspersky has discovered it in more than 190 apps in the Google Play Store, which together have over 4.8 million downloads.
The masterminds behind the malware downloaded regular apps, added their own malicious code and uploaded them to the Google Play Store under a different name, Kaspersky explains in an analysis. By impersonating legitimate apps, they try to find unsuspecting victims. The disguised apps also provide the advertised functions.
Not particularly advanced
In an examined sample, Kaspersky’s antivirus experts found an application that was otherwise available under a different name, to which the attackers had added Go and Rust code. This code decrypts and launches the actual malicious SDK. Unlike more advanced Trojans, the app already contains the full malware code and does not download and then decrypt it in several stages.
Kaspersky has found some indications that the masterminds behind the malware are from China. The Trojan uses mobile network codes to check which mobile carrier is currently in use. In addition to testing for Thai providers, it also checks for China Telecom.
As a protective measure, the antivirus experts recommend also paying attention to an app's reviews before installing it. Although reviews could be flooded with fakes, in the specific examples of the Harly Trojan there were always indications that malware was at work. According to the company, it has contacted Google so that the trojanized apps are no longer available and should have been automatically removed from the affected smartphones.