Google Play Store: Trojan Harly has 4.8 million downloads

In the Google Play Store, Kaspersky discovered numerous Trojanized apps containing the Harly malware. The concludes fee-based service subscriptions.


The Trojan Harly rips off money from its victims by subscribing to paid services in the background. Kaspersky has discovered it in more than 190 apps in the Google Play Store, which together have over 4.8 million downloads.


The masterminds behind the malware downloaded regular apps, added their own malicious code and uploaded them to the Google Play Store under a different name, Kaspersky explains in an analysis. By impersonating legitimate apps, they try to find unsuspecting victims. In addition, the camouflage apps also provide the advertised functions.

In an examined sample, Kaspersky’s antivirus experts found an application that was otherwise available under a different name, to which the attackers added Go and Rust code. This code decrypts and launches the actual SDK malicious code. Unlike more advanced Trojans, the app already contains the full malware program code and does not download and then decrypt it in several stages.

The specific malicious function of the Trojans examined in more detail unfolds in particular among users in Thailand. If the smartphone is registered with a network operator there, it contacts the command-and-control server to receive a list of paid services to be subscribed to. The malware can intercept confirmation SMS in the background unnoticed and click on corresponding buttons on the subscribe web pages through injected JavaScript and fill in form fields. As a special feature, the malware can not only process confirmation SMS, but also set up calls to telephone numbers for confirmation.

SEE ALSO  Google Gemini is not exclusive to Android: the new artificial intelligence is beginning to reach the iPhone

Kaspersky has found some indications that the masterminds behind the malware are from China. The Trojan checks the currently used telephony provider using mobile network codes. In addition to testing for Thai providers, it also checks for China Telecom.

As a protective measure, the antivirus experts recommend also paying attention to the reviews of apps before installing them. Although they could be flooded with fakes, there were always indications in the specific examples of the Harly Trojan that malware is at work there. According to the company, it has contacted Google so that the trojanized apps are no longer available and should have been automatically removed from the affected smartphones.