{"id":31046,"date":"2022-09-22T21:06:36","date_gmt":"2022-09-22T10:06:36","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/harly-trojan-subscriber\/31046\/"},"modified":"2022-09-22T21:06:58","modified_gmt":"2022-09-22T10:06:58","slug":"harly-trojan-subscriber","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/harly-trojan-subscriber\/31046\/","title":{"rendered":"Harly: another Trojan subscriber on Google Play"},"content":{"rendered":"

It\u2019s common to find all sorts of malware lurking under what seem to be harmless apps on the official Google Play store. Unfortunately, even if the platform is policed carefully, moderators can\u2019t always catch these apps before they\u2019re posted. One of the most popular variations of this kind of malware is Trojan subscribers, which sign up for paid services without the user\u2019s knowledge. We\u2019ve previously written<\/a> about the most common families of this kind of Trojans. Here we\u2019ll tell you about another. It\u2019s similar to the Jocker Trojan subscriber\u00a0\u2014 that\u2019s why it\u2019s called Harly, the (slightly altered) name of the sidekick<\/a> of a well-known comic book villain. The two Trojans probably have common origins.<\/p>\n

The lowdown on Harly Trojans<\/h2>\n

\nSince 2020 more than 190 apps infected with Harly have been found on Google Play. A conservative estimate of the number of downloads of these apps is 4.8 million, but the actual figure may be even higher.<\/p>\n

\"Examples<\/a>

Examples of apps on Google Play that contain Harly malware<\/p><\/div>\n

Just like the Jocker Trojans, Trojans in the Harly family imitate legitimate apps. So how does it work? The scammers download ordinary apps from Google Play, insert malicious code into them, then upload them to Google Play under a different name. The apps may still have the features that are listed in the description, so the users may not even suspect a threat.<\/p>\n

\"More<\/a>

More examples of apps on Google Play that contain Harly malware<\/p><\/div>\n

Most members of the Jocker family are multi-staged downloaders<\/a> \u2014 they receive the payload from the scammers\u2019 C&C servers. Trojans in the Harly family, on the other hand, contain the whole payload within the app and use different methods to decrypt and launch it.<\/p>\n

\"Reviews<\/a>

Reviews by users complaining about charges<\/p><\/div>\n

How Harly Trojan subscriber works<\/h2>\n

\nLet\u2019s take as an example an app called com.binbin.flashlight (md5: 2cc9ab72f12baa8c0876c1bd6f8455e7), a flashlight app that has had more than 10,000 downloads from Google Play.<\/p>\n

\"An<\/a>

An app infected with the Harly Trojan<\/p><\/div>\n

When the app is launched, a dodgy library is loaded:<\/p>\n

\"A<\/a>

A dodgy library<\/p><\/div>\n

The library decrypts the file from the app resources.<\/p>\n

\"Decryption<\/a>

Decryption of a file from the app resources<\/p><\/div>\n

Interestingly, the malware creators learned how to use the Go<\/a> and Rust<\/a> languages, but for now their skills are limited to decrypting and loading the malicious SDK<\/a>.<\/p>\n

Like other Trojans subscribers, Harly collects information about the user\u2019s device, and particularly about the mobile network. The user\u2019s phone switches to a mobile network and then the Trojan asks the C&C server to configure the list of subscriptions that must be signed up for.<\/p>\n

This particular Trojan works only with Thai operators, so first it checks the MNCs<\/a> (mobile network codes)\u00a0\u2014 the unique identifiers of network operators to make sure they\u2019re Thai:<\/p>\n

\"Checking<\/a>

Checking the MNCs<\/p><\/div>\n

However, as a test MNC it uses China Telecom\u2019s code \u2014 46011. This and other clues suggest that the malware developers are located in China.<\/p>\n

\"Test<\/a>

Test MNC<\/p><\/div>\n

The Trojan opens the subscription address in an invisible window, and by injecting JS scripts enters the user\u2019s phone number, taps the required buttons, and enters the confirmation code from a text message. The result is that the user gets a paid subscription without realizing it.<\/p>\n

Another notable feature of this Trojan is that it can subscribe not only when the process is protected by a text message code, but also when it is protected by a phone call: in this case the Trojan makes a call to specific number and confirms the subscription.<\/p>\n

Our products detect the harmful apps we have described here as Trojan.AndroidOS.Harly and Trojan.AndroidOS.Piom.<\/p>\n

How to protect yourself from Trojan subscribers<\/h2>\n

\nThe official app stores are continually combating the spread of malware but, as we see, they\u2019re not always successful. Before you install an app, you should first read the user reviews and check its rating on Google Play. Of course, keep in mind that reviews and ratings may be inflated<\/a>. To cover all your bases so you can avoid falling prey to this kind of malware, we recommend that you install a reliable security solution<\/a>.<\/p>\n\n","protected":false},"excerpt":{"rendered":"

We explain how the Harly Trojan subscriber targets Android users.<\/p>\n","protected":false},"author":2492,"featured_media":31053,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2646],"tags":[105,183,3186,723],"class_list":{"0":"post-31046","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-android","9":"tag-google-play","10":"tag-paid-subscriptions","11":"tag-trojans"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/harly-trojan-subscriber\/31046\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/harly-trojan-subscriber\/24633\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/harly-trojan-subscriber\/20100\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/harly-trojan-subscriber\/10143\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/harly-trojan-subscriber\/27085\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/harly-trojan-subscriber\/24990\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/harly-trojan-subscriber\/25313\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/harly-trojan-subscriber\/27704\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/harly-trojan-subscriber\/27229\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/harly-trojan-subscriber\/34011\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/harly-trojan-subscriber\/11049\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/harly-trojan-subscriber\/45573\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/harly-trojan-subscriber\/19501\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/harly-trojan-subscriber\/20062\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/harly-trojan-subscriber\/29306\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/harly-trojan-subscriber\/32616\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/harly-trojan-subscriber\/28493\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/harly-trojan-subscriber\/25478\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/harly-trojan-subscriber\/30738\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/31046","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2492"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=31046"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/31046\/revisions"}],"predecessor-version":[{"id":31052,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/31046\/revisions\/31052"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/31053"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=31046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=31046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=31046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}