The PolySwarm Blog

Harly Android Trojan Subscriber

Oct 13, 2022 1:33:22 PM / by PolySwarm Tech Team

Related Families: Jocker

Executive Summary

Kaspersky recently reported on Harly, a trojan subscriber targeting Android devices. Harly can subscribe a victim to a paid service without their knowledge or consent.

Key Takeaways

  • Harly is a trojan subscriber injected into otherwise legitimate Android apps.
  • Over 190 apps have been infected with Harly, with an estimated 4.8 million downloads.
  • Harly subscribes victims to paid services without their knowledge.

What is Harly?

Harly is a trojan subscriber targeting Android devices. A trojan subscriber is a trojan that subscribes victims to paid services without their knowledge or consent. Harly is named after the DC Comics character Harley Quinn, a companion of the Joker. Kaspersky researchers believe Harly has a common origin with Jocker malware, which is named after the Joker.

Harly is delivered via apps found on the Google Play store. The threat actors take legitimate apps, inject malicious code into them, and upload the result to Google Play under a different name. In the past two years, over 190 apps have been infected with Harly, and these apps have been downloaded an estimated 4.8 million times.

Harly carries its entire payload inside the app and uses several different methods to decrypt and launch it. In one of the samples analyzed, the app loads a suspicious library at launch, and that library decrypts the payload file from the app's resources.

Harly collects information about the victim's device and mobile network. The sample analyzed only worked with Thai mobile operators. The trojan receives a list of subscriptions from its C2 server and signs the victim up for those paid services. It is able to complete a subscription even when confirmation is required via text message or phone call.

Kaspersky notes that the threat actors behind Harly show some familiarity with Rust and Go, but their skills appear limited to decrypting and loading the SDK. While Harly is not attributed to a particular threat actor group, Kaspersky believes the operators may be of Chinese nexus.

IOCs

PolySwarm has multiple samples of Harly.

79edc6e3bced624600a5974b373fd0a3ef50355e763eb38123b1b1e8fd5ff9e9

279cdccd8d1b1729628cd021d332f2a1b26abce1fb40a8a5a46b9528274411e2

0ce7e3cf4543e80f85e1938bbbacbca07cf7d70efa3c989358adb5e15d87be64

98fc1874772bc1a4eac483b4f50b7d36900c29ca3d5711cb6a3b8462854d8f05

73cb135c7b86df3db4ad112baddc4f37341cb00b75740d6e23f58cce46eab7f6

f7eff6d7006cc4cc19d7fe574e50fc371e98ce8bdca09f74401ea27718f39142

67b68a4394db4eb8c974301c0d56b17ba0ac99512767e37ddf39beba4ffd8348

c412b1e0d4ae597e7a212ef5447d1990a46b9816d7a90d6ec7493160b1abd860

2377d1be241642840c4eec97141c828ba69d1f110fb2d903301c853dcaeb9e5b

You can use the following CLI command to search for all Harly samples in our portal:

$ polyswarm link list -f Harly
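As an added example that is not part of the original bulletin (it is neither PolySwarm's nor Kaspersky's code), the following Python script hashes APK files on disk and matches them against the SHA-256 IOCs listed above. The hash set is copied verbatim from the list; the directory layout, file names and file contents it creates are constructed stand-ins, and no real sample is needed to run it.

```python
"""Offline IOC match for the Harly SHA-256 hashes listed above.

Added example: not PolySwarm's or Kaspersky's code. The hash set is
copied from the bulletin; everything else (file names, directory
layout, file contents) is constructed here for demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 IOCs from the bulletin (lowercase hex).
HARLY_SHA256 = {
    "79edc6e3bced624600a5974b373fd0a3ef50355e763eb38123b1b1e8fd5ff9e9",
    "279cdccd8d1b1729628cd021d332f2a1b26abce1fb40a8a5a46b9528274411e2",
    "0ce7e3cf4543e80f85e1938bbbacbca07cf7d70efa3c989358adb5e15d87be64",
    "98fc1874772bc1a4eac483b4f50b7d36900c29ca3d5711cb6a3b8462854d8f05",
    "73cb135c7b86df3db4ad112baddc4f37341cb00b75740d6e23f58cce46eab7f6",
    "f7eff6d7006cc4cc19d7fe574e50fc371e98ce8bdca09f74401ea27718f39142",
    "67b68a4394db4eb8c974301c0d56b17ba0ac99512767e37ddf39beba4ffd8348",
    "c412b1e0d4ae597e7a212ef5447d1990a46b9816d7a90d6ec7493160b1abd860",
    "2377d1be241642840c4eec97141c828ba69d1f110fb2d903301c853dcaeb9e5b",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large APKs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, iocs=HARLY_SHA256, suffixes=(".apk",)):
    """Return [(path, sha256)] for every file under root whose hash is in iocs.

    Matching is on the full SHA-256 only: a repackaged build that differs by
    a single byte will not match, so a miss means "not on this list", not
    "clean". Non-APK files are skipped by extension.
    """
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        digest = sha256_file(path)
        if digest.lower() in iocs:
            hits.append((str(path), digest))
    return hits


def demo():
    """Build a constructed sample tree and scan it.

    One file stands in for a known-bad APK: its own hash is added to a copy
    of the IOC set so the match path is exercised without shipping malware.
    The bytes below are made up; they are not real APK content.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "benign.apk").write_bytes(b"PK\x03\x04 constructed benign apk")
        bad = root / "sub" / "suspicious.apk"
        bad.parent.mkdir()
        bad.write_bytes(b"PK\x03\x04 constructed stand-in for a Harly sample")
        (root / "notes.txt").write_bytes(b"not an apk, ignored by extension")
        iocs = HARLY_SHA256 | {sha256_file(bad)}
        return scan_directory(root, iocs)


if __name__ == "__main__":
    for path, digest in demo():
        print(f"HIT {digest}  {path}")
```

Point `scan_directory` at a directory of extracted APKs (for example a device backup or an app-store mirror) with the default IOC set to check for the listed samples; extend the set as new hashes are published.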

Topics: Threat Bulletin, Android, Harly, Subscriber, Trojan
