The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Harly Android Trojan Subscriber

Oct 13, 2022 1:33:22 PM / by PolySwarm Tech Team


Related Families: Jocker

Executive Summary

Kaspersky recently reported on Harly, a trojan subscriber targeting Android devices. Harly can subscribe a victim to a paid service without their knowledge or consent.

Key Takeaways

  • Harly is a trojan subscriber injected into otherwise legitimate Android apps.
  • Over 190 apps have been infected with Harly, with an estimated 4.8 million downloads. 
  • Harly subscribes victims to paid services without their knowledge.
What is Harly?

Harly is a trojan subscriber targeting Android devices. A trojan subscriber is a trojan that subscribes victims to paid services without their knowledge or consent. Harly is named after the DC Comics character Harley Quinn, a companion of the Joker. Kaspersky researchers believe Harly has a common origin with Jocker malware, which is named after the Joker.

Harly is delivered via apps found on the Google Play store. The threat actors take legitimate apps, then inject malicious code into them and upload them to Google Play with a different name.  In the past two years, over 190 apps have been infected with Harly. These apps have been downloaded an estimated 4.8 million times.

Harly contains the entire payload within the app and uses different methods to decrypt and launch it. In one of the samples analyzed, the app loads a suspicious library on launch. It decrypts the file from app resources.

Harly collects information about a victim’s device and mobile network. The sample analyzed only worked with Thai mobile operators. The trojan receives a list of subscriptions from the C2 and signs the victim up for paid subscriptions. Harly is able to subscribe users to paid services, even if confirmation is needed via text message or phone call.

Kaspersky notes the threat actors behind Harly show evidence of knowing how to use Rust and Go, but their skills seem limited to decrypting and loading the SDK. While not attributed to a particular threat actor group, Karspserky believes the threat actors may be of Chinese nexus.


PolySwarm has multiple samples of Harly.










You can use the following CLI command to search for all Harly samples in our portal:

$ polyswarm link list -f Harly

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at | Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, Android, Harly, Subscriber, Trojan

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts