It's a common misconception that if you exclusively use Google's Play Store to install apps onto your Android phone, the company will keep you safe from criminals and scammers who are desperate to steal your money. The reality is that, while Google could check the behavior of every Play Store app, it doesn't, and millions of devices could be affected by malware as a result.

One such example of malware found on Google Play is Harly. So what is the Harly Trojan? How can you protect yourself from it?

What Is the Harly Trojan Subscriber?

Harly is the latest in a short series of Batman villain-themed malware for Android devices. Joker, an earlier piece of malware, was shoehorned into legitimate-looking apps, and would download code allowing it to send expensive SMS messages to premium rate phone numbers.

The reach of Joker was limited; Google removed 11 suspect apps from the Play store.

While Joker possessed a degree of subtlety, in that the apps themselves didn't contain the malicious payload, the malware named after his fictional girlfriend (i.e. Harley Quinn) contains all the code it needs, and doesn't rely on a remote command and control server.

Apps containing the Harly malware are easy to create, but hard to detect. Criminals download popular and useful apps from the Play store, inject their own code, then re-upload them under a different name. The apps work like they should: a strobing flashlight app will transform your student accommodation into a disco, and voice changers let you sound like Arnold Schwarzenegger.

But behind the scenes, Harly will secretly sign up your device for expensive subscriptions which are added to your monthly phone bill.

How Does the Harly Trojan Subscriber Work?


Most subscription services require SMS verification in order to take effect, while some go further and demand a phone call to an automated phone number before billing your account.

Harly can sidestep these steps by opening hidden windows to enter sign-up details, and intercepting SMS messages in order to enter verification codes. It can even make phone calls.

In order to do this, Harly must first disconnect your device from Wi-Fi and connect through mobile data instead, so that the sign-up traffic is billed to your mobile account.

Security researchers at Kaspersky have so far identified 190 different Android apps containing the Harly malware. A conservative estimate puts the number of downloads at 4.8 million, although the true number may be far higher.

Am I in Danger From the Harly Malware?

Unless you live in Thailand, you're probably not in immediate danger. As far as is currently known, Harly is only configured to work with local Thai telecoms providers. However, if the criminals decide to reconfigure Harly to work with cell companies in the US or Europe, it would be a trivial change to make.

How Can I Protect Myself From Harly Malware on Android?

In the long term, you should take care with what you install on your Android device.

  • Check the reviews: The first victims of any scam are typically (and justifiably) angry about it, and when their phone bill arrives, will leave reviews complaining that they've been scammed. Pay attention to the reviews, and avoid anything with low ratings or angry feedback.
  • Don't install unnecessary apps on your device: The more apps you have on your device, the more likely it is that one of them is compromised. Ask yourself if you really need a Pony camera app, or yet another live wallpaper switcher. You probably don't.
  • Consider using open source apps exclusively: It's easy to hide malware in apps when the source code is obscured. With open source apps, the source code is available for inspection by anyone, and any malware can easily be found. Bad actors won't even bother trying to hide malware in open source. F-Droid is an excellent repository of open source apps for Android.
  • Cap your phone bill: Most providers allow you to place a spending limit on your phone bill. Take advantage of this to prevent subscription services billing you.

Harly: Just the Latest Malware Distributed Through Google Play

Cybercriminals are always looking for ways to get their wares onto your devices and your money into their pockets. For them, Google is the gift that just keeps on giving. Because Android is the dominant mobile operating system, even a small degree of success can mean millions of dollars for criminals. Keeping your Android device safe is your responsibility.