# Harly
Harly is a subscription fraud trojan distributed through the Google Play Store, identified and named by Kaspersky in 2022. With over 190 infected apps and a conservative 4.8 million downloads, Harly operates in the same toll fraud space as Joker but uses a distinct technical approach: the entire malicious payload is embedded within the APK rather than downloaded from a C2 server. The family is notable for using Rust and Go native libraries as payload loaders, a technique uncommon in Android toll fraud malware.
## Overview
| Attribute | Details |
|---|---|
| First Seen | 2020 |
| Status | Active |
| Type | Subscription fraud, toll fraud |
| Attribution | Unknown |
| Aliases | Harly Trojan Subscriber |
## Origin and Lineage
Kaspersky classified Harly as part of the Joker/Bread ecosystem based on functional similarity: both families silently subscribe victims to paid services through WAP billing and premium SMS. The key lineage difference is architectural. Joker variants typically act as droppers that download their payload from C2 servers at runtime. Harly embeds the complete payload within the APK itself, encrypted inside assets or native libraries, and decrypts it locally on launch.
HUMAN Security's Satori team tracked Harly's evolution and uncovered 95 additional malicious apps on Google Play during their investigation. Their analysis revealed that the threat actors behind Harly have adopted Rust and Go for the native library loaders, though their use of these languages appears limited to payload decryption and loading rather than the core fraud logic.
## Distribution
Harly distributes exclusively through Google Play using trojanized functional apps. The operators download legitimate apps, inject malicious code, re-upload them under different developer accounts and names, and maintain the original app functionality to avoid negative reviews.
| Attribute | Details |
|---|---|
| Store | Google Play Store |
| Infected apps | 190+ identified |
| Total downloads | 4.8M+ (conservative estimate) |
| App categories | Games, flashlights, wallpapers, camera filters, ringtones, utilities |
| Review evasion | Apps retain original functionality; malicious behavior is silent |
The apps function as advertised. A user who downloads a Harly-infected flashlight app gets a working flashlight. The subscription fraud occurs entirely in the background without any visible indication.
## Capabilities
### Subscription Fraud Flow
| Step | Action |
|---|---|
| 1 | App launches, native library (Rust or Go) decrypts embedded DEX payload |
| 2 | Decrypted DEX file loaded via DexClassLoader |
| 3 | Payload contacts C2 to receive subscription target list |
| 4 | Opens subscription page in invisible WebView |
| 5 | JavaScript injection auto-fills victim's phone number |
| 6 | Intercepts confirmation SMS via NotificationListenerService |
| 7 | Extracts PIN/OTP from notification or SMS |
| 8 | Submits confirmation code to complete enrollment |
| 9 | Hides confirmation notification from victim |
Harly handles two confirmation methods:
- SMS confirmation: The NotificationListenerService reads the incoming verification SMS, extracts the code, and programmatically submits it
- Phone call confirmation: For services that confirm via automated call, the trojan can initiate calls to specific numbers and confirm subscriptions through the call flow
### Data Collection
| Data | Purpose |
|---|---|
| Device info | Fingerprinting for operator analytics |
| Mobile network/carrier | Determines which subscription services are available |
| SIM MCC/MNC | Country and carrier identification for targeting |
| Installed apps | Unknown, possibly for avoiding conflicts with other toll fraud malware |
## Technical Details
### Payload Architecture
Unlike Joker's dropper model, Harly packages everything locally:
```text
APK
├── lib/
│   └── [arch]/
│       └── libloader.so (Rust or Go native library)
├── assets/
│   └── [encrypted_payload] (encrypted DEX file, disguised extension)
└── classes.dex (stub loader, minimal code)
```
The native library in lib/ handles decryption of the asset file. Once decrypted, the result is a DEX file containing the full subscription fraud SDK. The stub classes.dex loads the native library and triggers decryption on app start.
### Native Library (Rust/Go)
HUMAN Security's analysis found that threat actors use Rust and Go to build the native loader libraries. The use of compiled native code for the loader serves two purposes:
- Static analysis tools focused on Dalvik bytecode cannot inspect the decryption logic
- Rust and Go binaries are harder to reverse engineer than standard JNI C/C++ libraries
The threat actors' Rust and Go proficiency appears limited to the loader component. The actual fraud logic in the decrypted DEX is standard Java/Kotlin.
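The payload layout and the native-loader section above describe three container-level traits: a Go or Rust .so, an encrypted asset with a disguised extension, and a minimal classes.dex. The script below is an added example (not tooling from Kaspersky, HUMAN Security or any other source cited on this page) that checks an APK for those traits without decrypting anything: it classifies .so files by toolchain strings, flags assets whose entropy is high but whose bytes do not start with the magic their extension claims, and notes an unusually small primary DEX. The marker strings, the entropy threshold, the stub-DEX size limit and the in-memory sample APK are all assumptions constructed for this example.

```python
"""Zip-level triage heuristics for Harly-style embedded-payload APKs.

Added example, not vendor tooling. The toolchain markers, the entropy
threshold and the stub-DEX size are assumptions chosen for illustration,
and the sample APK is constructed in memory so the script runs offline.
"""
import io
import math
import os
import random
import zipfile
from collections import Counter

# Strings that commonly survive in Go and Rust ELF builds (assumed markers,
# not vendor signatures).
GO_MARKERS = (b"Go build ID", b"runtime.gopanic", b"go:buildid")
RUST_MARKERS = (b"core::panicking", b"rust_begin_unwind", b"library/std/src")

# Magic bytes for asset types that are legitimately high-entropy (compressed
# media and fonts). A high-entropy asset whose bytes do NOT start with the
# magic its extension claims is the "disguised extension" pattern.
MAGIC = {
    ".png": (b"\x89PNG",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".webp": (b"RIFF",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3"),
    ".ogg": (b"OggS",),
    ".ttf": (b"\x00\x01\x00\x00",),
    ".otf": (b"OTTO",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for encrypted or well-compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_native_lib(blob: bytes) -> str:
    """Return 'go', 'rust' or 'other' based on toolchain strings in the ELF."""
    if any(m in blob for m in GO_MARKERS):
        return "go"
    if any(m in blob for m in RUST_MARKERS):
        return "rust"
    return "other"


def matches_claimed_type(data: bytes, ext: str) -> bool:
    """True if the bytes carry the magic expected for the extension.
    Extensions not in MAGIC (.txt, .json, .dat, ...) return False, so a
    high-entropy file with such an extension is treated as suspicious."""
    return any(data.startswith(sig) for sig in MAGIC.get(ext, ()))


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5,
               stub_dex_max: int = 64 * 1024) -> dict:
    """Scan an APK container and return findings plus a crude risk score."""
    findings = {"native_libs": {}, "suspicious_assets": [], "stub_dex": False, "score": 0}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if name.startswith("lib/") and name.endswith(".so"):
                lang = classify_native_lib(zf.read(name))
                findings["native_libs"][name] = lang
                if lang in ("go", "rust"):
                    findings["score"] += 2
            elif name.startswith("assets/"):
                data = zf.read(name)
                ent = shannon_entropy(data)
                ext = os.path.splitext(name)[1].lower()
                if ent >= entropy_threshold and not matches_claimed_type(data, ext):
                    findings["suspicious_assets"].append((name, round(ent, 2)))
                    findings["score"] += 3
            elif name == "classes.dex" and info.file_size < stub_dex_max:
                # A tiny primary DEX next to a native loader suggests the real
                # code lives elsewhere in the package.
                findings["stub_dex"] = True
                findings["score"] += 1
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample (not a real Harly sample) exhibiting all three traits."""
    rng = random.Random(7)
    noise = bytes(rng.randrange(256) for _ in range(4096))  # stands in for ciphertext
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 200)  # stub loader
        zf.writestr("lib/arm64-v8a/libloader.so",
                    b"\x7fELF" + b"\x00" * 64 + b"Go build ID: \"abc\"" + noise[:512])
        zf.writestr("assets/legit.png", b"\x89PNG\r\n\x1a\n" + noise)  # genuine PNG header
        zf.writestr("assets/splash.png", noise)  # high entropy, no PNG magic: disguised payload
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

The magic-byte check is what keeps the entropy heuristic useful: compressed images and fonts score as high as ciphertext, so entropy alone would flag every media asset. Real triage would add manifest decoding (for the notification-listener and call permissions the fraud flow needs) and would treat the score as a prioritisation hint, not a verdict.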
### C2 Communication
Harly contacts a C2 server after the payload is decrypted and loaded. The C2 provides:
- List of subscription services to target
- Subscription page URLs
- JavaScript injection scripts for form filling
- Configuration updates
The C2 address is embedded in the encrypted payload, not in the outer APK, so it is only visible after decryption.
### Country Targeting
Like Joker, Harly checks the device's MCC/MNC to determine if the victim's carrier supports the targeted subscription services. Kaspersky noted that some analyzed samples only operated with Thai mobile operators, though the family targets multiple regions globally.
## Target Regions
Harly targets regions with active WAP billing and premium SMS infrastructure:
| Region | Notes |
|---|---|
| Southeast Asia | Thailand confirmed as a primary target; Indonesia, Malaysia also targeted |
| Europe | Multiple Western European carriers targeted |
| Middle East | Carriers with WAP billing support |
Target selection is dynamic, controlled by C2 configuration rather than hardcoded in the app.
## Notable Campaigns
2020-2022: Over 190 Harly-infected apps accumulate 4.8M+ downloads on Google Play before Kaspersky publishes their analysis in September 2022, leading to removal of identified apps.
2022, September: Kaspersky names and documents the Harly family, distinguishing it from Joker by its embedded payload architecture and detailing the invisible WebView subscription mechanism.
2022, October: PolySwarm integrates Harly detection and publishes a summary correlating Kaspersky's findings with additional variant telemetry.
2023: HUMAN Security's Satori team publishes their investigation, uncovering 95 additional malicious apps and documenting the Rust/Go native loader evolution. Collaboration with Google leads to removal of identified apps from the Play Store.
2023: Kaspersky later identified Fleckpe, a related subscription trojan family using native library droppers, found in 11 Play Store apps with 620,000+ downloads.
2023-present: New variants continue to appear on Google Play. The family adapts by rotating developer accounts and modifying the native loader to evade updated Play Protect signatures. Kaspersky's 2022 mobile threat report lists Harly among the most prevalent subscription trojans on Android, and independent reverse engineering by researchers confirms that its decryption techniques continue to evolve.