Numerous pieces of malware remain hidden inside apps on the Google Play Store that seem harmless but are actually malicious programs. The Google Play Store is an official platform whose processes are carefully monitored by moderators. However, some apps may evade the moderators' checks, since it is not possible to check every app before it goes live on the platform.
One such popular malware, called Trojan subscribers, has been discovered by Kaspersky. It affects users by signing them up for paid services without their knowledge. The malware exhibits similarities with the Jocker Trojan subscriber, and experts presume that the two have a common origin.
A trojan is a malicious code or software that gets downloaded onto a system, disguised as an authorized application.
In the past 3 years, over 190 apps have been found infected with the Harly Trojan on the Google Play Store, and these apps have been downloaded more than 4.8 million times.
To spread the virus to different systems, the threat actors download the original applications, place their malicious code into them, and later re-upload them to the Google Play Store under a different name.
The attackers play smart by keeping the same features in the app as listed in the description so that users do not suspect a threat. Impersonating legitimate apps also provides advertisement.
The Trojan malware belonging to the Harly family includes a payload inside the application and uses numerous methods to decrypt and execute the payload.
After the decryption, Harly gathers information about the user's device, including the mobile network. By connecting to the mobile network, the malware opens a list of subscription addresses from a C&C server, where it automatically enters the user's mobile number followed by other options to continue the process, including the OTP from messages. As a result, the user ends up with a paid subscription for a service without their knowledge or consent.
To avoid being a victim of such apps, anti-virus experts suggest looking for reviews of the applications before downloading them. Google has been notified about such apps and asked to remove all the Trojan-infected apps from the platform and devices that are infected with them.