Skip to main content
Emerging ThreatsMalware & Ransomware

Android Malware Campaign Silently Invoices Users via Fake Apps

Person holding smartphone with blank screen in crowded transit platform.

Nearly 250 counterfeit Android apps were used over ten months to sign victims onto premium billing services without their knowledge, with malware that explicitly targeted subscribers in Malaysia, Thailand, Romania and Croatia, Zimperium’s zLabs researchers report.

Zimperium zLabs' findings and timeline

zLabs attributes the operation, which it calls "Premium Deception," to a campaign that ran from March 2025 to mid-January 2026. The research team found that portions of the campaign’s infrastructure remained online at the time of publication. The malicious installers impersonated well-known consumer apps — including Facebook Messenger, Instagram Threads, TikTok, Minecraft and Grand Theft Auto — and collectively approached nearly 250 distinct fake app samples.

Three malware variants with a single financial aim

zLabs identified three variants that escalate in capability but share the same objective: enroll infected devices in premium subscriptions billed via the carrier. The most advanced variant, used against Malaysian DiGi subscribers, automated the full subscription workflow. After reading the device SIM operator code and matching it against a hardcoded list, the malware disabled Wi‑Fi to force traffic onto the cellular network, loaded DiGi’s official billing portal inside a hidden WebView, and executed JavaScript to click the "Request TAC" button, fill in the intercepted one‑time password (OTP) and confirm the subscription.

zLabs found that the campaign harvested OTPs by abusing Google’s SMS Retriever API — a legitimate Android feature intended to let apps read confirmation codes automatically without prompting the user. A second variant, aimed at Thai users, used a multi‑stage attack: it fetched dynamic subscription targets from a command‑and‑control (C2) server, scheduled delayed SMS at 60‑ and 90‑second intervals to try to defeat automated fraud detection, and harvested session cookies from hidden carrier billing pages. The third variant added real‑time Telegram reporting, with a bot that pinged attackers whenever a device was infected, permissions were granted or a premium SMS was sent.

Commercialized infrastructure and measurement controls

The operation shows signs of a well‑organized commercial setup. Each malicious sample embedded an HTTP referrer header formatted as {{FakeAppName}}-{{Country}}-{{Platform}}-{{OperatorCode}}, allowing operators to measure which fake personas and distribution channels — TikTok, Facebook, Google — produced the most successful infections. zLabs identified at least 12 premium SMS short codes being abused across the four targeted countries and traced C2 infrastructure to the modobomz[.]com and mwmze[.]com domains. When the malware detected a SIM operator outside its hardcoded target list it displayed a benign webview of apkafa.com to avoid suspicion and maintain persistence, an evasion pattern zLabs maps to MITRE ATT&CK technique T1628.001.

Technical notes: carrier billing automation and evasion

The campaign relied on two technical pillars to make unauthorized billing work at scale. First, the malware enforced cellular routing by disabling Wi‑Fi so that device requests would hit carrier billing portals tied to the subscriber’s mobile network. Second, the operation automated interaction with carrier pages via hidden WebViews and in‑page JavaScript, combined with SMS interception through Android APIs, to complete subscription flows without user consent. Layered into these mechanics were timing tactics — the scheduled 60‑ and 90‑second SMS delays — and remote measurement strings in HTTP referrers to optimize conversions and distribution.

What this means for end users, mobile operators, and security teams

  • End users. zLabs’ advice is direct: avoid sideloading Android apps from third‑party stores, audit installed apps against trusted brand names, and review recent mobile bills for unexplained subscription charges. The campaign’s impersonation of legitimate apps increases the risk that casual inspections miss malicious installers.
  • Mobile operators. The operation abused carrier billing portals and short codes, and in one instance automated enrollment against DiGi’s billing flow. Operators will need to monitor for hidden‑WebView automation patterns, anomalous referral headers, and sudden spikes of short‑code activity tied to specific app referrers.
  • Security teams and incident responders. Indicators uncovered by zLabs — the referrer header pattern, the modobomz[.]com and mwmze[.]com domains, use of apkafa.com as a benign fallback, and the list of abused short codes — provide concrete leads for detection and containment. Teams should also consider telemetry that reveals Wi‑Fi disablement coincident with carrier billing attempts and SMS Retriever API usage by unexpected apps.

Premium Deception demonstrates how relatively modest Android malware, when paired with automated carrier‑billing workflows and measurement telemetry, can become a profitable and persistent fraud operation across multiple countries. Portions of the campaign infrastructure remained reachable when zLabs published its analysis, leaving open whether the operators will modify their tools or pivot to new targets. For now, the most immediate defenses are vigilance by users and targeted detection by operators and defenders.

https://www.infosecurity-magazine.com/news/android-carrier-billing-fraud-four/