
Fake Android Apps Commit Carrier Billing Fraud for Premium Services

Why This Matters

A new wave of malicious Android apps is covertly enrolling users in premium carrier-billed services across Malaysia, Thailand, Romania, and Croatia. These apps disguise themselves as popular, trusted applications and use advanced techniques to automate fraudulent subscriptions without user consent, posing significant risks to consumers and the telecom industry. The campaign highlights the ongoing threat of sophisticated mobile malware targeting user trust and financial security.

Key Takeaways

A financially motivated threat actor is targeting Android users in Malaysia, Thailand, Romania, and Croatia with malware that covertly enrolls victims in premium, carrier-billed services.

The campaign involves nearly 250 Android apps that selectively target users based on their specific mobile service provider and geographic location, according to researchers at Zimperium. The malware — disguised as popular applications such as Messenger, TikTok, Minecraft, and Grand Theft Auto — uses WebView automation, JavaScript injection, and OTP interception to avoid user interaction and complete fraudulent subscription workflows in the background.

A Sneaky, Persistent Campaign

Zimperium's analysis showed that, once opened, each of the malicious apps first read the device's SIM card information to identify the victim's mobile operator. The fraud workflow activated only if the operator matched a list of hardcoded targets, including DiGi, Celcom, Maxis, and U Mobile in Malaysia. If the device belonged to a non-targeted carrier, the malicious app simply displayed a harmless Web page and avoided any behavior that might trigger detection, Zimperium said.


The campaign appears to have begun in March 2025 and remained highly active through at least the second week of January, with parts of its infrastructure still operational today.

"The zLabs team identified three distinct malware variants in this campaign, each demonstrating different levels of sophistication in how they silently subscribe victims to premium services once the user has unwittingly downloaded the malicious app masquerading as a trusted brand," Zimperium said.

The most technically sophisticated variant, the vendor's analysis showed, was the one targeting Malaysian users, because it automated the entire subscription process. When carrier billing required a one-time password, the malware displayed a fake verification prompt designed to trick users into entering a code that appeared to authenticate a game account, while they were actually authorizing a paid subscription in the background.

Leveraging Legitimate Components to Bypass Users

Zimperium found the malware variant abusing Google's SMS Retriever API — a feature that lets apps automatically read one-time passwords delivered by SMS — to silently capture OTPs and then use them for billing confirmation, all without any user interaction. The malware also silently disables the victim device's Wi-Fi connection to force all traffic through the cellular network, which is often required for carrier billing authentication, Zimperium said.
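As an added defender-side example (not from the article and not Zimperium's own tooling), the following Python triage script scores an APK's manifest and decompiled source for the combination of behaviours described here and in the carrier-gating section above: reading the SIM operator, registering an SMS Retriever broadcast receiver, disabling Wi-Fi, and enabling WebView JavaScript. The weights, threshold, indicator labels and sample inputs are constructed assumptions; the permission names and the SMS_RETRIEVED action string are the real Android and Google Play services identifiers.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Weights are a constructed triage heuristic, not a vendor signature.
PERMISSION_WEIGHTS = {
    "android.permission.READ_PHONE_STATE": 1,   # reading SIM/operator identity
    "android.permission.CHANGE_WIFI_STATE": 2,  # switching Wi-Fi off
}
SMS_RETRIEVED_ACTION = "com.google.android.gms.auth.api.phone.SMS_RETRIEVED"
CODE_PATTERNS = {  # regex over decompiled source -> (indicator label, weight)
    r"getSimOperator|getNetworkOperator": ("sim_operator_check", 1),
    r"setWifiEnabled\(false\)": ("wifi_disable", 2),
    r"setJavaScriptEnabled\(true\)|evaluateJavascript\(": ("webview_js", 1),
}

def score_manifest(manifest_xml: str) -> dict:
    """Flag risky permissions and an SMS Retriever broadcast receiver."""
    root = ET.fromstring(manifest_xml)
    hits = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name")
        if name in PERMISSION_WEIGHTS:
            hits[name] = PERMISSION_WEIGHTS[name]
    for action in root.iter("action"):
        if action.get(ANDROID_NS + "name") == SMS_RETRIEVED_ACTION:
            hits["sms_retriever_receiver"] = 2
    return hits

def score_code(decompiled: str) -> dict:
    # Operator gating, Wi-Fi disabling and WebView JS in decompiled source.
    return {label: w for pat, (label, w) in CODE_PATTERNS.items()
            if re.search(pat, decompiled)}

def triage(manifest_xml: str, decompiled: str, threshold: int = 5) -> dict:
    hits = {**score_manifest(manifest_xml), **score_code(decompiled)}
    total = sum(hits.values())
    return {"score": total, "indicators": sorted(hits), "suspicious": total >= threshold}

# Constructed sample inputs (not taken from a real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application><receiver android:name=".OtpReceiver"><intent-filter>
    <action android:name="com.google.android.gms.auth.api.phone.SMS_RETRIEVED"/>
  </intent-filter></receiver></application>
</manifest>"""
SAMPLE_CODE = ("String op = tm.getSimOperator();\n"
               "if (TARGETS.contains(op)) { wifi.setWifiEnabled(false); "
               "web.getSettings().setJavaScriptEnabled(true); }\n")
```

Run it over a real decompilation (for example jadx output) rather than the constructed sample; a high score is a prioritisation signal for manual review, not a verdict.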
