Fake Android Apps Commit Carrier Billing Fraud for Premium Svcs.
Recorded: May 20, 2026, 10:01 p.m.
Original

The disguised apps use WebView automation, JavaScript injection, and OTP interception to avoid detection and complete fraudulent subscriptions.

Jai Vijayan, Contributing Writer
May 20, 2026
5 Min Read
Source: Stockinq via Shutterstock

A financially motivated threat actor is targeting Android users in Malaysia, Thailand, Romania, and Croatia with malware that covertly enrolls victims in premium, carrier-billed services.

The campaign involves nearly 250 Android apps that selectively target users based on their specific mobile service provider and geographic location, according to researchers at Zimperium. The malware — disguised as popular applications such as Messenger, TikTok, Minecraft, and Grand Theft Auto — uses WebView automation, JavaScript injection, and OTP interception to avoid user interaction and complete fraudulent subscription workflows in the background.

A Sneaky, Persistent Campaign

Zimperium's analysis showed that, once opened, each of the malicious apps first read the device's SIM card information to identify the victim's mobile operator. The fraud workflow activated only if the operator matched a list of hardcoded targets, including DiGi, Celcom, Maxis, and U Mobile in Malaysia. If the device belonged to a non-targeted carrier, the malicious app simply displayed a harmless Web page and avoided any behavior that might trigger detection, Zimperium said.

The campaign appears to have begun in March 2025 and remained highly active through at least the second week of January, with parts of its infrastructure still operational today.

"The zLabs team identified three distinct malware variants in this campaign, each demonstrating different levels of sophistication in how they silently subscribe victims to premium services once the user has unwittingly downloaded the malicious app masquerading as a trusted brand," Zimperium said.

The most technically sophisticated variant, the vendor's analysis showed, was the one targeting Malaysian users, because it automated the entire subscription process. When carrier billing required a one-time password, the malware displayed a fake verification prompt designed to trick users into entering a code that appeared to authenticate a game account, while in fact they were authorizing a paid subscription in the background.

Leveraging Legitimate Components to Bypass Users

Zimperium found the malware variant abusing Google's SMS Retriever API — a feature that helps apps automatically detect one-time passwords — to silently capture OTPs and then use them for billing confirmation, all without any user interaction. The malware also silently disables the victim device's Wi-Fi connection to force all traffic through the cellular network, which is often key to carrier billing authentication, Zimperium said.

The second variant targets Thai users via an approach that combines direct SMS fraud with browser session hijacking. The malware first confirms whether the victim is using a specific Thai mobile carrier and then automatically sends SMS messages to paid service numbers to sign the user up for multiple subscriptions. Zimperium found the malware using a legitimate-looking Web page to keep the victim occupied. In the background, hidden WebViews — which mobile apps use to display and interact with Web content inside the app — accessed carrier billing portals, stole session cookies, and maintained authenticated sessions without user input.

The third variant combined the subscription fraud capabilities of the first two with a real-time reporting system built on Telegram. The malware immediately notified operators of every significant action, including installation, permission grants, and successful premium SMS transmission. Each notification contained the device identifier, the fake app name the victim had installed, which distribution platform had delivered the infection, which mobile operator the victim used, and a time stamp. This gave the operators live visibility into which fake app identities and distribution channels were generating the most successful infections. The attackers monitored malicious app distribution across TikTok, Facebook, and Google.

"This systematic approach indicates a well-organized operation with clear metrics tracking for campaign optimization," Zimperium said. "Attackers can identify which social platforms and fake app personas yield the highest conversion rates."

Controls Can't Keep Up With Abuse

The campaign represents a shared failure of controls across the entire mobile ecosystem and is more than a simple user awareness issue, said Vineeta Sangaraju, AI research engineer at Black Duck, in emailed comments. The attackers' abuse of Google's SMS Retriever API to silently intercept OTPs, and of the WebView component to automate fraudulent subscription workflows, highlights recurring problems in the mobile app industry, she said. "These are not obscure attack surfaces, they are documented, widely used platform features, and the controls governing their use have not kept pace with their abuse potential."

The campaign also points to a continued mobile weakness in app store vetting, and it is noteworthy that fake apps remain easy to host on legitimate application distribution platforms. "For security teams, especially in organizations that allow BYOD, the practical response is to enforce app installation exclusively from official stores," Sangaraju said.

The campaign is significant for enterprise organizations because mobile devices carry corporate email accounts, single sign-on (SSO) sessions, and multifactor authentication (MFA) codes, added Shane Barney, chief information security officer (CISO) at Keeper Security. "This attack isn't sophisticated in the traditional sense — it doesn't rely on breaking encryption or exploiting a zero-day. Instead, it intercepts SMS-based one-time passwords, which organizations continue to utilize despite being widely recognized as a weak form of MFA," Barney said in a statement.

The campaign underscores the growing exposure that organizations have to contend with from mobile device users. Verizon's 2026 Data Breach Investigations Report (DBIR) showed that mobile-centric social engineering — like SMS and voice-based attacks — was 40% more effective at getting users to engage than email-based phishing lures. Verizon's research also showed that the median number of times mobile devices in large organizations were targeted in SMS attacks last year was 48, and that such attacks gave attackers a way to bypass phishing protections and reach users directly. "Threat actors continue to largely leverage email-based phishing attacks to compromise organizations; however, these attacks are getting more complex as attackers are targeting mobile devices and other unconventional vectors to reach victims," the company warned.

About the Author

Jai Vijayan, Contributing Writer

Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies. Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders. Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications. His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master's degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee.
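The carrier gating, premium SMS sending, SMS Retriever abuse, Wi-Fi disabling, hidden WebView automation and Telegram reporting described above combine into a behavioural signature that a defender can triage statically before an app reaches managed devices; the following is an added example (not Zimperium's or the article's code) that scores a constructed manifest and string set against that combination. The indicator weights, thresholds, sample manifests and code strings are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Malaysian carriers the article says the Malaysian variant hardcoded as targets.
TARGET_CARRIERS = ("DiGi", "Celcom", "Maxis", "U Mobile")

# (indicator, weight, permissions that must be declared, regex over code strings).
# Weights and thresholds are this example's assumptions, not Zimperium's scoring.
INDICATORS = [
    ("carrier_gating", 2, {"android.permission.READ_PHONE_STATE"},
     re.compile(r"getSimOperatorName|getSimOperator\b")),
    ("premium_sms", 3, {"android.permission.SEND_SMS"},
     re.compile(r"sendTextMessage|sendMultipartTextMessage")),
    # SMS Retriever needs no SMS permission, so a permission-only review misses it.
    ("otp_autoread", 3, set(), re.compile(r"SmsRetriever|SMS_RETRIEVED_ACTION")),
    ("wifi_kill", 2, {"android.permission.CHANGE_WIFI_STATE"}, re.compile(r"setWifiEnabled")),
    ("webview_automation", 2, set(),
     re.compile(r"setJavaScriptEnabled|addJavascriptInterface|evaluateJavascript")),
    ("telegram_reporting", 2, {"android.permission.INTERNET"}, re.compile(r"api\.telegram\.org/bot")),
]

def declared_permissions(manifest_xml):
    """Set of <uses-permission android:name=...> values declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def triage(manifest_xml, code_strings):
    """Score the permission+API combination; return (score, verdict, matched indicators)."""
    perms, blob = declared_permissions(manifest_xml), "\n".join(code_strings)
    hits = [name for name, _, needed, pat in INDICATORS if needed <= perms and pat.search(blob)]
    score = sum(weight for name, weight, _, _ in INDICATORS if name in hits)
    carriers = [c for c in TARGET_CARRIERS if c.lower() in blob.lower()]
    if carriers:  # a hardcoded target-operator list is the campaign's gating tell
        hits.append("hardcoded_carriers:" + ",".join(carriers))
        score += 2
    verdict = "likely-subscription-fraud" if score >= 8 else "suspicious" if score >= 4 else "benign"
    return score, verdict, hits

def manifest(*perms):
    """Build a minimal AndroidManifest.xml string for the constructed samples below."""
    body = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return f'<manifest xmlns:android="http://schemas.android.com/apk/res/android">{body}</manifest>'

# Constructed sample input (not a real APK): a fake game showing the full indicator set.
FRAUD_MANIFEST = manifest("INTERNET", "READ_PHONE_STATE", "SEND_SMS", "CHANGE_WIFI_STATE")
FRAUD_STRINGS = ["TelephonyManager.getSimOperatorName", "Maxis", "Celcom",
                 "SmsManager.sendTextMessage", "SmsRetriever.getClient", "WifiManager.setWifiEnabled",
                 "WebSettings.setJavaScriptEnabled", "https://api.telegram.org/bot<TOKEN>/sendMessage"]
# Constructed benign comparison: a plain game that only embeds a WebView.
GAME_MANIFEST = manifest("INTERNET")
GAME_STRINGS = ["WebSettings.setJavaScriptEnabled", "https://example.com/news"]

if __name__ == "__main__":
    print(triage(FRAUD_MANIFEST, FRAUD_STRINGS))  # (16, 'likely-subscription-fraud', ...)
    print(triage(GAME_MANIFEST, GAME_STRINGS))    # (2, 'benign', ['webview_automation'])
```

A single indicator such as a WebView or SEND_SMS is ordinary; the score only climbs when the carrier check, OTP capture, Wi-Fi toggling and operator reporting appear together, which is the combination that distinguishes this campaign from a legitimate messaging or game app.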
Summarized

A financially motivated threat actor orchestrated a sophisticated campaign targeting Android users across Malaysia, Thailand, Romania, and Croatia by deploying malware through nearly 250 disguised applications to enroll victims in premium services billed via their mobile carriers. The core mechanism of this fraud involved technical methods designed to circumvent user detection and complete fraudulent subscription workflows in the background. These malicious applications utilized techniques such as WebView automation, JavaScript injection, and the interception of one-time passwords (OTPs).

Zimperium's analysis revealed that the malware first scanned the device's SIM card information to identify the victim's mobile operator. The fraudulent process was specifically triggered if the detected operator matched a list of hardcoded targets, including carriers such as DiGi, Celcom, Maxis, and U Mobile in Malaysia. If the device was registered with a non-targeted carrier, the malicious app would instead display a benign webpage to evade detection. This campaign was active from March 2025 and persisted through the second week of January, with residual infrastructure remaining operational.

The zLabs team identified three distinct malware variants demonstrating varying levels of technical sophistication in achieving silent subscriptions. The most technically complex variant, targeting Malaysian users, managed to automate the entire subscription process. When carrier billing required a one-time password, the malware displayed a deceptive verification prompt, tricking the user into entering a code that was actually authorizing a paid subscription in the background. Furthermore, this variant leveraged Google's SMS Retriever API, a feature intended to help applications automatically detect OTPs, to silently capture these codes for billing confirmation without any user interaction. To facilitate carrier billing authentication, the malware also silently disabled the device's Wi-Fi connection, forcing all network traffic through the cellular network.

The second variant targeted Thai users by combining direct SMS fraud with browser session hijacking. This malware first verified the victim's mobile carrier status before automatically sending SMS messages to paid service numbers to initiate multiple subscriptions. To maintain user engagement, the malware employed a legitimate-looking webpage. In the background, hidden WebViews, which mobile applications use to render web content, were exploited to access carrier billing portals, steal session cookies, and maintain authenticated sessions without user input.

The third variant augmented these fraud capabilities by integrating a real-time reporting system using Telegram, allowing the malware to immediately notify operators of critical actions, including installation, permission grants, and successful premium SMS transmissions. This system provided operators with live visibility into which fake app identities and distribution channels were generating the most successful infections, as attackers monitored malicious app dissemination across platforms like TikTok, Facebook, and Google.

The findings underscore a shared failure in security controls across the mobile ecosystem. Vineeta Sangaraju, an AI research engineer at Black Duck, noted that the attackers exploited widely used platform features, such as the SMS Retriever API and the WebView component, indicating that the controls governing these features have not kept pace with their abuse potential. This situation highlights recurring vulnerabilities in app store vetting and the ease with which fake applications can be hosted on legitimate distribution platforms.

For enterprise organizations, this type of attack presents specific risks because mobile devices often house sensitive corporate information, including single sign-on (SSO) sessions and multifactor authentication (MFA) codes. As Shane Barney, Chief Information Security Officer at Keeper Security, stated, the threat stems not from exploiting complex encryption but from intercepting SMS-based one-time passwords, which organizations continue to rely upon despite recognizing their weakness as a form of MFA. This aligns with broader industry warnings, such as Verizon's 2026 Data Breach Investigations Report, which indicated that mobile-centric social engineering methods, including SMS and voice-based attacks, were significantly more effective at engaging users than email-based phishing. Consequently, organizations must reinforce security by enforcing the installation of applications exclusively through official stores to mitigate exposure from these mobile vector attacks.