Fake Android Apps Commit Carrier Billing Fraud for Premium Svcs.
Dark ReadingArchived May 21, 2026✓ Full text saved
The disguised apps use WebView automation, JavaScript injection, and OTP interception to avoid detection and complete fraudulent subscriptions.
Full text archived locally
✦ AI Summary· Claude Sonnet
MOBILE SECURITY
ENDPOINT SECURITY
REMOTE WORKFORCE
THREAT INTELLIGENCE
NEWS
Fake Android Apps Commit Carrier Billing Fraud for Premium Svcs.
The disguised apps use WebView automation, JavaScript injection, and OTP interception to avoid detection and complete fraudulent subscriptions.
Jai Vijayan,Contributing Writer
May 20, 2026
5 Min Read
SOURCE: STOCKINQ VIA SHUTTERSTOCK
A financially motivated threat actor is targeting Android users in Malaysia, Thailand, Romania, and Croatia with malware that covertly enrolls victims in premium, carrier-billed services.
The campaign involves nearly 250 Android apps that selectively target users based on their specific mobile service provider and geographic location, according to researchers at Zimperium. The malware — disguised as popular applications such as Messenger, TikTok, Minecraft, and Grand Theft Auto — uses WebView automation, JavaScript injection, and OTP interception to avoid user interaction and complete fraudulent subscription workflows in the background.
A Sneaky, Persistent Campaign
Zimperium's analysis showed that, once opened, each of the malicious apps first read the device's SIM card information to identify the victim's mobile operator. The fraud workflow activated only if the operator matched a list of hardcoded targets, including DiGi, Celcom, Maxis, and U Mobile in Malaysia. If the device belonged to a non-targeted carrier, the malicious app simply displayed a harmless Web page and avoided any behavior that might trigger detection, Zimperium said.
Related:Will AI Save Consumers From Smartphone-Based Phishing Attacks?
The campaign appears to have begun in March 2025 and remained highly active through at least the second week of January, with parts of its infrastructure still operational today.
"The zLabs team identified three distinct malware variants in this campaign, each demonstrating different levels of sophistication in how they silently subscribe victims to premium services once the user has unwittingly downloaded the malicious app masquerading as a trusted brand," Zimperium said.
The most technically sophisticated variant, the vendor's analysis showed, was the one targeting Malaysian users, because it automated the entire subscription process. When carrier billing required a one-time password, the malware displayed a fake verification prompt designed to trick users into entering a code for authenticating what appeared to be a game account, while actually they were authorizing a paid subscription in the background.
Leveraging Legitimate Components to Bypass Users
Zimperium found the malware variant abusing Google's SMS Retriever API — a feature to help apps automatically detect one-time passwords — to silently capture OTPs and then use them for billing confirmation, all without any user interaction. The malware also silently disables the victim device's Wi-Fi connection to force all traffic through the cellular network, which often is key for carrier billing authentication, Zimperium said.
Related:Supply Chain Attack Embeds Malware in Android Devices
The second variant targets Thai users via an approach that combines direct SMS fraud with browser session hijacking. The malware first confirms if the victim is using a specific Thai mobile carrier and then automatically sends SMS messages to paid service numbers to sign the user up for multiple subscriptions. Zimperium found the malware using a legitimate looking Web page to keep the victim occupied. In the background, hidden WebViews — which mobile apps use to display and interact with Web content inside a mobile app — accessed carrier billing portals, stole session cookies, and maintained authenticated sessions without user input.
The third variant combined the subscription fraud capabilities of the first two with a real-time reporting system built on Telegram. The malware immediately notified operators of every significant action, including installation, permission grants, and successful premium SMS transmission. Each notification contained the device identifier, the fake app name the victim had installed, which distribution platform had delivered the infection, which mobile operator the victim used, and a time stamp. This gave the operators live visibility into which fake app identities and distribution channels were generating the most successful infections. The attackers monitored malicious app distribution across TikTok, Facebook, and Google.
Related:Predator Spyware Sample Indicates 'Vendor-Controlled' C2
"This systematic approach indicates a well-organized operation with clear metrics tracking for campaign optimization," Zimperium said. "Attackers can identify which social platforms and fake app personas yield the highest conversion rates."
Controls Can't Keep Up With Abuse
The campaign represents a shared failure of controls across the entire mobile ecosystem and is more than just a simple user awareness issue said Vineeta Sangaraju, AI research engineer at Black Duck, in emailed comments. The attacker's abuse of Google's SMS Retriever API to silently intercept OTP and of the WebView component to automate fraudulent subscription workflows highlight recurring problems in the mobile app industry, she said. "These are not obscure attack surfaces, they are documented, widely used platform features, and the controls governing their use have not kept pace with their abuse potential." The campaign also points to a continued mobile weakness in app store vetting, and it's noteworthy that fake apps remain easy to host on legitimate application distribution platforms. "For security teams, especially in organizations that allow BYOD, the practical response is to enforce app installation exclusively from official stores," Sangaraju said.
The campaign is significant for enterprise organizations because mobile devices carry corporate email accounts, single sign-on (SSO) sessions, and multifactor authentication (MFA) codes, added Shane Barney, chief information security officer (CISO) at Keeper Security. "This attack isn't sophisticated in the traditional sense — it doesn't rely on breaking encryption or exploiting a zero-day. Instead, it intercepts SMS-based one-time passwords, which organizations continue to utilize despite being widely recognized as a weak form of MFA," Barney said in a statement.
The campaign underscores the growing exposure that organizations have to contend with from mobile device users. Verizon's 2026 Data Breach Investigations Report (DBIR) showed that mobile-centric social engineering — like SMS and voice-based attacks— were 40% more effective at getting users to engage than email-based phishing lures. Verizon's research showed that the median number of times mobile devices in large organizations were targeted in SMS attacks last year was 48 and presented a way for attackers to bypass phishing protections and directly reach users, Verizon said. "Threat actors continue to largely leverage email-based phishing attacks to compromise organizations; however, these attacks are getting more complex as attackers are targeting mobile devices and other unconventional vectors to reach victims," the company warned.
About the Author
Jai Vijayan
Contributing Writer
Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies.
Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders.
Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications.
His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management
Access More Research
Webinars
AI-Powered Cybersecurity for Resource-Constrained Organizations
AI-Powered Credential Security: Intelligence Without Exposure
How Security Teams should apply Threat Intelligence into their Defenses
Your Guide to Securing AI Adoption in Your Organization
What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization?
More Webinars
You May Also Like
MOBILE SECURITY
Predator Spyware Sample Indicates 'Vendor-Controlled' C2
by Rob Wright
JAN 15, 2026
MOBILE SECURITY
FBI Flags Quishing Attacks From North Korean APT
by Rob Wright
JAN 12, 2026
MOBILE SECURITY
'Landfall' Malware Targets Samsung Galaxy Users
by Jai Vijayan, Contributing Writer
NOV 07, 2025
MOBILE SECURITY
SparkKitty Swipes Pics From iOS, Android Devices
by Jai Vijayan, Contributing Writer
JUN 23, 2025
Editor's Choice
THREAT INTELLIGENCE
From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber
byDark Reading Editorial Team
MAY 6, 2026
31 MIN READ
CYBER RISK
Physical Cargo Theft Gets a Boost From Cybercriminals
byRobert Lemos
MAY 4, 2026
5 MIN READ
CYBER RISK
NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later
byDark Reading Editorial Team
APR 28, 2026
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
LOADING...
RSAC 2026: key news & insights
At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more
Get Your Recap
Webinars
AI-Powered Cybersecurity for Resource-Constrained Organizations
THURS, JUNE 18, 2026, AT 1PM EST
AI-Powered Credential Security: Intelligence Without Exposure
WED, JUNE 17, 2026, AT 1PM EST
How Security Teams should apply Threat Intelligence into their Defenses
THURS, JUNE 11, 2026 AT 1PM EST
Your Guide to Securing AI Adoption in Your Organization
TUES, JUNE 9, 2026 AT 1PM EST
What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization?
WED, JUNE 3, 2026 AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS