CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 21, 2026

Fake Android Apps Commit Carrier Billing Fraud for Premium Svcs.

Dark Reading Archived May 21, 2026 ✓ Full text saved

The disguised apps use WebView automation, JavaScript injection, and OTP interception to avoid detection and complete fraudulent subscriptions.

Full text archived locally
✦ AI Summary · Claude Sonnet


    MOBILE SECURITY ENDPOINT SECURITY REMOTE WORKFORCE THREAT INTELLIGENCE NEWS Fake Android Apps Commit Carrier Billing Fraud for Premium Svcs. The disguised apps use WebView automation, JavaScript injection, and OTP interception to avoid detection and complete fraudulent subscriptions. Jai Vijayan,Contributing Writer May 20, 2026 5 Min Read SOURCE: STOCKINQ VIA SHUTTERSTOCK A financially motivated threat actor is targeting Android users in Malaysia, Thailand, Romania, and Croatia with malware that covertly enrolls victims in premium, carrier-billed services. The campaign involves nearly 250 Android apps that selectively target users based on their specific mobile service provider and geographic location, according to researchers at Zimperium. The malware — disguised as popular applications such as Messenger, TikTok, Minecraft, and Grand Theft Auto — uses WebView automation, JavaScript injection, and OTP interception to avoid user interaction and complete fraudulent subscription workflows in the background. A Sneaky, Persistent Campaign Zimperium's analysis showed that, once opened, each of the malicious apps first read the device's SIM card information to identify the victim's mobile operator. The fraud workflow activated only if the operator matched a list of hardcoded targets, including DiGi, Celcom, Maxis, and U Mobile in Malaysia. If the device belonged to a non-targeted carrier, the malicious app simply displayed a harmless Web page and avoided any behavior that might trigger detection, Zimperium said. Related:Will AI Save Consumers From Smartphone-Based Phishing Attacks? The campaign appears to have begun in March 2025 and remained highly active through at least the second week of January, with parts of its infrastructure still operational today. "The zLabs team identified three distinct malware variants in this campaign, each demonstrating different levels of sophistication in how they silently subscribe victims to premium services once the user has unwittingly downloaded the malicious app masquerading as a trusted brand," Zimperium said. The most technically sophisticated variant, the vendor's analysis showed, was the one targeting Malaysian users, because it automated the entire subscription process. When carrier billing required a one-time password, the malware displayed a fake verification prompt designed to trick users into entering a code for authenticating what appeared to be a game account, while actually they were authorizing a paid subscription in the background.  Leveraging Legitimate Components to Bypass Users Zimperium found the malware variant abusing Google's SMS Retriever API — a feature to help apps automatically detect one-time passwords — to silently capture OTPs and then use them for billing confirmation, all without any user interaction. The malware also silently disables the victim device's Wi-Fi connection to force all traffic through the cellular network, which often is key for carrier billing authentication, Zimperium said. Related:Supply Chain Attack Embeds Malware in Android Devices The second variant targets Thai users via an approach that combines direct SMS fraud with browser session hijacking. The malware first confirms if the victim is using a specific Thai mobile carrier and then automatically sends SMS messages to paid service numbers to sign the user up for multiple subscriptions. Zimperium found the malware using a legitimate looking Web page to keep the victim occupied. In the background, hidden WebViews — which mobile apps use to display and interact with Web content inside a mobile app — accessed carrier billing portals, stole session cookies, and maintained authenticated sessions without user input.  The third variant combined the subscription fraud capabilities of the first two with a real-time reporting system built on Telegram. The malware immediately notified operators of every significant action, including installation, permission grants, and successful premium SMS transmission. Each notification contained the device identifier, the fake app name the victim had installed, which distribution platform had delivered the infection, which mobile operator the victim used, and a time stamp. This gave the operators live visibility into which fake app identities and distribution channels were generating the most successful infections. The attackers monitored malicious app distribution across TikTok, Facebook, and Google. Related:Predator Spyware Sample Indicates 'Vendor-Controlled' C2 "This systematic approach indicates a well-organized operation with clear metrics tracking for campaign optimization," Zimperium said. "Attackers can identify which social platforms and fake app personas yield the highest conversion rates." Controls Can't Keep Up With Abuse The campaign represents a shared failure of controls across the entire mobile ecosystem and is more than just a simple user awareness issue said Vineeta Sangaraju, AI research engineer at Black Duck, in emailed comments. The attacker's abuse of Google's SMS Retriever API to silently intercept OTP and of the WebView component to automate fraudulent subscription workflows highlight recurring problems in the mobile app industry, she said. "These are not obscure attack surfaces, they are documented, widely used platform features, and the controls governing their use have not kept pace with their abuse potential." The campaign also points to a continued mobile weakness in app store vetting, and it's noteworthy that fake apps remain easy to host on legitimate application distribution platforms. "For security teams, especially in organizations that allow BYOD, the practical response is to enforce app installation exclusively from official stores," Sangaraju said. The campaign is significant for enterprise organizations because mobile devices carry corporate email accounts, single sign-on (SSO) sessions, and multifactor authentication (MFA) codes, added Shane Barney, chief information security officer (CISO) at Keeper Security. "This attack isn't sophisticated in the traditional sense — it doesn't rely on breaking encryption or exploiting a zero-day. Instead, it intercepts SMS-based one-time passwords, which organizations continue to utilize despite being widely recognized as a weak form of MFA," Barney said in a statement. The campaign underscores the growing exposure that organizations have to contend with from mobile device users. Verizon's 2026 Data Breach Investigations Report (DBIR) showed that mobile-centric social engineering — like SMS and voice-based attacks— were 40% more effective at getting users to engage than email-based phishing lures. Verizon's research showed that the median number of times mobile devices in large organizations were targeted in SMS attacks last year was 48 and presented a way for attackers to bypass phishing protections and directly reach users, Verizon said. "Threat actors continue to largely leverage email-based phishing attacks to compromise organizations; however, these attacks are getting more complex as attackers are targeting mobile devices and other unconventional vectors to reach victims," the company warned. About the Author Jai Vijayan Contributing Writer Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies.  Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders.  Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications. His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee.   Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management Access More Research Webinars AI-Powered Cybersecurity for Resource-Constrained Organizations AI-Powered Credential Security: Intelligence Without Exposure How Security Teams should apply Threat Intelligence into their Defenses Your Guide to Securing AI Adoption in Your Organization What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? More Webinars You May Also Like MOBILE SECURITY Predator Spyware Sample Indicates 'Vendor-Controlled' C2 by Rob Wright JAN 15, 2026 MOBILE SECURITY FBI Flags Quishing Attacks From North Korean APT by Rob Wright JAN 12, 2026 MOBILE SECURITY 'Landfall' Malware Targets Samsung Galaxy Users by Jai Vijayan, Contributing Writer NOV 07, 2025 MOBILE SECURITY SparkKitty Swipes Pics From iOS, Android Devices by Jai Vijayan, Contributing Writer JUN 23, 2025 Editor's Choice THREAT INTELLIGENCE From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber byDark Reading Editorial Team MAY 6, 2026 31 MIN READ CYBER RISK Physical Cargo Theft Gets a Boost From Cybercriminals byRobert Lemos MAY 4, 2026 5 MIN READ CYBER RISK NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later byDark Reading Editorial Team APR 28, 2026 Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE LOADING... RSAC 2026: key news & insights At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more Get Your Recap Webinars AI-Powered Cybersecurity for Resource-Constrained Organizations THURS, JUNE 18, 2026, AT 1PM EST AI-Powered Credential Security: Intelligence Without Exposure WED, JUNE 17, 2026, AT 1PM EST How Security Teams should apply Threat Intelligence into their Defenses THURS, JUNE 11, 2026 AT 1PM EST Your Guide to Securing AI Adoption in Your Organization TUES, JUNE 9, 2026 AT 1PM EST What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? WED, JUNE 3, 2026 AT 1PM EST More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS
    💬 Team Notes
    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗