Key Takeaways
- Researchers uncovered nearly 250 fraudulent Android apps that silently subscribed users to premium billing services.
- The campaign relied on impersonated brands, automation, and carrier targeting across Malaysia, Thailand, Romania, and Croatia.
- Security teams can use the published indicators of compromise to adjust scanning and detection rules for enterprise mobile fleets.
Zimperium discovered a sprawling billing fraud operation tied to more than 200 fake Android apps. The campaign, active from March 2025 to at least January 2026, quietly enrolled users in premium SMS and WAP subscription services without clear consent. It did so by disguising itself as popular apps like TikTok, Minecraft, Grand Theft Auto, Instagram Threads, and Facebook Messenger.
By reading SIM card data, the malware activated only for specific carriers in Malaysia, Thailand, Romania, and Croatia, which helped it avoid detection and widen the attack window. This regional selectivity, along with its use of roughly 12 premium SMS short codes, mirrors tactics publicly associated with a broader campaign known as Premium Deception.
Google maintains that none of the nearly 250 apps identified by researchers appeared in the Google Play Store. A spokesperson stated that Android users are already protected against the malware variants through Google Play Protect. The statement leans on a long-standing message about the risks of sideloaded applications, yet the persistence of these fraud operations suggests a more nuanced landscape. Cybercriminals previously compromised 150 Google Chrome extensions and reached more than 4.3 million browsers in 2025, demonstrating the ripple effects of marketplace abuse outside mobile environments.
Multiple malware variants drove the attacks. The most technically layered version used an automated subscription engine, SIM card checks, and deceptive account authentication prompts. Victims often believed they were verifying access to a gaming account when the malware was actually intercepting one-time passwords through Google's SMS Retriever API. The combination of one-time password interception and JavaScript injection on hidden web pages enabled silent enrollment into premium services.
Another variant, targeted mainly at users in Thailand, relied on premium SMS messages and background WebView automation. This version loaded legitimate-looking front-end pages while hiding subscription flows behind them. Attackers also employed a cookie-stealing technique to maintain authenticated billing sessions, making the fraud loops more durable.
A final variant layered in real-time notification capabilities through Telegram, letting attackers receive infection updates as they happened. The use of Telegram monitoring demonstrates an operational model that borrows performance tracking techniques from legitimate app development.
According to published researcher data, more than half of the affected devices carried Malaysian SIM cards, while users in Thailand and Romania each represented around 15 percent of cases, and Croatia accounted for about 1 percent. The targeted carriers included DiGi, Maxis, Celcom, U Mobile, Telekom, AIS, Orange, Vodafone, TrueMove H, and dtac TriNet.
Although the observed peak occurred in September 2025, and the campaign was last active in January 2026, parts of its infrastructure remain operational. This often signals lingering risk, as even partial infrastructure can support copycat activity or incremental reinfection attempts.
The Verizon DBIR 2024 points to social engineering and mobile credential theft as high-frequency enablers for financially motivated attacks. Additionally, ENISA's Threat Landscape 2023 notes that mobile malware and subscription fraud persist due to fake apps and abuses of legitimate platform features. Enterprise mobility programs can easily become blind spots when risk models focus only on traditional endpoints.
The NIST Cybersecurity Framework and NIST SP 800-163 provide guidance for controlling mobile app sources and enforcing device-centric protections. They are often used as anchors for enterprise policies, especially in regulated industries. In parallel, the FCC continues to monitor unauthorized carrier billing practices, adding compliance pressure for telecoms and app marketplaces alike.
McAfee previously documented Sonvpay, which used benign-looking ringtone and utility apps to enroll users in premium services. The mechanics were less sophisticated than these recent discoveries, yet the underlying principle of exploiting permissive billing flows has remained consistent.
Organizations are implementing more rigorous mobile application vetting to limit exposure. Some rely on mobile threat defense tools that scan for deceptive subscription behavior or suspicious network calls, while others harden mobile device configurations to restrict third-party app installations. However, the gap between platform controls and how attackers manipulate documented APIs shows that even educated users can have difficulty discerning safe applications.
Marketplace integrity remains a challenge. Even reputable stores see occasional breaches, as seen when Socket researchers identified 150 Chrome extensions that exfiltrated browsing data in 2025. Enterprises must apply layered controls that assume imperfect app stores rather than rely on them as the single line of defense.
For now, Zimperium has shared indicators of compromise through its public GitHub repository. Security teams managing mobile fleets can use those indicators to adjust scanning and detection rules. Fraud operators adapt quickly, so a combination of telemetry monitoring, user education, and marketplace pressure is required to counter the next iteration of billing abuse.
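The following Python script is an added example of how a fleet security team might consume a published indicator list of this kind; it is not Zimperium's code and it uses none of the campaign's real indicators. It matches an MDM app-inventory export against an IoC feed (package names and APK SHA-256 hashes), flags apps whose display label imitates one of the impersonated brands but whose package is not on the organisation's allowlist, and raises severity when such an app was sideloaded onto a device whose SIM belongs to one of the four targeted countries named in the article. Every package name, hash, installer name, allowlist entry and inventory row below is a constructed placeholder; the CSV column names are an assumed export format.

```python
"""Triage a mobile-fleet app inventory against a billing-fraud IoC feed.

Added example, not vendor code. All indicators, allowlist entries and
inventory rows are CONSTRUCTED placeholders; load real values from the
published IoC repository and your MDM export.
"""
import csv
import io
from dataclasses import dataclass

# Constructed IoC feed (placeholders standing in for published indicators).
IOC_PACKAGES = {"com.example.fake.tiktok", "com.example.fake.gtaclone"}
IOC_SHA256 = {"11" * 32}  # placeholder APK hash

# Brands the article says were impersonated, mapped to the package names the
# organisation accepts as legitimate for that brand (placeholder values).
BRAND_ALLOWLIST = {
    "tiktok": {"com.example.legit.tiktok"},
    "minecraft": {"com.example.legit.minecraft"},
    "threads": {"com.example.legit.threads"},
    "messenger": {"com.example.legit.messenger"},
}

# Countries the campaign targeted, per the article (ISO 3166-1 alpha-2).
TARGETED_SIM_COUNTRIES = {"MY", "TH", "RO", "HR"}

# Installer packages the organisation treats as store installs (assumption).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed MDM export: one row per installed app per device.
SAMPLE_INVENTORY_CSV = "\n".join([
    "device_id,package,label,sha256,installer,sim_country",
    f"dev-001,com.example.legit.tiktok,TikTok,{'aa' * 32},com.android.vending,US",
    f"dev-002,com.example.fake.tiktok,TikTok,{'bb' * 32},com.android.packageinstaller,MY",
    f"dev-003,com.example.lookalike.mc,Minecraft PE,{'cc' * 32},com.android.packageinstaller,TH",
    f"dev-004,com.example.notes,Notes,{'11' * 32},com.android.vending,RO",
    f"dev-005,com.example.other.threads,Threads,{'dd' * 32},com.android.vending,US",
])


@dataclass
class Finding:
    device_id: str
    package: str
    reasons: list
    severity: str


def brand_of(label: str):
    """Return the impersonated brand whose name appears in the app label, if any."""
    lowered = label.lower()
    for brand in BRAND_ALLOWLIST:
        if brand in lowered:
            return brand
    return None


def triage_row(row: dict):
    """Evaluate one inventory row; return a Finding or None if nothing matched."""
    reasons = []
    if row["package"] in IOC_PACKAGES:
        reasons.append("ioc_package")
    if row["sha256"].lower() in IOC_SHA256:
        reasons.append("ioc_hash")
    brand = brand_of(row["label"])
    if brand and row["package"] not in BRAND_ALLOWLIST[brand]:
        reasons.append(f"impersonates_{brand}")
    if not reasons:
        return None

    sideloaded = row["installer"] not in TRUSTED_INSTALLERS
    in_target = row["sim_country"].upper() in TARGETED_SIM_COUNTRIES
    # Any hard IoC hit is high. A brand lookalike alone is medium when
    # sideloaded, high when sideloaded onto a SIM from a targeted country,
    # and low when it came through the trusted store (review, don't block).
    if any(r.startswith("ioc_") for r in reasons) or (sideloaded and in_target):
        severity = "high"
    elif sideloaded:
        severity = "medium"
    else:
        severity = "low"
    return Finding(row["device_id"], row["package"], reasons, severity)


def triage_inventory(csv_text: str):
    """Run triage over a CSV export and return the list of findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        finding = triage_row(row)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY_CSV):
        print(f"{f.severity:6} {f.device_id} {f.package} {','.join(f.reasons)}")
```

The hard IoC matches are the part a scanner can act on immediately; the brand-lookalike rule is a heuristic that will produce review work, so it is deliberately scored lower unless the install path and SIM region line up with the campaign described above. On the sample export the script produces four findings: the fake TikTok and the hash match as high, the sideloaded Minecraft lookalike on a Thai SIM as high, and the store-installed Threads lookalike as low.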