Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign

Executive Summary

zLabs has identified a sophisticated Android malware campaign conducting carrier billing fraud through premium SMS abuse across Malaysia, Thailand, Romania, and Croatia. The campaign comprises almost 250 malicious applications that selectively target users based on their mobile operator, silently subscribing victims to premium services without consent.

The malware demonstrates advanced evasion and automation capabilities, including:

Precise regional targeting with hardcoded SIM operator validation

Automated subscription workflows using WebView manipulation and JavaScript injection

One-time password (OTP) interception via abuse of Google's SMS Retriever API

Multi-platform distribution with fake apps impersonating Facebook, Instagram, TikTok, Minecraft, and Grand Theft Auto (GTA)

Telegram-based exfiltration of device metadata and subscription confirmations

When deployed on a device whose SIM belongs to a non-targeted operator, the malware falls back to displaying benign content, which avoids drawing suspicion and keeps the app installed for later use.

As shown in Figure 1, the campaign utilizes a wide array of impersonated app icons, ranging from popular games like Minecraft and GTA to social media platforms, to lure victims into installation.

Figure 1. Impersonation apps observed in this campaign

The Reach: Four Countries, Millions at Risk

The campaign demonstrates deliberate geographic and carrier-specific targeting with the threat actors hardcoding extensive lists of mobile operators across four countries.

Detailed distribution of these operators and geographic targets is shown in Figure 2.

Figure 2. Operator and Geographic Targeting Distribution

The campaign was first detected in March 2025 and remained active through the second week of January 2026, representing approximately 10 months of sustained fraudulent operations, as detailed in Figure 3:

Figure 3. Malware samples found over the period of time

As of publication, portions of the infrastructure remain operational.

To maximise infection rates, the threat actors disguised their malware as popular social media platforms and gaming applications. The fake apps impersonated widely recognised brands, including Facebook Messenger, Instagram Threads, TikTok, Minecraft, GTA, and other trending games and utilities.

Inside the Attack: Three Malware Variants Dissected

The zLabs team identified three distinct malware variants in this campaign, each demonstrating different levels of sophistication in how they silently subscribe victims to premium services once the user has unwittingly downloaded the malicious app masquerading as a trusted brand.

Variant 1: Automated Subscription Engine

This variant represents the most sophisticated approach, combining multiple deception techniques to complete premium service subscriptions entirely without user knowledge.

It first determines which mobile carrier the victim is using by reading the SIM operator information exposed by the device. It compares this against a hardcoded list of targeted operators in Malaysia, including DiGi, Celcom, Maxis, and U Mobile, as shown in Figure 4. If a match is found, the fraud workflow begins. If not, the app displays a harmless WebView of the apkafa[.]com webpage to avoid suspicion.

Figure 4. Hardcoded comparison of the SIM operators

For DiGi subscribers, the malware employs a particularly clever social engineering tactic. When carrier billing requires an OTP for subscription confirmation, the malware displays a fake dialog box, written in Malay, that reads:

As seen in Figure 5, victims believe they are authenticating for a game account, when in reality they are authorizing a paid subscription.

Figure 5. Deceptive screen shown while a hidden WebView loads; the next screen requests permission from the user.

It also abuses Google's SMS Retriever API, a legitimate feature designed to let apps automatically read OTP messages for user convenience without holding the READ_SMS permission. While Google intended this for legitimate authentication workflows, the threat actors weaponised it to intercept carrier billing confirmation codes without the user's awareness. Note that the SMS Retriever API only delivers messages carrying an 11-character hash bound to the app's package name and signing certificate, so the confirmation SMS the malware relies on has to contain that hash for the interception to work; a device or carrier log showing such a hash in an operator OTP message is therefore a useful hunting artefact.

Behind the scenes, the malware loads hidden web pages pointing to DiGi's official carrier billing portal. The malware then injects JavaScript into the WebView to perform the following automated actions (Figure 6):

Click the "Request TAC" (OTP) button

Fill in the intercepted OTP code

Click the final "Confirm" button

This entire process happens quickly, completing the premium subscription without any visible interaction.

Figure 6. Code snippet responsible for doing the auto click mechanism

To ensure the fraud succeeds, the malware programmatically disables the device's WiFi connection. This forces all traffic through the cellular network, which carrier billing relies on: the operator identifies the subscriber from the mobile data session, so a portal reached over WiFi cannot bind the subscription to the victim's number.
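The behaviours described for Variant 1 (SIM operator gating, WebView JavaScript injection, SMS Retriever abuse, WiFi disabling, and Telegram exfiltration) combine into a static triage heuristic that an analyst can run over strings recovered from an APK (for example `strings classes.dex` or jadx/apktool output). The following is an added example written for this page, not zLabs' tooling and not code from the campaign. The indicator patterns are real Android and Google Play Services API names; the group weights, thresholds, the `#requestTac` selector and both sample string lists are constructed assumptions for illustration.

```python
"""Static triage heuristic for Android premium-SMS fraud indicators (added example)."""
import re
from dataclasses import dataclass, field

# Each group corresponds to one behaviour from the write-up. Weights and the
# verdict thresholds below are an assumption chosen for triage, not a standard.
INDICATOR_GROUPS = {
    # SIM-based operator gating: TelephonyManager lookups plus hardcoded operator names.
    "sim_operator_gating": (2, [
        r"getSimOperator(Name)?\b",
        r"getNetworkOperator(Name)?\b",
        r"\b(DiGi|Celcom|Maxis|U Mobile)\b",
    ]),
    # WebView automation: JavaScript enabled and injected into a loaded page.
    "webview_js_injection": (2, [
        r"setJavaScriptEnabled",
        r"evaluateJavascript|javascript:",
        r"document\.(querySelector|getElementById)",
        r"\.click\(\)",
    ]),
    # SMS Retriever API: OTP delivered to the app through a broadcast.
    "sms_retriever": (3, [
        r"com\.google\.android\.gms\.auth\.api\.phone\.SMS_RETRIEVED",
        r"\bSmsRetriever\b",
        r"EXTRA_SMS_MESSAGE",
    ]),
    # Forcing cellular data so the billing portal can identify the subscriber.
    "wifi_disable": (2, [
        r"setWifiEnabled",
        r"android\.permission\.CHANGE_WIFI_STATE",
    ]),
    # Exfiltration to a Telegram bot.
    "telegram_exfil": (3, [
        r"api\.telegram\.org/bot",
        r"/send(Message|Document)\b",
    ]),
}

MIN_GROUPS = 3  # assumption: require three independent behaviours before flagging
MIN_SCORE = 8   # assumption: summed group weights needed to flag


@dataclass
class TriageResult:
    score: int = 0
    hits: dict = field(default_factory=dict)  # group name -> matching strings
    verdict: str = "inconclusive"


def triage(strings):
    """Score a list of extracted strings; a group counts once no matter how many hits."""
    result = TriageResult()
    for group, (weight, patterns) in INDICATOR_GROUPS.items():
        matched = [s for s in strings if any(re.search(p, s) for p in patterns)]
        if matched:
            result.hits[group] = matched
            result.score += weight
    if len(result.hits) >= MIN_GROUPS and result.score >= MIN_SCORE:
        result.verdict = "likely premium-SMS fraud"
    return result


# Constructed sample resembling jadx/smali output from a Variant 1 style app.
MALICIOUS_SAMPLE = [
    "Lcom/example/game/MainActivity;",
    "Landroid/telephony/TelephonyManager;->getSimOperatorName()Ljava/lang/String;",
    "DiGi", "Celcom", "Maxis", "U Mobile",
    "https://apkafa[.]com/",
    "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V",
    "Landroid/webkit/WebView;->evaluateJavascript(Ljava/lang/String;Landroid/webkit/ValueCallback;)V",
    "javascript:document.querySelector('#requestTac').click()",  # selector is hypothetical
    "com.google.android.gms.auth.api.phone.SMS_RETRIEVED",
    "com.google.android.gms.auth.api.phone.EXTRA_SMS_MESSAGE",
    "Landroid/net/wifi/WifiManager;->setWifiEnabled(Z)Z",
    "https://api.telegram.org/bot<token>/sendMessage",
]

# Constructed sample of a legitimate app that uses SMS Retriever for its own OTP login.
BENIGN_SAMPLE = [
    "Lcom/example/bank/LoginActivity;",
    "com.google.android.gms.auth.api.phone.SMS_RETRIEVED",
    "com.google.android.gms.auth.api.phone.EXTRA_SMS_MESSAGE",
    "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V",
    "https://example.com/api/v1/login",
]

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = triage(sample)
        print(f"{name}: score={r.score} verdict={r.verdict}")
        for group, evidence in r.hits.items():
            print(f"  {group}: {evidence[0]}")
```

The benign sample deliberately shares the SMS Retriever strings, which on their own are normal for any OTP login flow; it is the co-occurrence with operator gating, WebView automation, WiFi toggling and a Telegram bot endpoint that separates the fraud sample, which is why the heuristic counts distinct behaviour groups rather than raw string hits.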

For Maxis subscribers, the malware uses a simpler approach:...
