Android Malware Spotted Subscribing Victims to Paid Services Without Consent – Hackread

A global mobile billing fraud campaign has been targeting Android users by silently subscribing them to expensive premium text services. Zimperium zLabs, which reported this campaign, has identified around 250 malicious applications involved in this operation.
These apps are designed for carrier billing fraud through premium SMS abuse. The campaign has been active for nearly ten months, with the first detection in March 2025 and the most recent one in the second week of January 2026.
One of the campaign’s more notable features was its operator-level targeting. Researchers found that the malware specifically focused on mobile carriers across four countries:
Before launching the fraud workflow, the malicious apps checked the infected device’s SIM card to verify the user’s mobile network operator. This allowed the malware to activate only on targeted carrier networks while avoiding unnecessary exposure on unsupported devices.
To achieve initial access, the attackers relied on a multi-platform distribution strategy built around social engineering lures. They created fake applications impersonating widely recognized brands, including Facebook Messenger, Instagram Threads, TikTok, Minecraft, and Grand Theft Auto (GTA).
If the malware was installed on a non-targeted network, a fallback mechanism displayed a benign WebView of apkafa.com to reduce suspicion and evade detection.
When a matched operator was found, the malware initiated automated workflows to force premium subscriptions. The software programmatically disabled Wi-Fi to force data traffic through cellular paths required for billing authentication.
For DiGi users, it loaded hidden background WebViews and executed JavaScript injection to click the “Request TAC” button, auto-fill verification codes, and click “Confirm.” To bypass security checkpoints, it abused Google’s SMS Retriever API to intercept One-Time Passwords (OTPs) and Transaction Authentication Codes (TACs) without user awareness.
According to zLabs researcher and blog post author Rajat Goyal, the team identified three distinct malware variants driving the operation:
The primary C2 domains used for workflows and exfiltration included apizep.mwmze.com and modobomz.com, while the operation relied on a tracking system embedded in custom HTTP referrer headers following a strict pattern: https://{FakeAppName}-{Country}-{Platform}-{OperatorCode}.
This allowed attackers to run data analytics on which platforms and personas yielded the highest infection rates. Across target regions, zLabs mapped at least 12 premium SMS short codes and keywords, such as “GYGO” to 866866 in Croatia, or “MOGA” and “DA” to codes like +1280 and 4541545 in Romania.
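The referrer pattern above is itself a usable detection signal on egress or proxy logs: a Referer whose host is a bare, dot-less, four-field dash-separated name with no path is not what any legitimate site emits. The following is an added example, not code from Zimperium or Hackread; the log-line format, the field character classes and the app/country/platform/operator values in the sample lines are assumptions constructed for illustration.

```python
import re

# Constructed sample log lines in an assumed "client method url "referer"" format.
# App names, countries, platforms and operator codes are placeholders, not IoCs.
SAMPLE_LOGS = [
    '10.0.0.5 GET https://apizep.mwmze.com/api/init "https://Messenger-HR-TikTok-21901"',
    '10.0.0.7 GET https://example.org/ "https://example.org/index.html"',
    '10.0.0.9 POST https://modobomz.com/collect "https://GTA-RO-Facebook-22601"',
    '10.0.0.11 GET https://cdn.example.net/img.png "-"',
]

# The tracking referrer described in the report: https://{FakeAppName}-{Country}-{Platform}-{OperatorCode}
# The whole "host" is four dash-separated fields with no dots and no path. Field
# syntax (two-letter country, alphanumeric operator code) is an assumption.
TRACKING_REFERER = re.compile(
    r"^https?://(?P<app>[A-Za-z0-9]+)-(?P<country>[A-Za-z]{2})-"
    r"(?P<platform>[A-Za-z0-9]+)-(?P<operator>[A-Za-z0-9]+)/?$"
)

# Assumed log line layout: client, method, URL, then the quoted Referer value.
LOG_LINE = re.compile(r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<referer>[^"]*)"$')


def parse_tracking_referer(referer):
    """Return the four tracking fields if the referer matches the pattern, else None."""
    m = TRACKING_REFERER.match(referer)
    return m.groupdict() if m else None


def find_suspect_clients(lines):
    """Scan log lines and report clients that sent a pattern-matching Referer."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        fields = parse_tracking_referer(m.group("referer"))
        if fields:
            hits.append({"client": m.group("client"), "url": m.group("url"), **fields})
    return hits


if __name__ == "__main__":
    for hit in find_suspect_clients(SAMPLE_LOGS):
        print(hit)
```

Each hit carries the decoded persona, country, platform and operator code, so an analyst can pivot from a single flagged client to the lure that infected it.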
Commenting on the discovery, industry experts shared their insights with Hackread.com, warning that the campaign exposes broader flaws in the mobile security environment.
Vineeta Sangaraju, AI Research Engineer at Black Duck, explained that the scope of the problem extends past individual errors. “This campaign is a managed fraud operation. It should be read as a shared failure of controls across the entire mobile ecosystem – platform, carrier, and app distribution layer, and not simply a user awareness problem,” Sangaraju said.
“The abuse of Google’s SMS Retriever API, originally designed to assist users with legitimate authentication flows, to silently harvest OTP confirmations, illustrates a recurring problem in the mobile app industry that platform APIs grant broad access without requiring appropriate transparency or warning to the user. The permission was implicitly granted; the user had no meaningful visibility into how it was being used. Equally, the WebView component that enables legitimate in-app browsing experiences is here weaponized to automate subscription workflows,” Sangaraju added while highlighting specific architectural loopholes used by the threat actors.
Shane Barney, Chief Information Security Officer at Keeper Security, noted that the persistence and structural setup of the attack distinguish it from typical fraud setups. “Carrier billing fraud isn’t new; however, the Android malware campaign uncovered by Zimperium zLabs is worth taking note of because of how deliberately it was built to last,” Barney said.
“Ten months of sustained operations, nearly 250 applications, and a referrer-tracking system designed to measure which fake app personas and social platforms generated the highest infection rates. These threat actors weren’t rushing; they were optimizing – and that distinction matters for how security teams should think about the threat.”
Barney also emphasised that the reliance on old verification systems makes these operations highly profitable. “This attack isn’t sophisticated in the traditional sense – it doesn’t rely on breaking encryption or exploiting a zero-day. Instead, it intercepts SMS-based one-time passwords, which organizations continue to utilize despite being widely recognized as a weak form of MFA. Attackers are now building sustained, professional operations around this weakness,” Barney concluded.