Android Malware Used 250 Fake Apps for Silent Carrier-Billing Fraud
Researchers at Zimperium’s zLabs uncovered a large Android malware campaign that used nearly 250 malicious apps to silently subscribe victims to premium carrier-billing services and abuse premium SMS flows without consent. The apps impersonated well-known brands and games including Facebook Messenger, Instagram Threads, TikTok, Minecraft, and Grand Theft Auto, and targeted users in Malaysia, Thailand, Romania, and Croatia. The operation was active from March 2025 through January 2026, with some attacker infrastructure still online at the time of reporting.
zLabs identified three malware variants that activated only when a device’s SIM matched specific mobile operators, helping the fraud remain hidden from non-targeted users by showing benign fallback pages. The malware used hidden WebViews and JavaScript to automate subscription pages, intercepted one-time passwords through Google’s SMS Retriever API, disabled Wi‑Fi to force cellular billing, stole cookies, sent delayed premium SMS messages, and reported activity through attacker-controlled Telegram channels. Researchers said the infrastructure supported command-and-control, victim tracking, analytics, and exfiltration of device metadata and billing-page content.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Zimperium publicly discloses campaign and notes active infrastructure
On publication of its research, Zimperium disclosed the global Android fraud campaign and said parts of the attacker infrastructure were still operational. The company described the distributed infrastructure supporting command and control, victim tracking, analytics, and exfiltration of device and billing-page data.
Campaign remains active into second week of January 2026
Researchers reported that the malware campaign was still active through the second week of January 2026. They identified three malware variants, including one tailored to Thai users and another that sent operational updates to attacker-controlled Telegram channels.
Campaign runs across four countries using targeted subscription fraud
From March 2025 through the second week of January 2026, the operation used nearly 250 malicious Android apps to target users in Malaysia, Thailand, Romania, and Croatia. The malware selectively activated based on the victim's SIM operator and used hidden WebViews, OTP interception, Wi‑Fi disabling, cookie theft, premium SMS abuse, and Telegram-based reporting to complete fraudulent subscriptions.
zLabs first detects Android carrier-billing fraud campaign
Zimperium's zLabs first observed a large Android malware operation in March 2025. The campaign used malicious apps posing as popular brands to target users for unauthorized carrier-billing and premium SMS charges.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Android Carrier Billing Fraud: zLabs Malware Alert
securityonline.info
Open sourceAndroid Malware Silently Subscribes Victims to Premium Services Without Consent - Cyber Security News
cybersecuritynews.com
Open sourceNew malware steals users' money through mobile phones: Report - The Economic Times
economictimes.indiatimes.com
Open sourcePremium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign
zimperium.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Android Mobile Malware Campaigns Targeting SMS/OTP and Identity Data
Multiple reports highlight evolving **Android** threats that abuse SMS/telephony access and advanced evasion to enable fraud, surveillance, and account takeover. CloudSEK described a shift from repackaged apps to **runtime manipulation** using the *LSPosed* framework, where a malicious module (e.g., **Digital Lutera**) hooks `SmsManager` and `TelephonyManager` to undermine India’s **UPI SIM-binding** controls. The technique can intercept registration tokens and 2FA, spoof device identity/phone number, and exfiltrate data to **Telegram**; it also uses **Socket.IO** for real-time C2 and can remotely inject fabricated SMS entries into the device’s “Sent” database to make bank backends believe a SIM is present on a different device, enabling scalable payment fraud and account takeover. Separately, Acronis TRU (reported by Hackread) identified a **fake Red Alert** rocket-warning app distributed via SMS lures impersonating Israel’s Home Front Command; the trojanized app displays legitimate alerts to reduce suspicion while requesting extensive permissions to steal **GPS location**, **SMS/OTP**, contacts, installed-app inventory, and on-device account details, then exfiltrates data to a remote server, including via **certificate spoofing** and UI tricks to appear Play Store-installed. Zimperium reported a new Android RAT, **SurxRAT**, that can download and run **LLM modules** from third-party repositories to automate phishing and social engineering and to interact with apps/UI for credential theft and data exfiltration, reinforcing the need for behavior-based mobile detection, tighter app controls, and stronger integrity enforcement (e.g., *Play Integrity API* with `MEETS_STRONG_INTEGRITY`) where applicable.
Mar 21, 2026
Mobile and Web Fraud Campaigns Impersonating Public Services to Steal Data
Multiple active fraud and malware operations are abusing *trusted themes and brands* to compromise users, with a heavy emphasis on mobile-first delivery via social engineering. Zimperium reported a **targeted Android spyware** operation delivered through a fake “dating” app promoted via social media and messaging links; once installed, the app requests broad permissions (e.g., SMS, contacts, media) to enable **surveillance and data exfiltration** including messages, location, and credentials. Separately, Zimperium also described an Android campaign that **hides a RAT inside artifacts presented as legitimate AI/ML components** hosted on trusted framework infrastructure, enabling attackers to bypass basic screening and gain persistent device control (data theft, screen capture, remote command execution). In parallel, CybersecurityNews summarized two public-service impersonation campaigns tied to “traffic ticket” lures. In India, attackers are mimicking **RTO e-challan** notifications distributed via WhatsApp and other messaging platforms to push off-store Android apps that steal financial and personal data; the malware reportedly uses a **three-stage modular architecture**, dynamic remote configuration, anti-analysis, and a **custom VPN tunnel** to conceal C2 and exfiltration, while prompting victims for high-risk permissions and to disable battery optimization for persistence. In Canada, a separate operation uses **SEO poisoning** and SMS/ad lures to drive victims to **fake provincial traffic ticket payment portals** (e.g., BC, Ontario, Quebec) that harvest PII and payment card data; Unit 42 attributed the activity to a broader fraud network using a phishing kit with a “waiting room” feature and infrastructure spanning **70+ domains**, including concentration on the `45.156.87.0/24` netblock.
Mar 21, 2026
Android Malware Leveraging Legitimate Apps for Surveillance and Theft
Threat actors have increasingly adopted sophisticated techniques to distribute Android malware by disguising malicious applications as legitimate ones on the Google Play Store and other platforms. Notably, the new Cellik Android RAT has been identified as turning legitimate Google Play apps into surveillance tools, enabling attackers to covertly monitor and exfiltrate sensitive user data. In parallel, operations involving the Wonderland SMS stealer have merged dropper, SMS theft, and RAT capabilities at scale, with attackers using fake Google Play Store pages, ad campaigns, and messaging apps to propagate malware, particularly targeting users in Uzbekistan. These campaigns often leverage Telegram for coordination and distribution, and employ advanced methods such as intercepting OTPs and exfiltrating contact lists to facilitate financial theft and evade detection. The evolution of Android malware now includes the use of droppers that appear harmless but deploy malicious payloads locally after installation, even without an active internet connection. The Wonderland malware, attributed to the TrickyWonders group, demonstrates bidirectional command-and-control communication, allowing real-time execution of commands and theft of SMS messages. The convergence of these techniques highlights a growing trend in mobile threat operations, where attackers exploit the trust in legitimate app platforms and social engineering to compromise devices, steal credentials, and siphon funds from victims' bank accounts.
Mar 21, 2026