A financially motivated threat actor is targeting Android users in Malaysia, Thailand, Romania, and Croatia with malware that covertly enrolls victims in premium, carrier-billed services.
The campaign involves nearly 250 Android apps that selectively target users based on their specific mobile service provider and geographic location, according to researchers at Zimperium. The malware — disguised as popular applications such as Messenger, TikTok, Minecraft, and Grand Theft Auto — uses WebView automation, JavaScript injection, and OTP interception to avoid user interaction and complete fraudulent subscription workflows in the background.
A Sneaky, Persistent Campaign
Zimperium’s analysis showed that, once opened, each of the malicious apps first read the device’s SIM card information to identify the victim’s mobile operator. The fraud workflow activated only if the operator matched a list of hardcoded targets, including DiGi, Celcom, Maxis, and U Mobile in Malaysia. If the device belonged to a non-targeted carrier, the malicious app simply displayed a harmless Web page and avoided any behavior that might trigger detection, Zimperium said.
The campaign appears to have begun in March 2025 and remained highly active through at least the second week of January, with parts of its infrastructure still operational today.
“The zLabs team identified three distinct malware variants in this campaign, each demonstrating different levels of sophistication in how they silently subscribe victims to premium services once the user has unwittingly downloaded the malicious app masquerading as a trusted brand,” Zimperium said.
The most technically sophisticated variant, the vendor’s analysis showed, was the one targeting Malaysian users, because it automated the entire subscription process. When carrier billing required a one-time password, the malware displayed a fake verification prompt designed to trick users into entering a code that appeared to authenticate a game account, while in reality they were authorizing a paid subscription in the background.
Leveraging Legitimate Components to Bypass Users
Zimperium found the malware variant abusing Google’s SMS Retriever API — a feature to help apps automatically detect one-time passwords — to silently capture OTPs and then use them for billing confirmation, all without any user interaction. The malware also silently disables the victim device’s Wi-Fi connection to force all traffic through the cellular network, which often is key for carrier billing authentication, Zimperium said.
The second variant targets Thai users via an approach that combines direct SMS fraud with browser session hijacking. The malware first confirms whether the victim is using a specific Thai mobile carrier and then automatically sends SMS messages to paid service numbers to sign the user up for multiple subscriptions. Zimperium found the malware using a legitimate-looking Web page to keep the victim occupied. In the background, hidden WebViews — which mobile apps use to display and interact with Web content inside a mobile app — accessed carrier billing portals, stole session cookies, and maintained authenticated sessions without user input.
The third variant combined the subscription fraud capabilities of the first two with a real-time reporting system built on Telegram. The malware immediately notified operators of every significant action, including installation, permission grants, and successful premium SMS transmission. Each notification contained the device identifier, the fake app name the victim had installed, which distribution platform had delivered the infection, which mobile operator the victim used, and a time stamp. This gave the operators live visibility into which fake app identities and distribution channels were generating the most successful infections. The attackers monitored malicious app distribution across TikTok, Facebook, and Google.
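The behaviors Zimperium describes across the three variants (carrier gating via the SIM operator, hidden JavaScript-enabled WebViews, SMS Retriever OTP capture, Wi-Fi toggling, premium SMS sending, and Telegram reporting) can be turned into a triage heuristic for static-analysis output. The script below is an added example for defenders, not code from Zimperium or the article; the indicator weights, the threshold, and the two sample app records are constructed assumptions, while the Android and Google Play services identifiers are real.

```python
# Triage heuristic over Android static-analysis output (declared permissions plus
# API references/strings), modelled on the behaviours reported in this campaign.
# Added example: weights, threshold and sample records are constructed assumptions.

# Real framework/GMS identifiers for the behaviours named in the article.
# Note the Malaysian variant needs no SMS permission: SMS Retriever delivers the
# OTP to the app, so matching on API references matters more than on permissions.
INDICATORS = {
    "carrier_gating": ("android/telephony/TelephonyManager;->getSimOperator", 2),
    "webview_js":     ("android/webkit/WebSettings;->setJavaScriptEnabled", 1),
    "sms_retriever":  ("com/google/android/gms/auth/api/phone/SmsRetriever", 2),
    "wifi_toggle":    ("android/net/wifi/WifiManager;->setWifiEnabled", 2),
    "send_sms":       ("android.permission.SEND_SMS", 1),
    "telegram_c2":    ("api.telegram.org/bot", 2),
}
# Pairs that together describe the fraud workflow rather than one benign feature
# (a banking app may legitimately use SMS Retriever on its own).
COMBOS = {("carrier_gating", "sms_retriever"): 3, ("carrier_gating", "send_sms"): 3}
THRESHOLD = 6  # assumption: anything at or above this score goes to manual review

def score_app(permissions, artifacts):
    """Return (sorted indicator names, score) for one app's static-analysis output."""
    haystack = set(permissions) | set(artifacts)
    hits = {name for name, (needle, _) in INDICATORS.items()
            if any(needle in item for item in haystack)}
    score = sum(INDICATORS[h][1] for h in hits)
    score += sum(bonus for pair, bonus in COMBOS.items() if hits.issuperset(pair))
    return sorted(hits), score

def is_suspicious(permissions, artifacts):
    return score_app(permissions, artifacts)[1] >= THRESHOLD

# Constructed sample records (not real apps): a banking app that legitimately uses
# SMS Retriever, and a fake game matching the Malaysian variant's profile.
BANK_APP = (
    {"android.permission.INTERNET"},
    {"Lcom/google/android/gms/auth/api/phone/SmsRetriever;",
     "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V"},
)
FAKE_GAME = (
    {"android.permission.INTERNET", "android.permission.CHANGE_WIFI_STATE",
     "android.permission.READ_PHONE_STATE"},
    {"Landroid/telephony/TelephonyManager;->getSimOperator()Ljava/lang/String;",
     "Lcom/google/android/gms/auth/api/phone/SmsRetriever;",
     "Landroid/net/wifi/WifiManager;->setWifiEnabled(Z)Z",
     "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V",
     "https://api.telegram.org/bot<TOKEN>/sendMessage"},  # <TOKEN> is a placeholder
)

if __name__ == "__main__":
    for label, (perms, arts) in (("bank", BANK_APP), ("fake_game", FAKE_GAME)):
        hits, score = score_app(perms, arts)
        print(f"{label}: score={score} suspicious={score >= THRESHOLD} hits={hits}")
```

The bank record scores 3 and stays below the threshold, while the fake game scores 12 because the carrier check combined with SMS Retriever use is what distinguishes the fraud workflow from an ordinary OTP autofill feature.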
“This systematic approach indicates a well-organized operation with clear metrics tracking for campaign optimization,” Zimperium said. “Attackers can identify which social platforms and fake app personas yield the highest conversion rates.”
Controls Can’t Keep Up With Abuse
The campaign represents a shared failure of controls across the entire mobile ecosystem and is more than just a simple user awareness issue, said Vineeta Sangaraju, AI research engineer at Black Duck, in emailed comments. The attacker’s abuse of Google’s SMS Retriever API to silently intercept OTPs and of the WebView component to automate fraudulent subscription workflows highlights recurring problems in the mobile app industry, she said. “These are not obscure attack surfaces, they are documented, widely used platform features, and the controls governing their use have not kept pace with their abuse potential.” The campaign also points to a continued mobile weakness in app store vetting, and it’s noteworthy that fake apps remain easy to host on legitimate application distribution platforms. “For security teams, especially in organizations that allow BYOD, the practical response is to enforce app installation exclusively from official stores,” Sangaraju said.
The campaign is significant for enterprise organizations because mobile devices carry corporate email accounts, single sign-on (SSO) sessions, and multifactor authentication (MFA) codes, added Shane Barney, chief information security officer (CISO) at Keeper Security. “This attack isn’t sophisticated in the traditional sense — it doesn’t rely on breaking encryption or exploiting a zero-day. Instead, it intercepts SMS-based one-time passwords, which organizations continue to utilize despite being widely recognized as a weak form of MFA,” Barney said in a statement.
The campaign underscores the growing exposure that organizations have to contend with from mobile device users. Verizon’s 2026 Data Breach Investigations Report (DBIR) showed that mobile-centric social engineering — like SMS and voice-based attacks — was 40% more effective at getting users to engage than email-based phishing lures. The median number of times mobile devices in large organizations were targeted in SMS attacks last year was 48, and such attacks gave attackers a way to bypass phishing protections and directly reach users, Verizon said. “Threat actors continue to largely leverage email-based phishing attacks to compromise organizations; however, these attacks are getting more complex as attackers are targeting mobile devices and other unconventional vectors to reach victims,” the company warned.