Android Malware Silently Signs Users Up for Paid Services

A sophisticated mobile billing fraud campaign has been quietly draining Android users’ wallets by secretly enrolling them in expensive premium SMS services — all without their knowledge or consent. Discovered by cybersecurity researchers at Zimperium zLabs, the operation involved roughly 250 malicious applications and ran undetected for nearly ten months, first surfacing in March 2025 and remaining active into January 2026.

How the Attack Worked

The malware was engineered to commit carrier billing fraud by exploiting the premium SMS billing infrastructure used by mobile network operators. Before executing its fraud workflow, each malicious app first verified the victim’s SIM card to confirm they were subscribed to a targeted mobile carrier. If the device wasn’t on a supported network, the app would quietly load a benign-looking webpage to avoid raising suspicion.

Targeted carriers spanned four countries: Thailand (TrueMove H), Croatia (A1/VIP, Telemach, T-Mobile), Romania (Vodafone, Orange, Telekom), and Malaysia (DiGi, Celcom, Maxis, U Mobile). This precision targeting allowed the threat actors to maximize their fraud returns while minimizing detection risk.

The Deception Layer

To lure victims into installing these malicious apps, attackers impersonated well-known brands including Facebook Messenger, Instagram Threads, TikTok, Minecraft, and Grand Theft Auto. These convincing fakes were distributed across multiple platforms using social engineering tactics designed to exploit user trust.

Once installed on a targeted device, the malware disabled Wi-Fi to force cellular data connections required for carrier billing authentication. It then used hidden WebViews and JavaScript injection to silently click subscription buttons, auto-fill verification codes, and confirm premium service enrollments — all invisible to the user. To intercept one-time passwords (OTPs) and Transaction Authentication Codes (TACs), the malware abused Google’s SMS Retriever API, a tool originally designed to streamline legitimate authentication flows.

Three Variants, One Goal

Researchers identified three distinct malware variants driving the campaign. The first fully automated hidden WebView-based subscription fraud and sent premium SMS keywords to short codes. The second targeted Thai users via a multi-stage engine that fetched targets from a command-and-control (C2) server, introduced deliberate delays between actions to evade fraud detection, and even stole browser cookies to maintain authenticated sessions. The third variant integrated real-time reporting via the Telegram Bot API, instantly exfiltrating device data and subscription confirmations to a private Telegram channel operated by the attackers.

Infrastructure and Expert Reactions

The campaign’s C2 infrastructure relied on domains such as apizep.mwmze.com and modobomz.com. A custom HTTP referrer tracking system allowed the threat actors to analyze which fake app identities and social platforms generated the highest infection rates — a hallmark of a professionally managed operation.
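The behaviours described above (SIM/carrier check, Wi-Fi disabling, hidden JavaScript-enabled WebView, SMS Retriever abuse, premium SMS, Telegram exfiltration and the two C2 domains named in this section) combine into a static triage heuristic. This is an added example, not Zimperium's tooling or code from the apps; it assumes the input is the list of permissions, smali-style API references and string constants recovered from an APK with a decompiler, and the two sample inputs are constructed.

```python
"""Static triage for the carrier-billing-fraud behaviour described in the article.

Each indicator is legitimate on its own (SMS Retriever and JS-enabled WebViews are
common in benign apps), so the verdict only escalates when the reported combination
co-occurs or a known C2 domain appears. Sample inputs below are constructed.
"""
from dataclasses import dataclass, field

# (rule name, substrings that evidence it, weight)
RULES = [
    ("carrier_check", ("TelephonyManager;->getSimOperator", "TelephonyManager;->getNetworkOperator"), 1),
    ("wifi_disable", ("WifiManager;->setWifiEnabled", "android.permission.CHANGE_WIFI_STATE"), 2),
    ("webview_js", ("WebSettings;->setJavaScriptEnabled", "WebView;->evaluateJavascript"), 1),
    ("sms_retriever", ("com.google.android.gms.auth.api.phone.SMS_RETRIEVED", "SmsRetriever"), 1),
    ("premium_sms", ("android.permission.SEND_SMS", "SmsManager;->sendTextMessage"), 2),
    ("telegram_exfil", ("api.telegram.org/bot",), 2),
    ("known_c2", ("apizep.mwmze.com", "modobomz.com"), 5),  # domains named in the report
]
# The described fraud workflow needs all four of these together.
CORE = {"carrier_check", "wifi_disable", "webview_js", "sms_retriever"}

@dataclass
class Triage:
    hits: set = field(default_factory=set)
    score: int = 0
    verdict: str = "benign"

def triage(artifacts):
    """artifacts: iterable of permission names, API references and strings from one APK."""
    blob = "\n".join(artifacts)
    t = Triage()
    for name, needles, weight in RULES:
        if any(n in blob for n in needles):
            t.hits.add(name)
            t.score += weight
    if "known_c2" in t.hits or CORE <= t.hits:
        t.verdict = "likely_billing_fraud"
    elif len(CORE & t.hits) >= 3:
        t.verdict = "review"
    return t

# Constructed sample resembling the reported apps (not real extracted artefacts).
FRAUD_SAMPLE = [
    "android.permission.INTERNET", "android.permission.CHANGE_WIFI_STATE", "android.permission.SEND_SMS",
    "Landroid/telephony/TelephonyManager;->getSimOperator()Ljava/lang/String;",
    "Landroid/net/wifi/WifiManager;->setWifiEnabled(Z)Z",
    "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V",
    "com.google.android.gms.auth.api.phone.SMS_RETRIEVED",
    "Landroid/telephony/SmsManager;->sendTextMessage(...)V",
]
# Constructed benign messenger: SMS Retriever plus a JS WebView, used legitimately.
BENIGN_SAMPLE = [
    "android.permission.INTERNET",
    "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V",
    "com.google.android.gms.auth.api.phone.SMS_RETRIEVED",
]
```

Run `triage(FRAUD_SAMPLE)` and `triage(BENIGN_SAMPLE)` to compare the two verdicts; the benign app still registers `sms_retriever` and `webview_js` hits but stays below the escalation threshold.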

Industry experts reacted strongly to the findings. Vineeta Sangaraju of Black Duck called it “a shared failure of controls across the entire mobile ecosystem — platform, carrier, and app distribution layer.” She specifically highlighted the abuse of Google’s SMS Retriever API as a systemic problem, noting that users had no meaningful visibility into how that permission was being exploited.

Shane Barney, CISO at Keeper Security, pointed out the campaign’s deliberate, optimized nature. “Ten months of sustained operations, nearly 250 applications, and a referrer-tracking system designed to measure which fake app personas yielded the highest infection rates — these threat actors weren’t rushing, they were optimizing,” Barney said. He also stressed that the continued reliance on SMS-based OTPs makes users vulnerable to exactly this type of sustained fraud operation.

What You Should Do

Android users should only install apps from the official Google Play Store, scrutinize app permissions carefully, review monthly phone bills for unexpected charges, and consider using mobile security solutions capable of detecting behavioral anomalies. Carriers and platform providers must also take greater responsibility in closing the systemic gaps that make these attacks not just possible, but profitable.
