A global mobile billing fraud campaign has been targeting Android users by silently subscribing them to expensive premium text services. Zimperium zLabs, which reported this campaign, has identified around 250 malicious applications involved in this operation.
These apps are built for carrier billing fraud through premium SMS abuse. The campaign has been active for nearly ten months, with the first detection in March 2025 and the most recent in the second week of January 2026.
Precise Operator Validation and Brand Lures
One of the campaign’s more notable features was its operator-level targeting. Researchers found that the malware specifically focused on mobile carriers across four countries:
- Thailand (including TrueMove H)
- Croatia (A1/VIP, Telemach, T-Mobile)
- Romania (Vodafone, Orange, Telekom)
- Malaysia (DiGi, Celcom, Maxis, U Mobile)
Before launching the fraud workflow, the malicious apps read the infected device's SIM card to identify the user's mobile network operator. This gated the malware so that it activated only on the targeted carrier networks and stayed dormant on devices on any other network, reducing unnecessary exposure.
To achieve initial access, the attackers relied on a multi-platform distribution strategy built around social engineering lures. They created fake applications impersonating widely recognized brands, including Facebook Messenger, Instagram Threads, TikTok, Minecraft, and Grand Theft Auto (GTA).
If the malware landed on a device outside the targeted networks, a fallback mechanism displayed a benign WebView of apkafa.com to reduce suspicion and evade detection.
Automated Workflows and Security Bypasses
When a matching operator was found, the malware started automated workflows to force premium subscriptions. It programmatically disabled Wi-Fi so that traffic was forced over the cellular path, which is required because direct carrier billing identifies the subscriber from the mobile data connection.
For DiGi users, it loaded hidden background WebViews and injected JavaScript to click the "Request TAC" button, auto-fill the verification code, and click "Confirm." To get past these checkpoints it abused Google's SMS Retriever API, which hands a verification SMS to the app without the app holding the SMS-reading permission, so One-Time Passwords (OTPs) and Transaction Authentication Codes (TACs) were intercepted with no prompt or warning to the user.
According to zLabs researcher and blog post author Rajat Goyal, the team identified three distinct malware variants driving the operation:
- Variant 1: Fully automated the hidden-WebView subscription process. For Maxis and U Mobile users, it sent premium SMS messages with keywords such as "ON HITZ", "ON GAM1" or "ON A3" to short codes such as +33293, +32133 and 32128.
- Variant 2: Targeted Thai users through a multi-stage engine that fetched its targets from a C2 server and sent premium SMS messages at delayed 60-second and 90-second intervals to evade carrier fraud detection. This variant also used Android's CookieManager API to steal cookies and keep authenticated sessions on the TrueMove H portal.
- Variant 3: Added real-time reporting through the Telegram Bot API, instantly exfiltrating device metadata, installation status and subscription confirmations to a private Telegram channel.
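
A triage heuristic an analyst could run over the string output of a decompiled APK, added here as an example and not Zimperium's tooling or code from the samples. The Android and Play Services identifiers it looks for (SmsRetriever, SmsManager.sendTextMessage, WifiManager.setWifiEnabled, WebView.evaluateJavascript, CookieManager, the Telegram Bot API endpoint) are real; the weights, the threshold and the two sample string dumps are constructed assumptions modelled on the behaviours, keywords and short codes described above for variants 1 to 3.

```python
"""Triage heuristic for the carrier-billing-fraud behaviours described above.
Added example, not Zimperium's tooling. Input: lines of string output from a
decompiled APK (e.g. the constant pool from jadx or `strings classes.dex`)."""
import re
from dataclasses import dataclass, field

# (label, pattern, weight). The API names are real Android / Play Services
# identifiers; the weights and THRESHOLD are assumptions for this example.
INDICATORS = [
    ("sms_retriever",  re.compile(r"SmsRetriever"),           2),  # OTP/TAC read without SMS permission
    ("send_sms",       re.compile(r"sendTextMessage"),        3),  # SmsManager: premium SMS to short codes
    ("wifi_off",       re.compile(r"setWifiEnabled"),         2),  # push traffic onto cellular for billing
    ("js_injection",   re.compile(r"evaluateJavascript|addJavascriptInterface|javascript:"), 2),
    ("cookie_manager", re.compile(r"CookieManager"),          1),  # session theft on the carrier portal
    ("telegram_bot",   re.compile(r"api\.telegram\.org/bot"), 3),  # variant 3 exfiltration channel
]
SHORT_CODE = re.compile(r"^\+?\d{4,7}$")               # 866866, +33293, 4541545 ...
SUBSCRIBE_KEYWORD = re.compile(r"^ON [A-Z0-9]{2,6}$")  # "ON HITZ", "ON GAM1", "ON A3"
THRESHOLD = 7  # assumption: tune against your own benign corpus


@dataclass
class Report:
    score: int = 0
    hits: set = field(default_factory=set)
    short_codes: list = field(default_factory=list)
    keywords: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # WebView, cookies and even SmsRetriever are normal in legitimate apps;
        # flag only when a billing action is present and the combination is rich.
        return self.score >= THRESHOLD and bool(self.hits & {"send_sms", "sms_retriever"})


def scan(lines) -> Report:
    """Score one string dump; each indicator counts once however often it appears."""
    report = Report()
    for raw in lines:
        line = raw.strip()
        for label, pattern, weight in INDICATORS:
            if label not in report.hits and pattern.search(line):
                report.hits.add(label)
                report.score += weight
        if SHORT_CODE.match(line):
            report.short_codes.append(line)
        elif SUBSCRIBE_KEYWORD.match(line):
            report.keywords.append(line)
    # A hard-coded short code sitting next to an "ON <keyword>" string is the
    # variant-1 signature; score the pair once rather than per string.
    if report.short_codes and report.keywords:
        report.hits.add("premium_sms_strings")
        report.score += 3
    return report


# Constructed string dumps (not real samples), modelled on the report's IOCs.
FRAUD_SAMPLE = [
    "Lcom/google/android/gms/auth/api/phone/SmsRetriever;",
    "Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V",
    "Landroid/net/wifi/WifiManager;->setWifiEnabled(Z)Z",
    "Landroid/webkit/WebView;->evaluateJavascript(Ljava/lang/String;Landroid/webkit/ValueCallback;)V",
    "Landroid/webkit/CookieManager;->getCookie(Ljava/lang/String;)Ljava/lang/String;",
    "https://api.telegram.org/bot",
    "ON HITZ",
    "ON GAM1",
    "+33293",
    "32128",
]
# A legitimate app that verifies a phone number and embeds a WebView.
BENIGN_SAMPLE = [
    "Lcom/google/android/gms/auth/api/phone/SmsRetriever;",
    "Landroid/webkit/WebView;->evaluateJavascript(Ljava/lang/String;Landroid/webkit/ValueCallback;)V",
    "Landroid/webkit/CookieManager;->getCookie(Ljava/lang/String;)Ljava/lang/String;",
    "https://example.invalid/terms",
]

if __name__ == "__main__":
    for name, dump in (("fraud", FRAUD_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = scan(dump)
        print(f"{name}: score={r.score} suspicious={r.suspicious} hits={sorted(r.hits)}")
```

Every indicator on its own is legitimate behaviour, which is why the verdict needs a billing action (sending SMS or reading OTPs) on top of the score. The variant 2 timing evasion lives in control flow rather than in strings, so a string-level heuristic will not see it; that is a job for dynamic analysis.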

Infrastructure and Campaign Tracking
The primary C2 domains used for the workflows and exfiltration included apizep.mwmze.com and modobomz.com. The operation also tracked installs through custom HTTP referrer headers that followed a strict pattern: https://{FakeAppName}-{Country}-{Platform}-{OperatorCode}.
This let the attackers run analytics on which distribution platforms and brand personas yielded the highest infection rates. Across the target regions, zLabs mapped at least 12 premium SMS short codes and keywords, such as "GYGO" to 866866 in Croatia, or "MOGA" and "DA" to codes like +1280 and 4541545 in Romania.
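A parser for that referrer pattern, added here as an example (not Zimperium's or the attackers' code), showing how a defender who sees the traffic in a proxy or web-server log could pull the tracking fields out and pivot on them the way the operators did. The combined-log sample lines are constructed with RFC 5737 addresses; the platform and operator values in them are placeholders, since the report does not publish those codes, and the assumption that only the app-name field can contain a hyphen is this example's, not the report's.

```python
"""Parse the install-tracking referrer shape described above out of access
logs and pivot it by platform, persona and operator. Added example, not
Zimperium's tooling."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Report pattern: https://{FakeAppName}-{Country}-{Platform}-{OperatorCode}
FIELDS = ("app", "country", "platform", "operator")

# Last two quoted fields of a combined-format access log line: Referer, User-Agent.
LOG_TAIL = re.compile(r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$')


def parse_referrer(referer: str):
    """Return {app, country, platform, operator} or None when the value does not
    fit the pattern. Assumption: country, platform and operator carry no hyphen,
    so splitting from the right keeps hyphenated app names whole."""
    parts = urlsplit(referer)
    if parts.scheme != "https" or parts.path not in ("", "/") or parts.query:
        return None
    pieces = parts.netloc.rsplit("-", 3)
    if len(pieces) != 4 or not all(pieces):
        return None
    return dict(zip(FIELDS, pieces))


def extract_referers(log_text: str):
    """Pull the Referer value out of each combined-format log line."""
    return [m.group("referer") for m in map(LOG_TAIL.search, log_text.splitlines()) if m]


def tally(referers):
    """Hits per (platform, app, operator): which lure on which platform brought
    installs on which carrier. Non-matching referers are ignored."""
    counts = Counter()
    for ref in referers:
        parsed = parse_referrer(ref)
        if parsed:
            counts[(parsed["platform"], parsed["app"], parsed["operator"])] += 1
    return counts


# Constructed log lines (RFC 5737 test addresses; platform and operator values
# are placeholders, the report does not publish them).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2026:10:01:02 +0000] "GET /api/init HTTP/1.1" 200 512 "https://TikTok-MY-Facebook-DIGI" "okhttp/4.9.0"
203.0.113.8 - - [12/Jan/2026:10:01:09 +0000] "GET /api/init HTTP/1.1" 200 512 "https://Messenger-RO-Telegram-ORANGE" "okhttp/4.9.0"
203.0.113.9 - - [12/Jan/2026:10:02:11 +0000] "GET /api/init HTTP/1.1" 200 512 "https://TikTok-MY-Facebook-DIGI" "okhttp/4.9.0"
203.0.113.10 - - [12/Jan/2026:10:03:40 +0000] "GET /status HTTP/1.1" 200 90 "https://www.example.com/page" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for key, n in tally(extract_referers(SAMPLE_LOG)).most_common():
        print(n, key)
```

A Referer whose host is a bare four-field hyphenated name with no path is itself a usable hunting signal: real browsers send a page URL, not a label. Feed the parsed fields into a SIEM alongside the C2 domains above rather than matching on the literal values, since the persona and platform names are whatever the operators chose for a given wave.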
Experts’ Perspectives
Commenting on the discovery, industry experts shared their insights with Hackread.com, warning that the campaign exposes broader flaws in the mobile security environment.
Vineeta Sangaraju, AI Research Engineer at Black Duck, explained that the scope of the problem extends past individual errors. “This campaign is a managed fraud operation. It should be read as a shared failure of controls across the entire mobile ecosystem – platform, carrier, and app distribution layer, and not simply a user awareness problem,” Sangaraju said.
"The abuse of Google's SMS Retriever API, originally designed to assist users with legitimate authentication flows, to silently harvest OTP confirmations, illustrates a recurring problem in the mobile app industry: platform APIs grant broad access without requiring appropriate transparency or warning to the user. The permission was implicitly granted; the user had no meaningful visibility into how it was being used. Equally, the WebView component that enables legitimate in-app browsing experiences is here weaponized to automate subscription workflows," Sangaraju added, highlighting the specific architectural loopholes the threat actors exploited.
Shane Barney, Chief Information Security Officer at Keeper Security, noted that the persistence and structural setup of the attack distinguish it from typical fraud setups. “Carrier billing fraud isn’t new; however, the Android malware campaign uncovered by Zimperium zLabs is worth taking note of because of how deliberately it was built to last,” Barney said.
“Ten months of sustained operations, nearly 250 applications, and a referrer-tracking system designed to measure which fake app personas and social platforms generated the highest infection rates. These threat actors weren’t rushing, they were optimizing – and that distinction matters for how security teams should think about the threat.”
Barney also emphasised that the reliance on old verification systems makes these operations highly profitable. “This attack isn’t sophisticated in the traditional sense – it doesn’t rely on breaking encryption or exploiting a zero-day. Instead, it intercepts SMS-based one-time passwords, which organizations continue to utilize despite being widely recognized as a weak form of MFA. Attackers are now building sustained, professional operations around this weakness,” Barney concluded.

