Android Malware Silently Subscribes Victims to Premium Services Without Consent

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A newly uncovered Android malware campaign has been quietly draining money from mobile users across four countries by signing them up for paid services they never asked for.

The operation ran for nearly ten months and carried out financial fraud entirely behind the scenes, using fake versions of well-known apps as its primary entry point into victims’ devices.

The campaign targeted users in Malaysia, Thailand, Romania, and Croatia, focusing specifically on people subscribed to particular mobile network operators.

Instead of broadly attacking any Android device it landed on, the malware checked a victim’s SIM card first and only acted if the carrier matched a pre-set list. This precision made the fraud far harder to detect and far more effective at avoiding security attention.

Analysts at Zimperium said in a report shared with Cyber Security News (CSN) that their zLabs team discovered nearly 250 malicious applications tied to this campaign.

The malware exploited carrier billing systems, which allow mobile operators to charge users directly through their phone bills rather than requiring a credit card.

The campaign first appeared in March 2025 and remained active through January 2026. Even after parts of the operation were identified, some supporting infrastructure was still live at the time of publication.

Impersonation apps observed in this campaign (Source – Zimperium)

Fake apps impersonated Facebook Messenger, Instagram Threads, TikTok, Minecraft, and Grand Theft Auto to trick users into installation.

What made this campaign especially dangerous was its use of real platform names and icons to appear completely trustworthy.

Operator and Geographic Targeting Distribution (Source – Zimperium)

Once installed, the app carried out its work while displaying innocent-looking content to keep victims fully unaware. Users had no reason at all to suspect anything was wrong.

Android Malware Silently Subscribes Victims

The zLabs team identified three distinct malware variants, each using a different method to complete unauthorized subscriptions.

The most advanced variant started by reading the victim’s mobile operator from SIM card data, then launched an automated subscription workflow without any visible sign of activity to the user.

This first variant used hidden web pages loaded in the background, all pointing to carrier billing portals. JavaScript commands automatically clicked the subscription button, filled in intercepted OTP codes, and confirmed the transaction.

The malware also disabled the device’s Wi-Fi, forcing all traffic over the cellular network, which carrier billing requires in order to succeed. The second variant combined silent SMS fraud with browser session hijacking.

It contacted a remote server for updated subscription instructions, allowing attackers to change targets without pushing a new app version. It also stole browser cookies from carrier billing pages to maintain authenticated access to victims’ accounts.

A third variant added real-time reporting through Telegram. Each time the malware installed itself, gained permissions, or sent a premium SMS, it fired an instant message to a private channel controlled by the attackers. Each report included the device ID, carrier name, fake app identity, and the specific action performed.

Malware samples found over time (Source – Zimperium)

Across all three variants, a referrer tracking system tagged every infection with the fake app name, country, and distribution platform. This gave attackers detailed metrics on which fake apps and social platforms were producing the most successful infections.

Evasion Tactics and Staying Protected

One of the cleverest features of this malware was its behavior on non-targeted devices. Instead of going inactive, the app loaded a harmless webpage to appear completely normal, keeping the malicious apps alive on devices far longer than expected.

To protect against threats like this, users should only download apps from official stores and be cautious of any app requesting SMS reading permissions.

Checking phone bills regularly for unfamiliar charges is a practical way to catch unauthorized subscriptions early. Keeping mobile security software updated adds another important layer of defense against carrier billing fraud.
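The behaviours described above map onto a small set of Android permissions: reading the SIM operator, intercepting the OTP, sending premium SMS and switching off Wi-Fi. The following is an added example, not code from Zimperium or the article, that scores a decoded AndroidManifest.xml against that pattern and flags a brand label that does not match the official package name; the permission weights and the official-package mapping are this example's own assumptions, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that together enable the carrier-billing fraud flow described above
# (read SIM operator, intercept OTP, send premium SMS, disable Wi-Fi). Weights and
# descriptions are this example's own assumptions, not Zimperium's scoring.
SUSPICIOUS = {
    "android.permission.READ_PHONE_STATE": ("reads SIM/carrier identity", 1),
    "android.permission.RECEIVE_SMS": ("can intercept incoming OTP messages", 3),
    "android.permission.READ_SMS": ("can read stored OTP messages", 2),
    "android.permission.SEND_SMS": ("can send premium-rate SMS", 3),
    "android.permission.CHANGE_WIFI_STATE": ("can disable Wi-Fi to force cellular", 2),
}
SMS_PERMS = {p for p in SUSPICIOUS if p.endswith("_SMS")}
# Official package names for impersonated brands (assumption by the example author).
OFFICIAL = {"tiktok": "com.zhiliaoapp.musically", "messenger": "com.facebook.orca", "instagram": "com.instagram.android"}

def assess_manifest(xml_text: str) -> dict:
    """Score a decoded AndroidManifest.xml against the carrier-billing fraud pattern."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    findings, score = [], 0
    for perm in sorted(perms & set(SUSPICIOUS)):
        desc, weight = SUSPICIOUS[perm]
        findings.append(f"{perm}: {desc}")
        score += weight
    # The combination is the real signal: carrier lookup plus SMS access.
    if perms & SMS_PERMS and "android.permission.READ_PHONE_STATE" in perms:
        findings.append("carrier lookup combined with SMS access: carrier-billing fraud pattern")
        score += 3
    for brand, official_pkg in OFFICIAL.items():
        if brand in label.lower() and pkg != official_pkg:
            findings.append(f"label '{label}' resembles {brand} but package is {pkg}")
            score += 3
    return {"package": pkg, "label": label, "score": score, "findings": findings}

# Constructed manifest of a fake "TikTok" requesting the fraud permission set.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.tiktok.free">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application android:label="TikTok"/>
</manifest>"""
```

In a real decoded manifest the label is usually a resource reference such as @string/app_name, so the brand check would need the decoded strings file as well.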

Indicators of Compromise (IoCs)

The following infrastructure indicators were identified by Zimperium’s zLabs team as part of this carrier billing fraud campaign.

Type | Indicator | Description
Domain | apizep.mwmze[.]com | Hosts DiGi carrier billing subscription pages
Domain | modobomz[.]com | Central referrer tracking and campaign analytics
Domain | api.modobomco[.]com | Alternative command and control endpoint
Domain | onesignalmdb.modobomz[.]com | Victim tracking and referrer validation hub; returns the shortcode and keyword for the device to send
Domain | onesignal.mwmze[.]com | Device metadata and carrier billing HTML source exfiltration
Domain | apkafa[.]com | Benign fallback webpage displayed on non-targeted devices to avoid detection
SMS short code | +33293 | Premium SMS short code used for Malaysia (Maxis); keyword: ON HITZ
SMS short code | +32133 | Premium SMS short code used for Malaysia (Maxis); keyword: ON GAM1
SMS short code | 32128 | Premium SMS short code used for Malaysia (U Mobile); keyword: ON A3
SMS short code | +1280 (x3) | Premium SMS short codes used for Romania (Vodafone, Orange, Telekom)
SMS short code | 4541545 / +4541341 / +4541753 / +4541370 / +4541587 / +4541162 / +4541352 / +4541544 | Additional Romania premium SMS short codes; keywords: MOGA, DA, CYGA, OK, FUVI, BM, GET, CC, VGF, HIH, RTH
SMS short code | 866866 | Premium SMS short code used for Croatia; keyword: GYGO

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
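As an added example of the re-fanging the note describes (not code from the article or from Zimperium), the block below takes a subset of the domain indicators above in their defanged form, re-fangs them inside the detection pipeline, and matches them against DNS query logs; a listed parent domain also matches its subdomains. The log lines and the log format are constructed for this example.

```python
import re

# Constructed subset of the campaign's published domain indicators, kept
# defanged exactly as a threat-intel feed would deliver them.
DEFANGED_IOCS = [
    ("apizep.mwmze[.]com", "DiGi carrier billing subscription pages"),
    ("modobomz[.]com", "referrer tracking and campaign analytics"),
    ("api.modobomco[.]com", "alternative command and control endpoint"),
    ("apkafa[.]com", "benign fallback page shown to non-targeted devices"),
]

def refang(indicator: str) -> str:
    """Undo common defanging ([.] -> ., hxxp -> http) before matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

def build_table(iocs):
    """Map each re-fanged domain to its description."""
    return {refang(domain): desc for domain, desc in iocs}

def match_ioc(hostname, table):
    """Return the matching IoC domain, or None; a listed parent domain also covers subdomains."""
    parts = hostname.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in table:
            return candidate
    return None

# Constructed DNS query log: "timestamp client qname", one query per line.
SAMPLE_LOG = """2025-11-03T09:12:41Z 10.0.0.23 api.modobomco.com
2025-11-03T09:12:42Z 10.0.0.23 onesignalmdb.modobomz.com
2025-11-03T09:13:05Z 10.0.0.41 www.example.com
2025-11-03T09:14:10Z 10.0.0.23 apkafa.com"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def scan_dns_log(log_text, iocs=DEFANGED_IOCS):
    """Return every query whose name matches a (re-fanged) indicator."""
    table = build_table(iocs)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        hit = match_ioc(qname, table)
        if hit:
            hits.append({"time": ts, "client": client, "qname": qname, "ioc": hit, "note": table[hit]})
    return hits
```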
