blog
May 20, 2026

Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign
Rajat Goyal

Executive Summary

zLabs has identified a sophisticated Android malware campaign conducting carrier billing fraud through premium SMS abuse across Malaysia, Thailand, Romania, and Croatia. The campaign comprises almost 250 malicious applications that selectively target users based on their mobile operator, silently subscribing victims to premium services without consent.

The malware demonstrates advanced evasion and automation capabilities, including:

- Precise regional targeting with hardcoded SIM operator validation
- Automated subscription workflows using WebView manipulation and JavaScript injection
- One-time password (OTP) interception via abuse of Google's SMS Retriever API
- Multi-platform distribution with fake apps impersonating Facebook, Instagram, TikTok, Minecraft, and Grand Theft Auto (GTA)
- Telegram-based exfiltration of device metadata and subscription confirmations

When deployed on devices with non-targeted operators, the malware employs a fallback mechanism to display benign content, thereby evading detection and maintaining persistence.

As shown in Figure 1, the campaign utilizes a wide array of impersonated app icons, ranging from popular games like Minecraft and GTA to social media platforms, to lure victims into installation.

Figure 1. Impersonation apps observed in this campaign

The Reach: Four Countries, Millions at Risk

The campaign demonstrates deliberate geographic and carrier-specific targeting, with the threat actors hardcoding extensive lists of mobile operators across four countries. The detailed distribution of these operators and geographic targets is shown in Figure 2.

Figure 2. Operator and Geographic Targeting Distribution

The campaign was first detected in March 2025 and remained active through the second week of January 2026, representing approximately 10 months of sustained fraudulent operations, as detailed in Figure 3:

Figure 3. Malware samples found over the period of time

As of publication, portions of the infrastructure remain operational.

To maximise infection rates, the threat actors disguised their malware as popular social media platforms and gaming applications. The fake apps impersonated widely recognised brands, including Facebook Messenger, Instagram Threads, TikTok, Minecraft, GTA, and other trending games and utilities.

Inside the Attack: Three Malware Variants Dissected

The zLabs team identified three distinct malware variants in this campaign, each demonstrating a different level of sophistication in how it silently subscribes victims to premium services once the user has unwittingly installed the malicious app masquerading as a trusted brand.

Variant 1: Automated Subscription Engine

This variant represents the most sophisticated approach, combining multiple deception techniques to complete premium service subscriptions entirely without user knowledge.

It first checks which mobile carrier the victim is using by reading the device's SIM card information. It compares this against a hardcoded list of targeted operators across Malaysia, including DiGi, Celcom, Maxis, and U Mobile, as shown in Figure 4. If a match is found, the fraud workflow begins. If not, the app displays a harmless webview of the apkafa[.]com webpage to avoid suspicion.

Figure 4. Hardcoded comparison of the SIM operators

For DiGi subscribers, the malware employs a particularly clever social engineering tactic. When carrier billing requires an OTP for subscription confirmation, the malware displays a fake dialog box in the Malay language that reads:

As seen in Figure 5, victims believe they are authenticating for a game account, when in reality they are authorizing a paid subscription.

Figure 5. Deceptive screen displaying and loading a hidden webview, requesting permission from the user on the next screen.
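The operator gating described above has a practical consequence for analysts: a sandbox whose SIM matches none of the hardcoded carriers only ever sees the benign fallback. The static triage check below is an added example (not code from the report or from the malware) that scans a decoded sample's string table for the real Android TelephonyManager operator-lookup methods alongside several carrier names and the SEND_SMS permission, and lists the operator names a sandbox would need to emulate; the string dump it runs on is constructed.

```python
import re

# Operators this campaign hardcodes, as named in the report (extend as needed).
TARGETED_OPERATORS = ["DiGi", "Celcom", "Maxis", "U Mobile", "TrueMove"]
# Real Android TelephonyManager methods that expose the SIM/network operator.
SIM_APIS = ["getSimOperatorName", "getSimOperator", "getNetworkOperatorName"]


def _hits(strings, needles):
    """Return the needles that occur as whole words in any string, case-insensitively."""
    found = set()
    for s in strings:
        for n in needles:
            if re.search(r"\b" + re.escape(n) + r"\b", s, re.IGNORECASE):
                found.add(n)
    return sorted(found)


def triage_strings(strings):
    """Score one sample's string dump for SIM-operator gating of premium SMS behaviour."""
    sim_calls = _hits(strings, SIM_APIS)
    operators = _hits(strings, TARGETED_OPERATORS)
    sends_sms = "android.permission.SEND_SMS" in strings
    # Reading the SIM operator and comparing it against several carrier names is the
    # gating pattern; 'operators' is also the list a sandbox SIM must present to reach
    # the fraud branch instead of the benign fallback page.
    gated = bool(sim_calls) and len(operators) >= 2
    if gated and sends_sms:
        verdict = "suspicious"
    elif gated or sends_sms:
        verdict = "review"
    else:
        verdict = "clean"
    return {"sim_calls": sim_calls, "operators": operators, "sends_sms": sends_sms,
            "operator_gated": gated, "verdict": verdict}


# Constructed sample, modelled on a decoded classes.dex string table (not a real dump).
SAMPLE_STRINGS = [
    "Landroid/telephony/TelephonyManager;->getSimOperatorName()Ljava/lang/String;",
    "DiGi", "Celcom", "Maxis", "U Mobile",
    "android.permission.SEND_SMS",
    "https://apkafa[.]com/",   # benign fallback page shown to non-targeted SIMs
    "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V",
]

if __name__ == "__main__":
    print(triage_strings(SAMPLE_STRINGS))
```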
It also abuses Google's SMS Retriever API, a legitimate feature designed to help apps automatically read OTP messages for user convenience. While Google intended this for legitimate authentication workflows, the threat actors weaponised it to intercept carrier billing confirmation codes without the user's awareness.

Behind the scenes, the malware loads hidden web pages pointing to DiGi's official carrier billing portal. The malware then uses JavaScript commands to perform the following automated actions (Figure 6):

- Click the "Request TAC" (OTP) button
- Fill in the intercepted OTP code
- Click the final "Confirm" button

This entire process happens quickly, completing the premium subscription without any visible interaction.

Figure 6. Code snippet responsible for the auto-click mechanism

To ensure the fraud succeeds, the malware programmatically disables the device's WiFi connection. This forces all traffic through the cellular network, which is required for carrier billing authentication to work properly.

For Maxis subscribers, the malware uses a simpler approach: it sends premium SMS messages to short codes such as +33293 (keyword: "ON HITZ") or +32133 (keyword: "ON GAM1"), randomly selecting between two different premium services to avoid detection patterns.

A similar approach is followed for U Mobile users: the malware sends "ON A3" to shortcode 32128.

Variant 2: Multi-Stage Subscription Engine with Cookie Theft

This variant specifically targets Thai users through a sophisticated multi-stage attack combining SMS fraud with browser hijacking. Once the malware identifies a targeted Thai operator, it immediately sends premium SMS messages to several short codes, subscribing victims to multiple services within seconds of being granted permissions.

Rather than using fixed targets, the malware contacts the attackers' server to fetch updated subscription instructions, as shown in Figure 7.
This remote control capability allows the threat actors to change targets without updating the app, test new services, and avoid detection.

Figure 7. Server response with dynamic subscription targets

To evade carrier fraud detection, the malware doesn't send all messages at once. Instead, it schedules delayed messages at 60 seconds and 90 seconds after the initial burst. This timing makes the activity appear less automated and harder to detect.

While the SMS fraud occurs silently, the app must keep the victim distracted. In the foreground, the victim sees a legitimate-looking webpage (such as the APKafe portal interface, as shown in Figure 5). However, while the user interacts with this visible webpage, the malware secretly loads hidden WebViews in the background to access additional carrier billing portals.

Figure 8. Hidden pages loaded in background

For TrueMove H users, the malware employs an advanced cookie-stealing technique. It disables WiFi to force a cellular connection, then loads the carrier's billing page invisibly. As the hidden WebView loads these pages, the browser naturally stores session cookies. The malware then extracts these cookies using Android's CookieManager API and can use them to maintain authenticated sessions with the carrier's billing system.

Throughout this process, the malware captures the HTML source of every page loaded in the background and sends it to the attackers' server, as shown in Figure 9. This allows them to monitor which techniques work and improve their attacks over time.

Figure 9. HTML content exfiltrated to the attackers' C2

To maintain the illusion of legitimacy, the visible webpage automatically clicks on random links and scrolls through content, mimicking normal browsing behaviour while the fraud happens invisibly.
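The SMS behaviour described for Variants 1 and 2 (a burst of "ON <keyword>" messages to carrier short codes, follow-ups scheduled 60 and 90 seconds after the burst, and WiFi switched off just before sending) is visible in per-app device telemetry. The detector below is an added example rather than code from the report; it assumes event records of the form (seconds, package, kind, detail) from an MDM or sandbox feed, and the records it runs on are constructed using the short codes and keywords named above.

```python
import re
from collections import defaultdict

SHORT_CODE = re.compile(r"^\+?\d{4,6}$")        # carrier short codes such as 33293 or +32133
SUBSCRIBE_KEYWORD = re.compile(r"^ON\s+\S+$")    # "ON HITZ", "ON GAM1", "ON A3"
DELAYED_OFFSETS = (60, 90)                       # scheduled follow-ups, seconds after the burst
TOLERANCE = 5                                    # scheduler jitter allowed around each offset


def analyse_sms_telemetry(events):
    """events: (t_seconds, package, kind, detail). Returns findings keyed by package."""
    by_pkg = defaultdict(lambda: {"sends": [], "wifi_off": []})
    for t, pkg, kind, detail in events:
        if kind == "sms_send":
            dest, body = detail
            if SHORT_CODE.match(dest) and SUBSCRIBE_KEYWORD.match(body):
                by_pkg[pkg]["sends"].append(t)
        elif kind == "wifi_off":
            by_pkg[pkg]["wifi_off"].append(t)
    findings = {}
    for pkg, d in by_pkg.items():
        sends = sorted(d["sends"])
        if not sends:
            continue
        t0 = sends[0]
        burst = sum(1 for t in sends if t - t0 <= 5)           # sends within seconds of the first
        delayed = [off for off in DELAYED_OFFSETS
                   if any(abs((t - t0) - off) <= TOLERANCE for t in sends)]
        wifi_cut = any(t0 - 30 <= w <= t0 for w in d["wifi_off"])  # WiFi forced off right before
        score = (burst >= 2) + (len(delayed) == len(DELAYED_OFFSETS)) + wifi_cut
        findings[pkg] = {"subscribe_sends": len(sends), "burst": burst,
                         "delayed_offsets": delayed, "wifi_cut_before_send": wifi_cut,
                         "verdict": "carrier-billing-fraud" if score >= 2 else "review"}
    return findings


SAMPLE_EVENTS = [  # constructed telemetry, not real device data
    (100, "com.example.fakegta", "wifi_off", None),
    (101, "com.example.fakegta", "sms_send", ("33293", "ON HITZ")),
    (102, "com.example.fakegta", "sms_send", ("32133", "ON GAM1")),
    (103, "com.example.fakegta", "sms_send", ("32128", "ON A3")),
    (162, "com.example.fakegta", "sms_send", ("33293", "ON HITZ")),
    (190, "com.example.fakegta", "sms_send", ("32133", "ON GAM1")),
    (300, "com.bank.app", "sms_send", ("+60123456789", "Your code is 1234")),
]

if __name__ == "__main__":
    print(analyse_sms_telemetry(SAMPLE_EVENTS))
```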
Variant 3: Real-Time Telegram Reporting

This variant combines the SMS fraud capabilities of the previous variants with instant notification to attackers via Telegram, giving them real-time visibility into successful infections. Every time the malware completes a significant action, such as installation, gaining permissions, or sending a premium SMS, it immediately sends a report to a private Telegram channel controlled by the threat actors. Each report contains the device identifier, timestamp, fake app name, distribution source, mobile operator, and the specific action that occurred. Figure 10 shows the data exfiltrated by the malware.

Figure 10. Victim device data sent via Telegram Bot API

The Telegram integration provides several advantages for the attackers: instant notifications when new victims install the malware, tracking of which distribution channels are most effective, and monitoring of technical errors in real time.

The Criminal Infrastructure: Command, Control, and Cash-Out

The threat actors operate a distributed infrastructure of domains serving different functions in the fraud workflow. The primary command and control servers handle subscription automation, victim tracking, and data exfiltration.
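The Telegram Bot API reporting described under Variant 3 is one exfiltration path that egress telemetry can catch, because every report is an HTTPS call to the fixed api.telegram.org/bot<token>/<method> URL shape from an app that has no business talking to Telegram. The detector below is an added example rather than code from the report; it assumes egress records carrying the package name, URL and POST body, and the report field layout (id|app|src|op|action) is constructed because the report does not reproduce the exact message format.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Telegram Bot API URLs are https://api.telegram.org/bot<id>:<secret>/<method> (real format).
BOT_API = re.compile(r"https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[\w-]+)/(?P<method>\w+)")
# Packages allowed to reach Telegram; Bot API calls from any other app are reviewed.
ALLOWED_PACKAGES = {"org.telegram.messenger"}


def detect_bot_exfil(records):
    """records: dicts with pkg, url, body (assumed egress telemetry). Returns findings."""
    findings = []
    for rec in records:
        m = BOT_API.search(rec["url"])
        if not m or rec["pkg"] in ALLOWED_PACKAGES:
            continue
        params = parse_qs(rec["body"])
        text = params.get("text", [""])[0]
        # Constructed report layout: key:value pairs separated by '|'.
        report = dict(kv.split(":", 1) for kv in text.split("|") if ":" in kv)
        # The bot secret identifies the attacker's bot but is a credential: keep only the id.
        findings.append({"pkg": rec["pkg"], "bot_id": m["bot_id"], "method": m["method"],
                         "chat_id": params.get("chat_id", [""])[0], "report": report})
    return findings


def victims_by_operator(findings):
    """Distinct reported device ids per operator: the list a responder hands to each carrier."""
    per_op = defaultdict(set)
    for f in findings:
        rep = f["report"]
        if "op" in rep and "id" in rep:
            per_op[rep["op"]].add(rep["id"])
    return {op: sorted(ids) for op, ids in per_op.items()}


SAMPLE_EGRESS = [  # constructed telemetry, not real captures; token and chat id are dummies
    {"pkg": "com.example.fakegta", "url": "https://api.telegram.org/bot123456789:EXAMPLE_SECRET/sendMessage",
     "body": "chat_id=-1001234567890&text=id:dev-a1|app:GTA|src:apkafa|op:DiGi|action:installed"},
    {"pkg": "com.example.fakegta", "url": "https://api.telegram.org/bot123456789:EXAMPLE_SECRET/sendMessage",
     "body": "chat_id=-1001234567890&text=id:dev-b2|app:Minecraft|src:apkafa|op:Maxis|action:sms_sent"},
    {"pkg": "org.telegram.messenger", "url": "https://api.telegram.org/bot1:x/getMe", "body": ""},
    {"pkg": "com.example.news", "url": "https://example.com/api/v1/feed", "body": ""},
]

if __name__ == "__main__":
    hits = detect_bot_exfil(SAMPLE_EGRESS)
    print(len(hits), "bot API report(s);", victims_by_operator(hits))
```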
Primary C2 Domains:

- apizep.mwmze[.]com - Hosts DiGi carrier billing subscription pages
- modobomz[.]com - Central referrer tracking and campaign analytics
- api.modobomco[.]com - Alternative command and control endpoint
- onesignalmdb.modobomz[.]com - Victim tracking and referrer validation hub; also returns the shortcode and keyword to be sent from the device
- onesignal.mwmze[.]com - Device metadata and carrier billing HTML source exfiltration

The DiGi-specific subscription URLs follow a consistent pattern, redirecting victims through the attacker's infrastructure before landing on legitimate carrier billing portals:

These intermediate URLs allow the attackers to log each subscription attempt before the final carrier confirmation.

Premium SMS Destinations

Across all variants, zLabs identified at least 12 distinct premium SMS short codes being exploited by the campaign. The table below shows a bunch of destinations and associ