- What: Fake Android apps using carrier billing for premium services
- Impact: Users may be charged without consent
Dark Reading | News | Mobile Security

Fake Android Apps Commit Carrier Billing Fraud for Premium Svcs.

The disguised apps use WebView automation, JavaScript injection, and OTP interception to avoid detection and complete fraudulent subscriptions.
Jai Vijayan, Contributing Writer
May 20, 2026
5 Min Read
Source: Stockinq via Shutterstock

A financially motivated threat actor is targeting Android users in Malaysia, Thailand, Romania, and Croatia with malware that covertly enrolls victims in premium, carrier-billed services.

The campaign involves nearly 250 Android apps that selectively target users based on their specific mobile service provider and geographic location, according to researchers at Zimperium. The malware, disguised as popular applications such as Messenger, TikTok, Minecraft, and Grand Theft Auto, uses WebView automation, JavaScript injection, and OTP interception to avoid user interaction and complete fraudulent subscription workflows in the background.

A Sneaky, Persistent Campaign

Zimperium's analysis showed that, once opened, each of the malicious apps first read the device's SIM card information to identify the victim's mobile operator. The fraud workflow activated only if the operator matched a list of hardcoded targets, including DiGi, Celcom, Maxis, and U Mobile in Malaysia. If the device belonged to a non-targeted carrier, the malicious app simply displayed a harmless Web page and avoided any behavior that might trigger detection, Zimperium said.

The campaign appears to have begun in March 2025 and remained highly active through at least the second week of January 2026, with parts of its infrastructure still operational today.

"The zLabs team identified three distinct malware variants in this campaign, each demonstrating different levels of sophistication in how they silently subscribe victims to premium services once the user has unwittingly downloaded the malicious app masquerading as a trusted brand," Zimperium said.

The most technically sophisticated variant, the vendor's analysis showed, was the one targeting Malaysian users, because it automated the entire subscription process.
When carrier billing required a one-time password, the malware displayed a fake verification prompt designed to trick users into entering a code that appeared to authenticate a game account, while in fact they were authorizing a paid subscription in the background.

Leveraging Legitimate Components to Bypass Users

Zimperium found the Malaysian variant abusing Google's SMS Retriever API, a feature that lets apps automatically read one-time passwords delivered by SMS, to silently capture OTPs and then use them for billing confirmation, all without any user interaction. The malware also silently disables the victim device's Wi-Fi connection to force all traffic through the cellular network, which carrier billing portals often rely on to identify the subscriber, Zimperium said.

The second variant targets Thai users via an approach that combines direct SMS fraud with browser session hijacking. The malware first confirms that the victim is using a specific Thai mobile carrier and then automatically sends SMS messages to paid service numbers to sign the user up for multiple subscriptions. Zimperium found the malware using a legitimate-looking Web page to keep the victim occupied. In the background, hidden WebViews (the component mobile apps use to display and interact with Web content inside the app) accessed carrier billing portals, stole session cookies, and maintained authenticated sessions without user input.

The third variant combined the subscription fraud capabilities of the first two with a real-time reporting system built on Telegram. The malware immediately notified operators of every significant action, including installation, permission grants, and successful premium SMS transmission. Each notification contained the device identifier, the fake app name the victim had installed, which distribution platform had delivered the infection, which mobile operator the victim used, and a time stamp.
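The capabilities Zimperium attributes to the three variants (a SIM-operator check with hardcoded carrier names, the SMS Retriever API for silent OTP capture, disabling Wi-Fi to force the cellular path, sending premium SMS, hidden WebViews executing injected JavaScript, and Telegram-based reporting) are each individually legitimate Android features, which is why they are worth scoring together rather than one at a time. The script below is an added example and is not Zimperium's tooling or code from the campaign: it turns an unpacked APK's manifest permissions and dex strings into a triage score. The indicator list, the weights, the threshold, and the two constructed APK records (package names, permissions and strings) are assumptions chosen to illustrate the approach, not real samples.

```python
"""Static triage score for carrier-billing-fraud capability stacking.

Added example (not Zimperium's or the campaign's code). Input records are
constructed to resemble what `aapt dump badging` plus a dex strings dump
give an analyst; indicator weights and threshold are assumptions.
"""
from dataclasses import dataclass
from typing import Callable

Pred = Callable[["ApkArtifacts"], bool]


@dataclass(frozen=True)
class ApkArtifacts:
    package: str                  # hypothetical package name
    permissions: frozenset[str]   # <uses-permission> entries from the manifest
    strings: frozenset[str]       # string constants / method refs from the dex


def _mentions(*needles: str) -> Pred:
    """True if any dex string contains one of the needles. Slashes are
    normalised to dots so 'Lcom/.../SmsRetriever;' and the dotted form match."""
    def pred(a: ApkArtifacts) -> bool:
        return any(n in s.replace("/", ".") for s in a.strings for n in needles)
    return pred


def _permission(name: str) -> Pred:
    return lambda a: f"android.permission.{name}" in a.permissions


def _both(p: Pred, q: Pred) -> Pred:
    return lambda a: p(a) and q(a)


# (label, weight, predicate). Weights are assumptions; labels mirror the
# behaviours the article describes. The real Android/GMS identifiers used as
# needles (TelephonyManager.getSimOperator, SmsRetriever, WifiManager.
# setWifiEnabled, WebView JavaScript APIs) are all genuine, documented APIs.
INDICATORS: list[tuple[str, int, Pred]] = [
    ("reads SIM operator to select targets", 2,
     _both(_permission("READ_PHONE_STATE"),
           _mentions("getSimOperator", "getNetworkOperator"))),
    ("hardcoded Malaysian carrier names", 1,
     _mentions("Celcom", "Maxis", "DiGi", "U Mobile")),
    ("SMS Retriever API (silent OTP capture)", 3,
     _mentions("auth.api.phone.SmsRetriever")),
    ("can disable Wi-Fi to force cellular billing path", 2,
     _both(_permission("CHANGE_WIFI_STATE"), _mentions("setWifiEnabled"))),
    ("sends SMS itself (premium-number subscription)", 2,
     _permission("SEND_SMS")),
    ("WebView JavaScript execution / injection", 2,
     _mentions("setJavaScriptEnabled", "addJavascriptInterface",
               "evaluateJavascript")),
    ("Telegram Bot API reachable (operator reporting)", 2,
     _mentions("api.telegram.org")),
]


def score(apk: ApkArtifacts) -> tuple[int, list[str]]:
    """Return (total weight, labels of matched indicators)."""
    hits = [(label, w) for label, w, pred in INDICATORS if pred(apk)]
    return sum(w for _, w in hits), [label for label, _ in hits]


def verdict(apk: ApkArtifacts, threshold: int = 6) -> str:
    """'review' once stacked capabilities cross the threshold. One indicator
    alone (e.g. SMS Retriever in a messaging app) is normal; carrier selection
    plus OTP capture plus billing automation together is the signal."""
    total, _ = score(apk)
    return "review" if total >= threshold else "clear"


# Constructed sample 1: a 'game' carrying the whole stack.
FAKE_GAME = ApkArtifacts(
    package="com.example.fakegame",
    permissions=frozenset({
        "android.permission.INTERNET", "android.permission.READ_PHONE_STATE",
        "android.permission.CHANGE_WIFI_STATE", "android.permission.SEND_SMS",
    }),
    strings=frozenset({
        "Landroid/telephony/TelephonyManager;->getSimOperatorName",
        "Maxis", "Celcom", "U Mobile",
        "Lcom/google/android/gms/auth/api/phone/SmsRetriever;",
        "Landroid/net/wifi/WifiManager;->setWifiEnabled",
        "Landroid/webkit/WebSettings;->setJavaScriptEnabled",
        "Landroid/webkit/WebView;->evaluateJavascript",
        "https://api.telegram.org/bot",
    }),
)

# Constructed sample 2: a messenger that legitimately auto-reads its own OTP.
MESSENGER = ApkArtifacts(
    package="com.example.messenger",
    permissions=frozenset({"android.permission.INTERNET",
                           "android.permission.READ_PHONE_STATE"}),
    strings=frozenset({
        "Lcom/google/android/gms/auth/api/phone/SmsRetriever;",
        "Landroid/webkit/WebSettings;->setJavaScriptEnabled",
    }),
)

if __name__ == "__main__":
    for apk in (FAKE_GAME, MESSENGER):
        total, labels = score(apk)
        print(f"{apk.package}: score={total} verdict={verdict(apk)}")
        for label in labels:
            print(f"  - {label}")
```

The point of the weighting is the one the article makes: none of these APIs is suspicious on its own, so a vetting or triage pipeline has to react to the combination. In practice the permission and string lists would come from `aapt` and a dex decompiler rather than being typed in, and the weights would be tuned against a corpus of known-good apps to keep legitimate OTP-reading messengers below the threshold.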
This gave the operators live visibility into which fake app identities and distribution channels were generating the most successful infections. The attackers monitored malicious app distribution across TikTok, Facebook, and Google.

"This systematic approach indicates a well-organized operation with clear metrics tracking for campaign optimization," Zimperium said. "Attackers can identify which social platforms and fake app personas yield the highest conversion rates."

Controls Can't Keep Up With Abuse

The campaign represents a shared failure of controls across the entire mobile ecosystem and is more than just a simple user awareness issue, said Vineeta Sangaraju, AI research engineer at Black Duck, in emailed comments. The attackers' abuse of Google's SMS Retriever API to silently intercept OTPs and of the WebView component to automate fraudulent subscription workflows highlights recurring problems in the mobile app industry, she said. "These are not obscure attack surfaces, they are documented, widely used platform features, and the controls governing their use have not kept pace with their abuse potential."

The campaign also points to a continued weakness in mobile app store vetting, and it's noteworthy that fake apps remain easy to host on legitimate application distribution platforms. "For security teams, especially in organizations that allow BYOD, the practical response is to enforce app installation exclusively from official stores," Sangaraju said.

The campaign is significant for enterprise organizations because mobile devices carry corporate email accounts, single sign-on (SSO) sessions, and multifactor authentication (MFA) codes, added Shane Barney, chief information security officer (CISO) at Keeper Security. "This attack isn't sophisticated in the traditional sense — it doesn't rely on breaking encryption or exploiting a zero-day.
Instead, it intercepts SMS-based one-time passwords, which organizations continue to utilize despite being widely recognized as a weak form of MFA," Barney said in a statement.

The campaign underscores the growing exposure that organizations have to contend with from mobile device users. Verizon's 2026 Data Breach Investigations Report (DBIR) showed that mobile-centric social engineering, such as SMS- and voice-based attacks, was 40% more effective at getting users to engage than email-based phishing lures. Mobile devices in large organizations were targeted by SMS attacks a median of 48 times last year, Verizon found, and such attacks give adversaries a way to bypass phishing protections and reach users directly. "Threat actors continue to largely leverage email-based phishing attacks to compromise organizations; however, these attacks are getting more complex as attackers are targeting mobile devices and other unconventional vectors to reach victims," the company warned.

About the Author

Jai Vijayan, Contributing Writer

Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security, and emerging enterprise technologies. Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders. Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications. His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award