Premium Deception: 250 Fake Android Apps Used in 10-Month Carrier Billing Fraud Campaign
A 10-month Android malware campaign dubbed 'Premium Deception' used nearly 250 fake apps to silently enroll victims in premium SMS subscriptions via carrier billing, primarily targeting users in Southeast Asia and Eastern Europe.

A 10-month Android malware campaign has used nearly 250 fake apps to sign victims up to premium services on their mobile bills, with hardcoded operator targeting for users in Malaysia, Thailand, Romania and Croatia.
According to new analysis from Zimperium's zLabs research team, the operation, dubbed Premium Deception by the mobile security company, ran from March 2025 to mid-January 2026. Portions of the infrastructure remain online at the time of publication. The fake apps impersonate widely recognized brands, including Facebook Messenger, Instagram Threads, TikTok, Minecraft and Grand Theft Auto.
zLabs identified three malware variants of escalating sophistication. The most advanced, deployed against Malaysian DiGi subscribers, automated the entire subscription workflow end to end. After reading the device's SIM operator code and matching it against a hardcoded list, the malware disables Wi-Fi to force traffic onto the cellular network, loads DiGi's official billing portal in a hidden WebView and runs JavaScript to click the "Request TAC" button, fill in the intercepted one-time password (OTP) and confirm the subscription. The OTP itself is harvested by abusing Google's SMS Retriever API, a legitimate Android feature designed to read confirmation codes automatically without prompting the user.
A second variant targeted Thai users with a multi-stage attack that fetched dynamic subscription targets from a command-and-control (C2) server, scheduled delayed SMS at 60- and 90-second intervals to defeat automated fraud detection and harvested session cookies from hidden carrier billing pages. A third variant added real-time Telegram reporting, with the bot pinging attackers whenever a device was infected, permissions were granted or a premium SMS was sent.
The campaign infrastructure points to a well-organized commercial operation. Each malicious sample embeds an HTTP referrer header in the format {FakeAppName}-{Country}-{Platform}-{OperatorCode}, allowing attackers to measure which fake personas and distribution channels (TikTok, Facebook, Google) drive the most successful infections. When deployed on a device whose SIM operator falls outside the target list, the malware silently displays a benign webview of apkafa.com to avoid suspicion and maintain persistence, an evasion pattern Zimperium maps to MITRE ATT&CK technique T1628.001.
zLabs identified at least 12 premium SMS short codes being abused across the four targeted countries, alongside C2 infrastructure spanning the modobomz[.]com and mwmze[.]com domains. The apps were distributed through third-party stores, bypassing Google Play's security checks. To defend against this and similar threats, users should avoid sideloading Android apps from third-party stores, audit installed apps against trusted brand names and review recent mobile bills for unexplained subscription charges.
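The two indicators above that a defender can actually hunt for in network telemetry are the {FakeAppName}-{Country}-{Platform}-{OperatorCode} referrer string and the two C2 domains. The following is an added example, not code from Zimperium or from the campaign, that parses constructed proxy log lines and flags both indicators. The log format, the sample IPs, and the assumption that the country field is an ISO 3166 alpha-2 code and the operator code a numeric MCC+MNC are all assumptions of this example, not details from the report.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample proxy log lines for illustration (not real traffic).
# Assumed format: "<timestamp> <client-ip> <method> <host> <path> referer=<value>"
SAMPLE_LOG = """\
2025-06-02T10:14:01Z 10.0.0.12 GET modobomz.com /api/sub referer=Messenger-MY-TikTok-50216
2025-06-02T10:14:05Z 10.0.0.12 GET example.com /index.html referer=https://example.com/
2025-06-02T10:15:30Z 10.0.0.31 POST mwmze.com /report referer=Minecraft-TH-Facebook-52001
2025-06-02T10:16:00Z 10.0.0.40 GET apkafa.com / referer=-
2025-06-02T10:17:12Z 10.0.0.55 GET cdn.example.net /banner.png referer=GTA-MY-Facebook-50216
"""

# C2 domains named in the report, with the defanging brackets removed so they
# match hostnames as they appear in logs.
C2_DOMAINS = {"modobomz.com", "mwmze.com"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) "
    r"(?P<path>\S+) referer=(?P<referer>\S*)$"
)


@dataclass(frozen=True)
class Persona:
    app: str
    country: str
    platform: str
    operator: str


def parse_persona(referer: str) -> Optional[Persona]:
    """Parse the {FakeAppName}-{Country}-{Platform}-{OperatorCode} telemetry string.

    Split from the right so that hyphens inside the fake app name stay with the
    app name. The shape checks on country (two uppercase letters) and operator
    code (5-6 digits, assumed MCC+MNC) are this example's assumptions.
    """
    parts = referer.rsplit("-", 3)
    if len(parts) != 4:
        return None
    app, country, platform, operator = parts
    if not (
        app
        and re.fullmatch(r"[A-Z]{2}", country)
        and re.fullmatch(r"[A-Za-z]+", platform)
        and re.fullmatch(r"\d{5,6}", operator)
    ):
        return None
    return Persona(app, country, platform, operator)


@dataclass(frozen=True)
class Finding:
    client: str
    host: str
    reasons: tuple
    persona: Optional[Persona]


def scan_log(text: str) -> list:
    """Return one Finding per log line that hits a C2 domain or carries the
    campaign's referrer format. Lines not matching the assumed format are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["host"].lower() in C2_DOMAINS:
            reasons.append("known-c2-domain")
        persona = parse_persona(m["referer"])
        if persona is not None:
            reasons.append("campaign-referer-format")
        if reasons:
            findings.append(Finding(m["client"], m["host"], tuple(reasons), persona))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The referrer check is deliberately kept separate from the domain check: the last sample line hits neither C2 domain yet still carries the telemetry string, which is the kind of hit you want when the operators rotate infrastructure but keep the same campaign-tracking convention. The apkafa.com decoy page is intentionally not treated as an indicator on its own, since the report describes it as a benign page shown to out-of-scope devices.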
Zimperium's analysis reveals three distinct malware variants in the campaign, with the most sophisticated targeting Malaysian users by abusing Google's SMS Retriever API to silently intercept OTPs and disabling Wi-Fi to force carrier billing traffic. The attackers also use Telegram for real-time reporting of infections, including device identifiers and distribution platform metrics, indicating a well-organized operation with live campaign optimization.