Android Malware Silently Auto-Subscribes Victims to Paid Services
A newly uncovered Android malware campaign is quietly draining money from mobile users across four countries. This insidious threat operates by silently subscribing victims to premium paid services they never authorized, leading to unexpected charges, as detailed in recent research findings.
The operation ran for nearly ten months and carried out financial fraud entirely behind the scenes, using fake versions of well-known apps as its primary entry point into victims’ devices.
The campaign targeted users in Malaysia, Thailand, Romania, and Croatia, focusing specifically on people subscribed to particular mobile network operators.
Instead of broadly attacking any Android device it landed on, the malware checked a victim’s SIM card first and only acted if the carrier matched a pre-set list. This precision made the fraud far harder to detect and far more effective at avoiding security attention.
Analysts at Zimperium said in a report shared with Cyber Security News (CSN) that their zLabs team discovered nearly 250 malicious applications tied to this campaign.
The malware exploited carrier billing systems, which allow mobile operators to charge users directly through their phone bills rather than requiring a credit card.
The campaign first appeared in March 2025 and remained active through January 2026. Even after parts of the operation were identified, some supporting infrastructure was still live at the time of publication.

Fake apps impersonated Facebook Messenger, Instagram Threads, TikTok, Minecraft, and Grand Theft Auto to trick users into installation.
What made this campaign especially dangerous was its use of real platform names and icons to appear completely trustworthy.

Once installed, the app carried out its work while displaying innocent-looking content to keep victims fully unaware. Users had no reason at all to suspect anything was wrong.
Android Malware Silently Subscribes Victims
The zLabs team identified three distinct malware variants, each using a different method to complete unauthorized subscriptions.
The most advanced variant started by reading the victim’s mobile operator from SIM card data, then launched an automated subscription workflow without any visible sign of activity to the user.
This first variant used hidden web pages loaded in the background, all pointing to carrier billing portals. JavaScript commands automatically clicked the subscription button, filled in intercepted OTP codes, and confirmed the transaction.
The malware also disabled the device’s Wi-Fi, forcing all traffic through the cellular network required for carrier billing to succeed.

The second variant targeted Thai users and combined silent SMS fraud with browser session hijacking.
It contacted a remote server for updated subscription instructions, allowing attackers to change targets without pushing a new app version. It also stole browser cookies from carrier billing pages to maintain authenticated access to victims’ accounts.
A third variant added real-time reporting through Telegram. Each time the malware installed itself, gained permissions, or sent a premium SMS, it fired an instant message to a private channel controlled by the attackers. Each report included the device ID, carrier name, fake app identity, and the specific action performed.

Across all three variants, a referrer tracking system tagged every infection with the fake app name, country, and distribution platform. This gave attackers detailed metrics on which fake apps and social platforms were producing the most successful infections.
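The behaviours described above map onto a recognisable Android permission footprint: reading the SIM operator (READ_PHONE_STATE), intercepting OTP SMS (RECEIVE_SMS, READ_SMS), sending premium SMS (SEND_SMS), and forcing traffic off Wi-Fi (CHANGE_WIFI_STATE), all alongside INTERNET. The following static triage script is an added example, not Zimperium's tooling or anything from the campaign's code; it parses a decoded AndroidManifest.xml and scores that combination. The scoring weights, the capability names and the two sample manifests (package names `com.example.fakeapp` and `com.example.notes`) are constructed for illustration.

```python
"""Static triage of an Android manifest for the permission combination used
by carrier-billing subscription fraud (added example; scoring is a heuristic)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Capability -> permissions that grant it. Each capability corresponds to a
# behaviour the report describes; the capability labels are our own.
CAPABILITIES = {
    "read_sim_operator": {"android.permission.READ_PHONE_STATE"},
    "intercept_sms": {"android.permission.RECEIVE_SMS",
                      "android.permission.READ_SMS"},
    "send_premium_sms": {"android.permission.SEND_SMS"},
    "toggle_wifi": {"android.permission.CHANGE_WIFI_STATE"},
    "network": {"android.permission.INTERNET"},
}

# Constructed sample manifests (decoded, as produced by apktool or similar).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application android:label="Messenger"/>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Notes"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def triage(manifest_xml: str) -> dict:
    """Score the manifest; SMS interception/sending with network access is
    the minimum footprint of the silent-subscription workflow, and the SIM
    and Wi-Fi permissions push the score higher."""
    perms = declared_permissions(manifest_xml)
    caps = {cap for cap, needed in CAPABILITIES.items() if perms & needed}
    score = 0
    if "intercept_sms" in caps:
        score += 2
    if "send_premium_sms" in caps:
        score += 2
    if "network" in caps and caps & {"intercept_sms", "send_premium_sms"}:
        score += 1
    if "read_sim_operator" in caps:
        score += 1
    if "toggle_wifi" in caps:
        score += 1
    verdict = "review" if score >= 4 else ("watch" if score >= 2 else "clean")
    return {"permissions": sorted(perms), "capabilities": sorted(caps),
            "score": score, "verdict": verdict}


if __name__ == "__main__":
    for label, manifest in (("fakeapp", SUSPICIOUS_MANIFEST),
                            ("notes", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

A manifest declaration is only a request, so a high score means "look closer" (at the WebView usage, the SMS receiver and any Telegram or C2 traffic), not a conviction; the point is to surface apps whose declared permissions have no plausible relation to what they claim to be.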
Evasion Tactics and Staying Protected
One of the cleverest features of this malware was its behavior on non-targeted devices. Instead of going inactive, the app loaded a harmless webpage to appear completely normal, keeping the malicious apps alive on devices far longer than expected.
To protect against threats like this, users should only download apps from official stores and be cautious of any app requesting SMS reading permissions.
Checking phone bills regularly for unfamiliar charges is a practical way to catch unauthorized subscriptions early. Keeping mobile security software updated adds another important layer of defense against carrier billing fraud.
Indicators of Compromise (IoCs)
The following infrastructure indicators were identified by Zimperium’s zLabs team as part of this carrier billing fraud campaign.
| Type | Indicator | Description |
|---|---|---|
| Domain | apizep.mwmze[.]com | Hosts DiGi carrier billing subscription pages |
| Domain | modobomz[.]com | Central referrer tracking and campaign analytics |
| Domain | api.modobomco[.]com | Alternative command and control endpoint |
| Domain | onesignalmdb.modobomz[.]com | Victim tracking and referrer validation hub; returns shortcode and keyword for device to send |
| Domain | onesignal.mwmze[.]com | Device metadata and carrier billing HTML source exfiltration |
| Domain | apkafa[.]com | Benign fallback webpage displayed on non-targeted devices to avoid detection |
| SMS Short Code | +33293 | Premium SMS short code used for Malaysia (Maxis) — keyword: ON HITZ |
| SMS Short Code | +32133 | Premium SMS short code used for Malaysia (Maxis) — keyword: ON GAM1 |
| SMS Short Code | 32128 | Premium SMS short code used for Malaysia (U Mobile) — keyword: ON A3 |
| SMS Short Code | +1280 (x3) | Premium SMS short codes used for Romania (Vodafone, Orange, Telekom) |
| SMS Short Code | 4541545 / +4541341 / +4541753 / +4541370 / +4541587 / +4541162 / +4541352 / +4541544 | Additional Romania premium SMS short codes — keywords: MOGA, DA, CYGA, OK, FUVI, BM, GET, CC, VGF, HIH, RTH |
| SMS Short Code | 866866 | Premium SMS short code used for Croatia — keyword: GYGO |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
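To show how the defanged domains above are put to use on the defensive side, here is an added example (not part of the article or of Zimperium's report) that refangs the published indicators in memory and matches them, including subdomains, against DNS query log lines. The log format (`query=` fields) and the log lines themselves are constructed; the domains are the ones listed in the table.

```python
"""Refang the article's defanged domain IoCs and match DNS logs against them
(added example; log format and log lines are constructed)."""
import re

# Domains exactly as published in the IoC table, still defanged.
DEFANGED_DOMAINS = [
    "apizep.mwmze[.]com",
    "modobomz[.]com",
    "api.modobomco[.]com",
    "onesignalmdb.modobomz[.]com",
    "onesignal.mwmze[.]com",
    "apkafa[.]com",
]

# Constructed DNS resolver log lines; only the query= field matters here.
SAMPLE_DNS_LOG = [
    "2026-01-12T10:04:31Z client=10.0.0.12 query=api.modobomco.com type=A",
    "2026-01-12T10:04:32Z client=10.0.0.12 query=www.example.com type=A",
    "2026-01-12T10:05:01Z client=10.0.0.31 query=onesignal.mwmze.com. type=A",
    "2026-01-12T10:05:07Z client=10.0.0.31 query=cdn.apkafa.com type=A",
    "2026-01-12T10:05:09Z client=10.0.0.31 heartbeat ok",
    "2026-01-12T10:06:00Z client=10.0.0.44 query=modobomzx.com type=A",
]


def refang(indicator: str) -> str:
    """Undo the common defanging forms ([.] (.) [:] hxxp). Do this only
    inside a controlled TI platform or matching job, never for browsing."""
    s = indicator.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def defang(indicator: str) -> str:
    """Defang every dot and the scheme so the value cannot be auto-linked."""
    s = re.sub(r"^http", "hxxp", indicator, flags=re.IGNORECASE)
    return s.replace(".", "[.]")


def match_dns_log(lines, defanged_domains):
    """Return (queried_name, matched_ioc) pairs. A query matches an IoC when it
    equals it or is a subdomain of it; the most specific IoC wins, so
    onesignalmdb.modobomz.com reports itself rather than modobomz.com."""
    iocs = [refang(d).lower() for d in defanged_domains]
    hits = []
    for line in lines:
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        matched = [d for d in iocs if name == d or name.endswith("." + d)]
        if matched:
            hits.append((name, max(matched, key=len)))
    return hits


if __name__ == "__main__":
    for name, ioc in match_dns_log(SAMPLE_DNS_LOG, DEFANGED_DOMAINS):
        print(f"HIT {name} -> {defang(ioc)}")
```

Suffix matching with the leading dot is what keeps `modobomzx.com` from colliding with `modobomz.com`, and reporting the match as `defang(ioc)` keeps the refanged form from leaking into tickets or chat.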
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.