Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign
Executive Summary
zLabs has identified a sophisticated Android malware campaign conducting carrier billing fraud through premium SMS abuse across Malaysia, Thailand, Romania, and Croatia. The campaign comprises almost 250 malicious applications that selectively target users based on their mobile operator, silently subscribing victims to premium services without consent.
The malware demonstrates advanced evasion and automation capabilities, including:
- Precise regional targeting with hardcoded SIM operator validation
- Automated subscription workflows using WebView manipulation and JavaScript injection
- One-time password (OTP) interception via abuse of Google's SMS Retriever API
- Multi-platform distribution with fake apps impersonating Facebook, Instagram, TikTok, Minecraft, and Grand Theft Auto (GTA)
- Telegram-based exfiltration of device metadata and subscription confirmations
When deployed on devices with non-targeted operators, the malware employs a fallback mechanism to display benign content, thereby evading detection and maintaining persistence.
As shown in Figure 1, the campaign utilizes a wide array of impersonated app icons—ranging from popular games like Minecraft and GTA to social media platforms—to lure victims into installation.

Figure 1. Impersonation apps observed in this campaign
The Reach: Four Countries, Millions at Risk
The campaign demonstrates deliberate geographic and carrier-specific targeting with the threat actors hardcoding extensive lists of mobile operators across four countries.
Detailed distribution of these operators and geographic targets is shown in Figure 2.

Figure 2. Operator and Geographic Targeting Distribution
The campaign was first detected in March 2025 and remained active through the second week of January 2026, representing approximately 10 months of sustained fraudulent operations, as detailed in Figure 3:

Figure 3. Malware samples found over the period of time
As of publication, portions of the infrastructure remain operational.
To maximise infection rates, the threat actors disguised their malware as popular social media platforms and gaming applications. The fake apps impersonated widely recognised brands, including Facebook Messenger, Instagram Threads, TikTok, Minecraft, GTA, and other trending games and utilities.
Inside the Attack: Three Malware Variants Dissected
The zLabs team identified three distinct malware variants in this campaign, each showing a different level of sophistication in how it silently subscribes victims to premium services once the user has installed the malicious app masquerading as a trusted brand.
Variant 1: Automated Subscription Engine
This variant represents the most sophisticated approach, combining multiple deception techniques to complete premium service subscriptions entirely without user knowledge.
It first checks which mobile carrier the victim is using by reading the device's SIM operator information. It compares this against a hardcoded list of targeted operators in Malaysia, including DiGi, Celcom, Maxis, and U Mobile, as shown in Figure 4. If a match is found, the fraud workflow begins. If not, the app displays a harmless WebView of the apkafa[.]com webpage to avoid suspicion.

Figure 4. Hardcoded comparison of the SIM operators
For DiGi subscribers, the malware employs a particularly effective social engineering tactic. When carrier billing requires an OTP to confirm the subscription, the malware displays a fake dialog box in Malay that reads:

As seen in Figure 5, victims believe they're authenticating for a game account, when in reality they're authorizing a paid subscription.

Figure 5. Deceptive screen displaying and loading a hidden webview, requesting permission from the user on the next screen.
It also abuses Google's SMS Retriever API, a legitimate feature that lets an app receive a verification SMS addressed to it without holding the READ_SMS permission. Because the API exists precisely to avoid that permission, no SMS permission prompt is ever shown to the user. While Google intended it for legitimate authentication workflows, the threat actors weaponised it to intercept carrier billing confirmation codes without the user's awareness.
Behind the scenes, the malware loads hidden web pages pointing to DiGi's official carrier billing portal. The malware then uses JavaScript commands to perform the following automated actions (Figure 6):
- Click the "Request TAC" (OTP) button
- Fill in the intercepted OTP code
- Click the final "Confirm" button
This entire process completes within seconds, finishing the premium subscription without any visible interaction.

Figure 6. Code snippet responsible for doing the auto click mechanism
To ensure the fraud succeeds, the malware programmatically disables the device's Wi-Fi. This forces all traffic through the cellular network, which carrier billing portals rely on to identify the subscriber's account: over a mobile data session the portal can tie the request to the SIM, whereas over Wi-Fi the billing flow does not complete.
For Maxis subscribers, the malware uses a simpler approach: it sends premium SMS messages to short codes like +33293 (keyword: "ON HITZ") or +32133 (keyword: "ON GAM1"), randomly selecting between two different premium services to avoid detection patterns.
A similar approach is followed for U Mobile users. The malware sends "ON A3" to shortcode 32128.
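The Variant 1 capability set described above (SIM operator check, SMS Retriever registration, scripted clicks in a hidden WebView, Wi-Fi teardown, and premium SMS to a short code) is a useful static fingerprint when triaging decompiled APKs in bulk. The script below is an added example, not code from the campaign or from zLabs: it runs a handful of regexes over a jadx-style decompiled source blob and reports which capabilities co-occur. The sample source it scans is constructed for the example, and the operator literals "50200"/"50201" are placeholders rather than real MCC-MNC values.

```python
import re

# Constructed stand-in for jadx-style decompiled Java of a sample. It is NOT
# code from the campaign; it only reproduces the API calls the write-up
# attributes to Variant 1 so that the triage below has something to match.
# The operator codes "50200"/"50201" are placeholders, not real MCC-MNC values.
SAMPLE_DECOMPILED = r'''
String op = ((TelephonyManager) getSystemService("phone")).getSimOperator();
if (op.equals("50200") || op.equals("50201")) {
    startFraud();
} else {
    webView.loadUrl("https://apkafa[.]com/");
}
SmsRetriever.getClient(this).startSmsRetriever();
registerReceiver(otpReceiver, new IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION));
hiddenWeb.evaluateJavascript("document.getElementById('requestTac').click();", null);
hiddenWeb.evaluateJavascript("document.getElementById('tac').value='" + otp + "';", null);
hiddenWeb.evaluateJavascript("document.querySelector('button.confirm').click();", null);
((WifiManager) getSystemService("wifi")).setWifiEnabled(false);
SmsManager.getDefault().sendTextMessage("33293", null, "ON HITZ", null, null);
'''

# Capability -> regexes over decompiled source. Each capability alone is benign
# (2FA apps use SmsRetriever, many apps script a WebView); the combination is
# what fingerprints the automated subscription engine.
INDICATORS = {
    "sim_operator_check": [r"getSimOperator(?:Name)?\s*\(", r"getNetworkOperator\s*\("],
    "sms_retriever": [r"SmsRetriever\.getClient", r"SMS_RETRIEVED_ACTION"],
    "webview_js_automation": [r"evaluateJavascript\s*\(", r'loadUrl\s*\(\s*"javascript:'],
    "wifi_disable": [r"setWifiEnabled\s*\(\s*false\s*\)"],
    "sms_send": [r"send(?:Multipart)?TextMessage\s*\("],
}
# Hardcoded MCC-MNC-style literals compared with equals(), and the
# (destination, body) pairs handed to sendTextMessage().
OPERATOR_LITERAL_RE = re.compile(r'equals\(\s*"(\d{5,6})"\s*\)')
PREMIUM_SMS_RE = re.compile(r'sendTextMessage\(\s*"(\+?\d{4,7})"\s*,\s*\w+\s*,\s*"([^"]*)"')
FRAUD_ENGINE = {"sim_operator_check", "sms_retriever", "webview_js_automation"}


def triage(source: str) -> dict:
    """Return the capabilities, hardcoded operator literals, premium SMS
    destinations and an overall verdict for one decompiled source blob."""
    capabilities = {}
    for name, patterns in INDICATORS.items():
        matched = sorted({m.group(0) for p in patterns for m in re.finditer(p, source)})
        if matched:
            capabilities[name] = matched
    operator_codes = sorted(set(OPERATOR_LITERAL_RE.findall(source)))
    premium_sms = PREMIUM_SMS_RE.findall(source)
    found = set(capabilities)
    if FRAUD_ENGINE <= found or ("sms_send" in found and "sim_operator_check" in found):
        verdict = "carrier_billing_fraud_suspect"
    elif found:
        verdict = "review"
    else:
        verdict = "clean"
    return {"capabilities": capabilities, "operator_codes": operator_codes,
            "premium_sms": premium_sms, "verdict": verdict}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_DECOMPILED), indent=2))
```

Run it over the output directory of `jadx -d out sample.apk` by concatenating the `.java` files into one string; obfuscated samples keep the Android framework method names (they cannot be renamed), so these patterns survive ProGuard-style renaming of the app's own classes.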
Variant 2: Multi-Stage Subscription Engine with Cookie Theft
This variant specifically targets Thai users through a sophisticated multi-stage attack combining SMS fraud with browser hijacking.
Once the malware identifies a targeted Thai operator, it immediately sends premium SMS messages to several short codes, subscribing victims to multiple services within seconds of the SMS permission being granted.
Rather than using fixed targets, the malware contacts the attackers' server to fetch updated subscription instructions, as shown in Figure 7. This remote control capability allows threat actors to change targets without updating the app, test new services, and avoid detection.

Figure 7. Server response with dynamic subscription targets
To evade carrier fraud detection, the malware doesn't send all messages at once. Instead, it schedules delayed messages at 60 seconds and 90 seconds after the initial burst. This timing makes the activity appear less automated and harder to detect.
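The burst-then-delayed schedule described above is itself a detectable signature on the device side, provided outbound SMS events are logged with timestamps. The script below is an added example, not part of the original write-up: it groups short-code sends per device from a constructed event log and flags devices whose first sends are followed by further sends at roughly 60 and 90 seconds. The log format, device identifiers and timestamps are invented for the example; the short codes and keywords are the ones listed in the write-up's table.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed SMS-send event log (one line per outbound SMS, as a test device
# or an MDM/EDR agent might record it). Not real telemetry. The short codes and
# keywords are the Romanian and Malaysian ones listed in the write-up; the
# device identifiers, timestamps and the long subscriber number are invented.
SAMPLE_LOG = '''
2025-06-01T10:00:00Z device=d1 dest=4541545 body="MOGA"
2025-06-01T10:00:02Z device=d1 dest=+4541341 body="DA"
2025-06-01T10:00:03Z device=d1 dest=+4541753 body="CYGA"
2025-06-01T10:01:01Z device=d1 dest=+4541370 body="OK"
2025-06-01T10:01:31Z device=d1 dest=+4541587 body="FUVI"
2025-06-01T10:05:00Z device=d2 dest=+10000000000 body="running late"
2025-06-01T11:00:00Z device=d3 dest=32128 body="ON A3"
'''

LOG_RE = re.compile(r'^(\S+) device=(\S+) dest=(\S+) body="([^"]*)"$')
# Premium short codes are far shorter than an E.164 subscriber number.
SHORT_CODE_RE = re.compile(r'^\+?\d{4,7}$')


def detect(lines, burst_window=10, delays=(60, 90), tolerance=5):
    """Group short-code sends per device and flag the burst-then-delayed
    pattern: two or more sends within `burst_window` seconds of the first,
    followed by further sends at roughly `delays` seconds after it."""
    per_device = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, device, dest, body = m.groups()
        if SHORT_CODE_RE.match(dest):
            per_device[device].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), dest, body))

    findings = {}
    for device, events in per_device.items():
        events.sort()
        t0 = events[0][0]
        offsets = [int((t - t0).total_seconds()) for t, _, _ in events]
        burst = [o for o in offsets if o <= burst_window]
        delayed = [o for o in offsets if any(abs(o - d) <= tolerance for d in delays)]
        if len(burst) >= 2 and delayed:
            verdict = "scheduled_premium_sms_fraud"
        elif len(events) >= 2:
            verdict = "multiple_short_code_sends"
        else:
            verdict = "single_short_code_send"
        findings[device] = {
            "burst": len(burst),
            "delayed_offsets": delayed,
            "destinations": sorted({d for _, d, _ in events}),
            "keywords": sorted({b for _, _, b in events}),
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for device, f in detect(SAMPLE_LOG.splitlines()).items():
        print(device, f["verdict"], f["destinations"], f["keywords"])
```

A single send to a short code (device d3 above) is not flagged by the timing rule; match those destinations and keywords against the campaign's IOC list instead, since the Maxis and U Mobile paths send only one message.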
While the SMS fraud occurs silently, the app must keep the victim distracted. In the foreground, the victim sees a legitimate-looking webpage (such as the APKafe portal interface, as shown in Figure 5). However, while the user interacts with this visible webpage, the malware secretly loads hidden WebViews in the background to access additional carrier billing portals.

Figure 8. Hidden pages loaded in background
For TrueMove H users, the malware adds a cookie-stealing step. It disables Wi-Fi to force a cellular connection, then loads the carrier's billing page invisibly. As the hidden WebView loads these pages, the app's WebView cookie store naturally receives the portal's session cookies. The malware then reads them through Android's CookieManager API (the cookie store is shared by every WebView in the app, so the hidden page's session is available to the malware's own code) and can replay them to maintain an authenticated session with the carrier's billing system.
Throughout this process, the malware captures the HTML source of every page loaded in the background and sends it to the attackers' server, as shown in Figure 9. This allows them to monitor which techniques work and improve their attacks over time.

Figure 9. HTML Content exfiltrated to the attackers C2
To maintain the illusion of legitimacy, the visible webpage automatically clicks on random links and scrolls through content, mimicking normal browsing behaviour while the fraud happens invisibly.
Variant 3: Real-Time Telegram Reporting
This variant combines the SMS fraud capabilities of previous variants with instant notification to attackers via Telegram, giving them real-time visibility into successful infections.
Every time the malware completes a significant action, such as installation, gaining permissions, or sending a premium SMS, it immediately sends a report to a private Telegram channel controlled by the threat actors. Each report contains the device identifier, timestamp, fake app name, distribution source, mobile operator, and the specific action that occurred. Figure 10 shows the data exfiltrated by the malware.

Figure 10. Victim device data sent via Telegram Bot API
The Telegram integration provides several advantages for the attackers: instant notification when a new victim installs the malware, tracking of which distribution channels are most effective, and real-time visibility of any technical errors.
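Because the Bot API embeds the bot token in the request URL, the same reporting channel that gives the attackers real-time visibility is also easy to spot in egress proxy logs. The script below is an added example, not part of the write-up: it pulls Bot API calls out of a constructed proxy log, parses the posted form body, and rebuilds a per-device action timeline from the reported fields. The "Field: value" message layout, the bot token, the chat_id and the device id are all assumptions for the example; the campaign's actual report format is only shown in Figure 10.

```python
import re
from urllib.parse import parse_qs

# Constructed proxy log: "<time> <method> <url> <body-or-dash>". Not real
# traffic. The message layout ("Field: value" per line) is an assumption made
# for this example; the bot token, chat_id and device id are fake.
SAMPLE_PROXY_LOG = '''
2025-07-02T08:15:10Z POST https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage chat_id=-1001234567890&text=Device%3A+abc123%0AApp%3A+Minecraft%0ASource%3A+Minecraft-Romania-Google%0AOperator%3A+Orange%0AAction%3A+INSTALLED
2025-07-02T08:15:12Z GET https://www.example.com/ -
2025-07-02T08:15:40Z POST https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage chat_id=-1001234567890&text=Device%3A+abc123%0AApp%3A+Minecraft%0ASource%3A+Minecraft-Romania-Google%0AOperator%3A+Orange%0AAction%3A+SMS_SENT
'''

# Bot API URLs embed the bot token: https://api.telegram.org/bot<id>:<secret>/<method>
TELEGRAM_RE = re.compile(r'^https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)')


def extract_telegram_exfil(lines):
    """Return one finding per Bot API call seen in the log, with the posted
    message decoded into its fields and the token reduced to a fingerprint."""
    findings = []
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, method, url, body = parts
        m = TELEGRAM_RE.match(url)
        if not m:
            continue
        bot_id, secret, api_method = m.groups()
        # parse_qs undoes the form encoding: "+" -> space, %0A -> newline.
        params = parse_qs(body) if body != "-" else {}
        text = params.get("text", [""])[0]
        fields = dict(kv.split(": ", 1) for kv in text.split("\n") if ": " in kv)
        findings.append({
            "time": ts,
            "bot_id": bot_id,
            # Keep only a fingerprint: the full token lets anyone read the channel.
            "token_fingerprint": secret[:4] + "...",
            "api_method": api_method,
            "chat_id": params.get("chat_id", [""])[0],
            "fields": fields,
        })
    return findings


def timeline_by_device(findings):
    """Order the reported actions per victim device id."""
    timeline = {}
    for f in sorted(findings, key=lambda f: f["time"]):
        dev = f["fields"].get("Device")
        if dev:
            timeline.setdefault(dev, []).append(f["fields"].get("Action", "?"))
    return timeline


if __name__ == "__main__":
    found = extract_telegram_exfil(SAMPLE_PROXY_LOG.splitlines())
    print(timeline_by_device(found))
```

The bot_id and chat_id are stable across a campaign and make good pivot keys; the token itself should be handled as a credential (redact it in tickets) rather than copied around, since it grants the same channel access the attackers have.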
The Criminal Infrastructure: Command, Control, and Cash-Out
The threat actors operate a distributed infrastructure of domains serving different functions in the fraud workflow. The primary command and control servers handle subscription automation, victim tracking, and data exfiltration.
Primary C2 Domains:
- apizep.mwmze[.]com - Hosts DiGi carrier billing subscription pages
- modobomz[.]com - Central referrer tracking and campaign analytics
- api.modobomco[.]com - Alternative command and control endpoint
- onesignalmdb.modobomz[.]com - Victim tracking and referrer validation hub, also returns the shortcode and keyword to be sent from the device
- onesignal.mwmze[.]com - Device metadata and carrier billing HTML source exfiltration
The DiGi-specific subscription URLs follow a consistent pattern, redirecting victims through the attacker's infrastructure before landing on legitimate carrier billing portals:

These intermediate URLs allow the attackers to log each subscription attempt before the final carrier confirmation.
Premium SMS Destinations
Across all variants, zLabs identified at least 12 distinct premium SMS short codes being exploited by the campaign. The table below lists the destinations and associated keywords used to trigger paid subscriptions:

| Country | Short Codes | Keywords | Operators |
|---|---|---|---|
| Romania | +1280 (×3), 4541545, +4541341, +4541753, +4541370, +4541587, +4541162, +4541352, +4541544 | MOGA, DA, CYGA, OK, FUVI, BM, GET, CC, VGF, HIH, RTH | Vodafone, Orange, Telekom |
| Malaysia | +33293, +32133, 32128 | ON HITZ, ON GAM1, ON A3 | Maxis, U Mobile |
| Croatia | 866866 | GYGO | A1/VIP, Telemach, T-Mobile |
How They Track You: The Referrer System Exposed
One of the most revealing aspects of this operation is its referrer-tracking system. Each malicious sample embeds a custom HTTP referrer header that follows a strict naming convention:
Pattern: https://{FakeAppName}-{Country}-{Platform}-{OperatorCode}
This allows threat actors to precisely measure which distribution channels and fake app identities are most effective at generating successful infections.
Distribution by Platform:

| Platform | Sample Referrer Strings |
|---|---|
| TikTok | BlueLockBlazeBattle-Romania-Tiktok, FFBetaTesting-Thailand-Tiktok, REPO-Romania-Tiktok, WheelieChallenge-Romania-Tiktok, PojavLauncher-Romania-Tiktok |
| Facebook | FarmingSimulator25-Croatia-Facebook, UtoutoSuyasuya-Romania-Facebook, GTAV-Romania-Facebook, DeepSleep2-Thailand-Facebook |
| Google | BeamNGDrive-Romania-Google, CounterStrike2-Romania-Google, Minecraft-Romania-Google, Fortnite-Romania-Google |
This systematic approach indicates a well-organised operation with clear metrics tracking for campaign optimisation. Attackers can identify which social platforms and fake app personas yield the highest conversion rates.
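The same naming convention that lets the operators measure conversion lets a defender turn every logged referrer into campaign metadata. The parser below is an added example, not code from the write-up: it handles both the three-field form seen in the samples and the four-field form the pattern describes, disambiguating a hyphenated app name against the platforms and countries the write-up documents, and then tallies sightings per platform and country. The sample strings are the ones quoted in the table above plus one constructed four-field value whose operator code "OPC1" is a placeholder.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Values the write-up documents for this campaign; used to disambiguate the
# right-hand fields when the app name itself contains a hyphen.
KNOWN_PLATFORMS = {"tiktok", "facebook", "google"}
KNOWN_COUNTRIES = {"romania", "thailand", "croatia", "malaysia"}

# Referrer strings quoted in the write-up's table, plus one constructed
# four-field value ("OPC1" is a placeholder operator code, not a real one).
SAMPLE_REFERRERS = [
    "BlueLockBlazeBattle-Romania-Tiktok", "FFBetaTesting-Thailand-Tiktok",
    "REPO-Romania-Tiktok", "WheelieChallenge-Romania-Tiktok", "PojavLauncher-Romania-Tiktok",
    "FarmingSimulator25-Croatia-Facebook", "UtoutoSuyasuya-Romania-Facebook",
    "GTAV-Romania-Facebook", "DeepSleep2-Thailand-Facebook",
    "BeamNGDrive-Romania-Google", "CounterStrike2-Romania-Google",
    "Minecraft-Romania-Google", "Fortnite-Romania-Google",
    "https://GTAV-Romania-Facebook-OPC1",
]


@dataclass(frozen=True)
class Referrer:
    app: str
    country: str
    platform: str
    operator: Optional[str]


def parse_referrer(value: str) -> Optional[Referrer]:
    """Parse {FakeAppName}-{Country}-{Platform}[-{OperatorCode}], with or
    without the https:// prefix. Returns None for anything else (e.g. a real
    Referer header), so the function doubles as a detection rule."""
    s = re.sub(r"^https?://", "", value.strip()).rstrip("/")
    parts = s.split("-")
    # Four or more fields with platform/country in positions -2/-3: operator
    # code present, everything to the left belongs to the app name.
    if len(parts) >= 4 and parts[-2].lower() in KNOWN_PLATFORMS and parts[-3].lower() in KNOWN_COUNTRIES:
        return Referrer("-".join(parts[:-3]), parts[-3], parts[-2].lower(), parts[-1])
    # Otherwise the platform is the last field and there is no operator code.
    if len(parts) >= 3 and parts[-1].lower() in KNOWN_PLATFORMS and parts[-2].lower() in KNOWN_COUNTRIES:
        return Referrer("-".join(parts[:-2]), parts[-2], parts[-1].lower(), None)
    return None


def tally(values):
    """Count parsed referrers per (platform, country), i.e. the metric the
    operators themselves are optimising for."""
    counts = Counter()
    for v in values:
        r = parse_referrer(v)
        if r is not None:
            counts[(r.platform, r.country)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(tally(SAMPLE_REFERRERS).items()):
        print(key, n)
```

A referrer that parses is a high-confidence hit on its own: legitimate Referer values are URLs with a host and path, not a hyphen-joined tuple with no dot in it.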
Zimperium vs. The Billing Fraud Campaign
Zimperium's Mobile Threat Defense (MTD) and Mobile Runtime Protection (zDefend) protect customers from the malicious applications identified in this fraudulent operation through their advanced, on-device dynamic detection engine.
While traditional signature-based tools often struggle with the rapid iteration of samples seen between March 2025 and January 2026, Zimperium provides proactive defense against carrier billing fraud through its malware and fraud detection and its web content filtering, which blocks the malicious traffic.
By combining these detections, Zimperium ensures that these multi-stage subscription engines are blocked before they can send unauthorized premium SMS messages or extract session cookies.
MITRE ATT&CK Techniques
| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1476 | Deliver Malicious App via Other Means | Malicious applications distributed through social media platforms (Facebook, TikTok) and search engines (Google), masquerading as legitimate apps. |
| Execution | T1603 | Scheduled Task/Job | Executes scheduled SMS fraud tasks at specific intervals. |
| Defense Evasion | T1628.002 | Hide Artifacts: User Evasion | When a non-targeted operator is detected, displays legitimate content (APKafe.com) to avoid suspicion and prevent uninstallation. Maintains a benign appearance while conducting fraud. |
| Discovery | T1422 | System Network Configuration Discovery | Checks SIM operator codes (MCC-MNC) to identify the mobile carrier and determine whether the victim should be targeted for fraud. |
| Discovery | T1426 | System Information Discovery | Collects device metadata including device ID, model, operating system version, IP address, and user agent for tracking and analytics. |
| Collection | T1412 | Capture SMS Messages | Uses Google's SMS Retriever API to automatically capture SMS messages containing OTP codes for carrier billing confirmation. |
| Collection | T1417 | Input Capture | Captures HTML source code from loaded webpages and carrier billing portals, exfiltrating it to C2 servers for attack optimization. |
| Command and Control | T1437.001 | Application Layer Protocol: Web Protocols | Communicates with C2 servers via HTTPS to fetch dynamic subscription targets, report successful infections, and receive configuration updates. |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | Exfiltrates device metadata, HTML source code, subscription status, and tracking data. |
| Impact | T1643 | Carrier Billing Fraud | Subscribes victims to premium SMS services without consent through automated WebView manipulation, JavaScript injection, OTP interception, and direct SMS sending. |
| Impact | T1582 | SMS Control | Sends unauthorized premium SMS messages to short codes, programmatically disables Wi-Fi to force cellular connectivity, and schedules delayed SMS for multi-stage fraud. |
Indicators of Compromise
The lists of IOCs can be found in the following GitHub repository.