A 10-month Android malware campaign has used nearly 250 fake apps to sign victims up to premium services on their mobile bills, with hardcoded operator targeting for users in Malaysia, Thailand, Romania and Croatia.
According to new analysis from Zimperium’s zLabs research team, the operation, dubbed Premium Deception by the mobile security company, ran from March 2025 to mid-January 2026. Portions of the infrastructure remain online at the time of publication.
The fake apps impersonate widely recognized brands, including Facebook Messenger, Instagram Threads, TikTok, Minecraft and Grand Theft Auto.
Three Variants, One Goal
zLabs identified three malware variants of escalating sophistication. The most advanced, deployed against Malaysian DiGi subscribers, automated the entire subscription workflow end to end.
After reading the device’s SIM operator code and matching it against a hardcoded list, the malware disables Wi-Fi to force traffic onto the cellular network, loads DiGi’s official billing portal in a hidden WebView and runs JavaScript to click the “Request TAC” button, fill in the intercepted one-time password (OTP) and confirm the subscription.
The OTP itself is captured through abuse of Google’s SMS Retriever API, a legitimate Android feature that lets an app read confirmation codes addressed to it automatically, without holding the SMS permission or prompting the user.
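As an added illustration (not code from the article or from zLabs), the Python triage heuristic below scores strings pulled from a decompiled APK against the steps just described: a SIM operator read, a Wi-Fi disable, a JavaScript-enabled WebView, an SMS Retriever receiver, and hardcoded operator codes for the four targeted countries. The sample strings are constructed. The MCC values are the ITU allocations (Malaysia 502, Thailand 520, Romania 226, Croatia 219) and the code 50216 is assumed here to be a Malaysian operator code; the article states neither.

```python
import re

# ITU mobile country codes for the four countries named in the article.
# These values are an assumption of this example; the article lists none.
TARGET_MCCS = {"502": "Malaysia", "520": "Thailand", "226": "Romania", "219": "Croatia"}

# Real Android / Play Services identifiers that a decompiled sample would expose
# for each step of the workflow described above.
INDICATORS = {
    "sim_operator_read": ("getSimOperator", "getNetworkOperator"),
    "wifi_disable": ("setWifiEnabled",),
    "hidden_webview_js": ("setJavaScriptEnabled", "evaluateJavascript", "loadUrl"),
    "sms_retriever": ("SmsRetriever", "com.google.android.gms.auth.api.phone.SMS_RETRIEVED"),
}

# getSimOperator() returns MCC+MNC as a 5- or 6-digit string, e.g. "50216".
MCCMNC_RE = re.compile(r"(?<!\d)(\d{3})(\d{2,3})(?!\d)")


def find_target_operator_codes(strings):
    """Return the MCC+MNC strings whose MCC belongs to a targeted country."""
    hits = set()
    for s in strings:
        for m in MCCMNC_RE.finditer(s):
            mcc, mnc = m.group(1), m.group(2)
            if mcc in TARGET_MCCS:
                hits.add(mcc + mnc)
    return hits


def triage(strings):
    """Return (verdict, matched_indicators) for a list of extracted strings."""
    matched = {}
    for name, needles in INDICATORS.items():
        found = sorted({n for n in needles for s in strings if n in s})
        if found:
            matched[name] = found
    codes = find_target_operator_codes(strings)
    if codes:
        matched["hardcoded_target_operators"] = sorted(codes)
    # The full chain needs operator targeting, a JS-driven WebView and OTP capture.
    # Any one of these alone is ordinary app behaviour, so require all three plus
    # at least one hardcoded operator code before calling the sample suspicious.
    core = {"sim_operator_read", "hidden_webview_js", "sms_retriever"}
    verdict = "suspicious" if core.issubset(matched) and codes else "benign-looking"
    return verdict, matched


# Constructed sample: smali-style references and literals a sample might contain.
SAMPLE_STRINGS = [
    "Landroid/telephony/TelephonyManager;->getSimOperator()Ljava/lang/String;",
    "Landroid/net/wifi/WifiManager;->setWifiEnabled(Z)Z",
    "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V",
    "document.querySelector('button.request-tac').click()",
    "com.google.android.gms.auth.api.phone.SMS_RETRIEVED",
    "50216",  # assumed Malaysian MCC+MNC; constructed for this example
    "apkafa.com",
]

if __name__ == "__main__":
    verdict, matched = triage(SAMPLE_STRINGS)
    print(verdict)
    for k, v in matched.items():
        print(f"  {k}: {v}")
```

Run against the constructed sample this prints `suspicious` with all five indicator groups listed; a string set containing only the WebView calls stays `benign-looking`, which is the point of requiring the combination rather than any single API.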
A second variant targeted Thai users with a multi-stage attack that fetched dynamic subscription targets from a command-and-control (C2) server, scheduled delayed SMS at 60- and 90-second intervals to defeat automated fraud detection and harvested session cookies from hidden carrier billing pages.
A third variant added real-time Telegram reporting, with the bot pinging attackers whenever a device was infected, permissions were granted or a premium SMS was sent.
Built For Optimization
The campaign infrastructure points to a well-organized commercial operation. Each malicious sample embeds an HTTP Referer header in the format {FakeAppName}-{Country}-{Platform}-{OperatorCode}, allowing attackers to measure which fake personas and distribution channels (TikTok, Facebook, Google) drive the most successful infections.
When deployed on a device whose SIM operator falls outside the target list, the malware falls back to displaying a benign WebView of apkafa[.]com to avoid suspicion and maintain persistence, an evasion pattern Zimperium maps to MITRE ATT&CK technique T1628.001.
zLabs identified at least 12 premium SMS short codes being abused across the four targeted countries, alongside C2 infrastructure spanning the modobomz[.]com and mwmze[.]com domains.
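The Referer telemetry format and the C2 domains above give a defender two cheap hunting hooks in proxy or DNS logs. The following Python hunter is an added example, not tooling from Zimperium or the article: it parses the `{FakeAppName}-{Country}-{Platform}-{OperatorCode}` value out of each request, flags contact with the two C2 domains (and, at low confidence, the decoy site), and cross-checks the operator code's MCC against the country field. The log format and every log line are constructed; the assumption that `{Country}` is an ISO 3166 alpha-2 code and the MCC-to-country table (ITU allocations) are this example's, not the article's.

```python
import re
from dataclasses import dataclass

# Domains named in the article, kept defanged and refanged only for matching.
C2_DOMAINS = {d.replace("[.]", ".") for d in ("modobomz[.]com", "mwmze[.]com")}
DECOY_DOMAIN = "apkafa[.]com".replace("[.]", ".")

# MCC -> ISO 3166 alpha-2 for the four targeted countries (ITU allocation; an
# assumption of this example, the article gives no numeric codes).
MCC_TO_COUNTRY = {"502": "MY", "520": "TH", "226": "RO", "219": "HR"}

# Constructed log format: <timestamp> <client> <method> <host> <path> "<referer>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


@dataclass
class Telemetry:
    fake_app: str
    country: str
    platform: str
    operator_code: str


def parse_referer(value):
    """Return Telemetry if value has the {FakeAppName}-{Country}-{Platform}-{OperatorCode}
    shape, else None. Split from the right so app names containing '-' or spaces survive."""
    parts = value.rsplit("-", 3)
    if len(parts) != 4:
        return None
    name, country, platform, code = parts
    if not (name and country.isalpha() and platform.isalpha() and re.fullmatch(r"\d{5,6}", code)):
        return None
    return Telemetry(name, country.upper(), platform, code)


def hunt(lines):
    """Return (timestamp, client, host, reasons, telemetry) for every suspicious line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, host, _path, referer = m.groups()
        host = host.lower()
        reasons = []
        if host in C2_DOMAINS:
            reasons.append("c2-domain")
        if host == DECOY_DOMAIN:
            reasons.append("decoy-domain")  # low confidence on its own
        tel = parse_referer(referer)
        if tel:
            reasons.append("telemetry-referer")
            expected = MCC_TO_COUNTRY.get(tel.operator_code[:3])
            # Only meaningful if the country field really is an alpha-2 code (assumed).
            if expected and len(tel.country) == 2 and expected != tel.country:
                reasons.append("country/operator mismatch")
        if reasons:
            findings.append((ts, client, host, reasons, tel))
    return findings


# Constructed sample log; operator codes are illustrative, not real subscriber data.
SAMPLE_LOG = [
    '2025-11-03T10:12:01Z 10.0.0.5 GET modobomz.com /api/sub "Messenger-MY-TikTok-50216"',
    '2025-11-03T10:12:05Z 10.0.0.7 GET cdn.example.net /img/a.png "https://www.example.net/"',
    '2025-11-03T10:13:40Z 10.0.0.9 GET mwmze.com /ping "Grand Theft Auto-RO-Facebook-52001"',
    '2025-11-03T10:14:02Z 10.0.0.5 GET apkafa.com / ""',
]

if __name__ == "__main__":
    for ts, client, host, reasons, tel in hunt(SAMPLE_LOG):
        print(ts, client, host, ", ".join(reasons), tel)
```

The mismatch check is what makes the Referer field useful beyond a simple domain match: a Thai operator code paired with a Romanian country tag either means the telemetry format differs from the assumption here or that the sample was mis-tagged, and both are worth a look.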
To defend against this and similar threats, users should avoid sideloading Android apps from third-party stores, verify that any app carrying a well-known brand name was installed from the official store under the publisher’s real package name, and review recent mobile bills for unexplained subscription charges.
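For anyone checking a handset rather than a log, the audit step can be scripted. The Python below is an added example (not from the article): it reads the output of `adb shell pm list packages -3 -i`, which lists third-party packages with the store that installed them, and flags packages that were not installed by Google Play or whose name contains an impersonated brand without being that brand's official package. The sample output is constructed, and the official package names for the five impersonated apps are this example's assumptions about the publishers' Play Store identifiers.

```python
import re

# Assumed official Play Store package names for the brands named in the article.
OFFICIAL = {
    "messenger": "com.facebook.orca",
    "threads": "com.instagram.barcelona",
    "tiktok": "com.zhiliaoapp.musically",
    "minecraft": "com.mojang.minecraftpe",
    "gta": "com.rockstargames.gtasa",
}

# Google Play's package name; add the OEM store here if the device has one.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -3 -i` output: "package:<name>  installer=<installer>"
PM_LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def audit(pm_output):
    """Return [(package, [reasons])] for packages that look sideloaded or brand lookalikes."""
    findings = []
    for line in pm_output.splitlines():
        m = PM_LINE_RE.match(line.strip())
        if not m:
            continue
        pkg, installer = m.groups()
        reasons = []
        if installer not in TRUSTED_INSTALLERS:
            reasons.append(f"sideloaded (installer={installer})")
        low = pkg.lower()
        for brand, official in OFFICIAL.items():
            # A brand token in a package name that is not the official package is
            # exactly the impersonation pattern the campaign relies on.
            if brand in low and pkg != official:
                reasons.append(f"lookalike of {official}")
        if reasons:
            findings.append((pkg, reasons))
    return findings


# Constructed sample of `adb shell pm list packages -3 -i` output.
SAMPLE_PM_OUTPUT = """\
package:com.facebook.orca  installer=com.android.vending
package:com.tiktok.free.premium  installer=null
package:com.mojang.minecraftpe  installer=com.android.vending
package:org.example.notes  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, reasons in audit(SAMPLE_PM_OUTPUT):
        print(pkg, "->", "; ".join(reasons))
```

The `-3` filter matters: preloaded system apps report `installer=null` and would otherwise all show up as sideloaded. The brand-token check is deliberately loose (a package name containing `gta` is only flagged when it is not the official one), so treat its output as a shortlist to inspect, not a verdict.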
