Sophisticated Android Malware Campaign Weaponizes Carrier Billing for Large-Scale Fraud
A highly coordinated malware campaign is currently targeting Android users, executing a stealthy operation designed to enroll victims in unauthorized premium mobile services. This campaign specifically leverages carrier billing fraud, abusing premium SMS protocols to siphon funds directly from users’ mobile accounts.
What distinguishes this threat from common adware is its surgical precision. The malware employs a sophisticated filtering mechanism: it checks the victim’s SIM card against a hardcoded list of targeted mobile operators. If a match is found, the malware initiates fraudulent subscription workflows; if the operator is not on the list, the app behaves benignly, loading harmless content to evade detection by security researchers and automated sandboxes.
To facilitate mass infection, attackers have utilized social engineering by disguising malicious payloads as high-traffic applications. Users are lured into installing fake versions of popular platforms, including TikTok, Instagram, and Facebook, as well as trending games like Minecraft and Grand Theft Auto.
Technical analysis conducted by zLabs has identified several advanced exploitation techniques used to automate this fraud:
- SIM-Based Precision Targeting: Uses hardcoded operator lists to ensure only high-value victims are targeted.
- WebView Manipulation: Employs JavaScript injection within WebViews to automate the interaction with carrier billing landing pages.
- OTP Interception: Abuses the legitimate Google SMS Retriever API to intercept One-Time Passwords (OTPs) without user intervention.
- Network Manipulation: Forces the disabling of Wi-Fi to mandate that billing transactions occur over cellular data, ensuring the carrier billing logic is triggered.
- Telegram C2 Exfiltration: Utilizes Telegram bot APIs to exfiltrate sensitive device metadata and real-time fraud logs.
The campaign encompasses nearly 250 unique malicious applications and has been active across Malaysia, Thailand, Romania, and Croatia since March 2025.

Evolution of the Malware Variants
Researchers have categorized the campaign into three distinct evolutionary stages, each increasing in technical complexity:
Variant 1: The Automated Engine. This version functions as a fully autonomous subscription bot. Once the carrier is verified, it loads hidden billing pages. Through injected JavaScript, it performs “click-jacking” actions—automatically clicking buttons, requesting OTPs, and submitting them to finalize subscriptions. These actions are often masked behind fake “game verification” prompts to deceive the user.
Version 2: The Multi-Stage Persistent Threat. Specifically targeting users in Thailand, this variant introduces staggered SMS delivery to avoid triggering carrier fraud detection algorithms. Furthermore, it utilizes the Android CookieManager to steal session cookies, allowing attackers to hijack authenticated web sessions and increase the success rate of fraudulent transactions.

Variant 3: The Real-Time Monitor. The most advanced iteration integrates real-time telemetry via Telegram. Every event—including new infections, permission grants, or successful SMS transactions—is instantly reported to attacker-controlled channels, providing them with live device metadata and timestamps.
Infrastructure and Command & Control (C2)
The campaign relies on a distributed C2 infrastructure to manage its operations. Identified malicious domains include:
apizep.mwmze[.]commodobomz[.]comapi.modobomco[.]com
These servers facilitate subscription automation and victim tracking. Interestingly, the attackers employ a sophisticated referrer tracking system. Each infection carries a unique identifier detailing the fake app name, country, platform, and carrier. This telemetry allows the attackers to perform A/B testing on their distribution channels (e.g., determining if TikTok or Facebook yields a higher conversion rate), enabling continuous optimization of their social engineering tactics.

Mitigation and Defense
Zimperium notes that its Mobile Threat Defense (MTD) solutions utilize on-device behavioral analysis to detect these threats. Unlike traditional signature-based antivirus, behavioral analysis can identify the suspicious pattern of unauthorized SMS activity and API abuse even when the malware evolves.
Recommendations for Users:
- Only download applications from official stores like the Google Play Store.
- Audit app permissions regularly; be wary of apps requesting SMS or accessibility permissions.
- Closely monitor mobile carrier statements for unexpected “Premium Service” charges.
Recommendations for Organizations:
Deploy advanced mobile threat defense solutions capable of real-time behavioral detection to protect corporate assets from sophisticated fraud and data exfiltration campaigns.