Android Malware Spotted Subscribing Victims to Paid Services Without Consent

https://hackread.com/android-malware-subscribe-services-without-consent/

Publish Date: 2026-05-21 07:41:00

Source Domain: hackread.com

A global mobile billing fraud campaign has been targeting Android users by silently subscribing them to expensive premium text services. Zimperium zLabs, which reported this campaign, has identified around 250 malicious applications involved in this operation.

These apps are built for carrier billing fraud through premium SMS abuse. The campaign has been active for nearly ten months: the first sample was detected in March 2025 and the most recent in the second week of January 2026.

Precise Operator Validation and Brand Lures

One of the campaign’s more notable features was its operator-level targeting. Researchers found that the malware specifically focused on mobile carriers across four countries:

  1. Thailand (including TrueMove H)
  2. Croatia (A1/VIP, Telemach, T-Mobile)
  3. Romania (Vodafone, Orange, Telekom)
  4. Malaysia (DiGi, Celcom, Maxis, U Mobile)

Before launching the fraud workflow, the malicious apps checked the infected device's SIM card to identify the user's mobile network operator. The malware activated only on the targeted carrier networks, which limited its exposure on devices where the billing flow could not be triggered.

For distribution, the attackers relied on a multi-platform strategy built around social engineering lures. They created fake applications impersonating widely recognized brands, including Facebook Messenger, Instagram Threads, TikTok, Minecraft, and Grand Theft Auto (GTA).

If the malware was installed on a device on a non-targeted network, a fallback mechanism displayed a benign WebView of apkafa.com to reduce suspicion and evade detection.

Brands Impersonated by Malicious Apps (Source: Zimperium)

Automated Workflows and Security Bypasses

When a matched operator was found, the malware initiated automated workflows to force premium subscriptions. The software programmatically disabled Wi-Fi to force data traffic through cellular paths required for billing authentication.
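The operator check, the apkafa.com decoy and the Wi-Fi kill described above are the kind of indicators an analyst looks for when triaging a suspected billing-fraud APK. The following is an added example written for this page, not Zimperium's tooling and not code from the campaign: a static triage heuristic that scans text from a decompiled APK (manifest permissions plus smali-style method references and string constants) for that combination of behaviours. The MCC+MNC carrier codes and the two sample dumps are constructed for illustration and are assumptions; verify the codes against a current registry before using them operationally.

```python
"""Static triage heuristic for premium-SMS carrier-billing-fraud APKs.

Given text pulled from a decompiled APK (the manifest plus smali/Java
method references and string constants), score the combination of
behaviours described in the article: SMS permissions, SIM-operator
gating, a Wi-Fi kill that forces traffic onto the cellular link, a
hard-coded list of targeted MCC+MNC codes, and the apkafa.com decoy.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: illustrative MCC+MNC codes for the carriers the article names.
# Verify against a current MCC/MNC registry before relying on them.
TARGET_MCCMNC = {
    "52004": "TrueMove H (Thailand)",
    "21901": "T-Mobile / HT (Croatia)",
    "21902": "Telemach (Croatia)",
    "21910": "A1 / VIP (Croatia)",
    "22601": "Vodafone (Romania)",
    "22603": "Telekom (Romania)",
    "22610": "Orange (Romania)",
    "50212": "Maxis (Malaysia)",
    "50216": "DiGi (Malaysia)",
    "50218": "U Mobile (Malaysia)",
    "50219": "Celcom (Malaysia)",
}

# Regexes over the decompiled text. The "Class;->method" form is what
# apktool/baksmali emit; the permission strings come from the manifest.
INDICATORS = {
    "sms_capability": re.compile(r"android\.permission\.(SEND_SMS|RECEIVE_SMS|READ_SMS)"),
    "operator_gating": re.compile(r"TelephonyManager;->get(Sim|Network)Operator\b"),
    "wifi_kill": re.compile(r"WifiManager;->setWifiEnabled\b"),
    "decoy_webview": re.compile(r"\bapkafa\.com\b"),
}


@dataclass
class TriageResult:
    indicators: dict   # indicator name -> present?
    carriers: list     # names of targeted carriers whose codes are hard-coded
    verdict: str


def triage(decompiled: str) -> TriageResult:
    """Score one decompiled APK dump and return the matched indicators."""
    hits = {name: bool(rx.search(decompiled)) for name, rx in INDICATORS.items()}
    # Five-digit string literals that match a targeted carrier code.
    literals = set(re.findall(r'"(\d{5})"', decompiled))
    codes = sorted(literals & set(TARGET_MCCMNC))
    carriers = [TARGET_MCCMNC[c] for c in codes]
    # SMS capability gated on the SIM operator is the core of the fraud
    # workflow; carrier codes or a Wi-Fi kill make the intent unambiguous.
    if hits["sms_capability"] and hits["operator_gating"] and (carriers or hits["wifi_kill"]):
        verdict = "likely premium-SMS billing fraud"
    elif hits["sms_capability"] and (hits["operator_gating"] or hits["wifi_kill"]):
        verdict = "suspicious: SMS plus operator/network manipulation"
    else:
        verdict = "no billing-fraud pattern"
    return TriageResult(hits, carriers, verdict)


# Constructed sample dumps for this example (not real samples from the campaign).
SAMPLE_FRAUD_APK = '''
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getSimOperator()Ljava/lang/String;
const-string v2, "50216"
const-string v3, "52004"
invoke-virtual {v4, v5}, Landroid/net/wifi/WifiManager;->setWifiEnabled(Z)Z
const-string v6, "https://apkafa.com/"
'''

# A legitimate SMS client: sends SMS but has no operator gating or Wi-Fi kill.
SAMPLE_MESSENGER_APK = '''
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.INTERNET"/>
invoke-virtual {v0}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
const-string v1, "12345"
'''

if __name__ == "__main__":
    for label, dump in (("fraud", SAMPLE_FRAUD_APK), ("messenger", SAMPLE_MESSENGER_APK)):
        r = triage(dump)
        print(label, r.verdict, r.carriers, [k for k, v in r.indicators.items() if v])
```

The point of combining indicators is that SMS permission alone is normal for a messaging app; it is the SIM operator check plus hard-coded carrier codes, or the Wi-Fi kill, that distinguishes the billing-fraud pattern. The Wi-Fi indicator is weaker on modern devices: WifiManager.setWifiEnabled is deprecated since Android 10 and always fails for apps targeting API 29 or later, so a low targetSdkVersion in the manifest is worth checking alongside it.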

For DiGi users, it loaded…
