New Android malware secretly drains cash from phone bills
https://geekspin.co/new-android-malware-secretly-drains-cash-from-phone-bills/
Publish Date: 2026-05-23 09:01:00
Source Domain: geekspin.co
A new Android malware campaign is secretly signing users up for premium subscriptions and charging them directly to their phone bills.
According to security researchers, around 250 malicious Android apps have been part of a global fraud campaign running for nearly a year.
Instead of showing obvious pop-ups or alerts, these apps quietly subscribe users to premium SMS services, the kind that charge small amounts repeatedly through a target’s mobile carrier.
No warnings or noticeable confirmation. Extra charges just show up later.
These apps look completely normal
Instead of using shady-looking apps, the attackers copied familiar ones. The apps are disguised as popular brands people already trust, including Facebook Messenger, Instagram Threads, TikTok, Grand Theft Auto, and Minecraft.
So from the outside, everything looks normal, and an unsuspecting person can download one thinking it’s legit.
Even after one of these apps is installed, it can take a while to be detected, because it only activates when it knows it can charge you. That is one of the more calculated parts of this attack. The malware checks your SIM card first. If your mobile network matches specific carriers, it activates. If not, it shows something harmless so it doesn’t get flagged.
How it actually drains money
Once active, the malware runs everything in the background. It can turn off your Wi-Fi to force mobile data usage, open hidden web pages, and click subscription buttons automatically. It can also intercept verification codes and confirm subscriptions without you seeing anything.
Even one-time passwords (OTPs) get captured automatically using built-in Android features. So from the system’s perspective, everything looks legit. You “confirmed” the subscription. Except you didn’t.
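For anyone reviewing the apps on a managed phone, the traits described above (a trusted brand name on an unofficial package, plus the ability to read the SIM, switch Wi-Fi and read incoming SMS) can be turned into a simple triage check. The sketch below is an added example, not code from the researchers or the article; the permission mapping, the list of official package IDs and the sample inventory are assumptions made for illustration.

```python
# Assumption (not from the article): behaviour-to-permission mapping.
BEHAVIOUR_PERMS = {
    "sim_check": {"android.permission.READ_PHONE_STATE"},
    "wifi_toggle": {"android.permission.CHANGE_WIFI_STATE"},
    "sms_otp_read": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
}

# Assumption: official package IDs for some impersonated brands (incomplete).
OFFICIAL_PACKAGES = {
    "messenger": {"com.facebook.orca"},
    "tiktok": {"com.zhiliaoapp.musically", "com.ss.android.ugc.trill"},
    "minecraft": {"com.mojang.minecraftpe"},
}

def matched_behaviours(permissions):
    """Return the described behaviours an app's permissions would allow."""
    held = set(permissions)
    return sorted(b for b, perms in BEHAVIOUR_PERMS.items() if held & perms)

def impersonated_brand(label, package):
    """Return the brand a label claims when the package is not official."""
    for brand, packages in OFFICIAL_PACKAGES.items():
        if brand in label.lower() and package not in packages:
            return brand
    return None

def triage(inventory):
    """Flag brand look-alikes and apps holding every permission group."""
    findings = []
    for app in inventory:
        behaviours = matched_behaviours(app["permissions"])
        brand = impersonated_brand(app["label"], app["package"])
        if brand or len(behaviours) == len(BEHAVIOUR_PERMS):
            findings.append({"package": app["package"], "brand": brand,
                             "behaviours": behaviours})
    return findings

# Constructed sample inventory (hypothetical packages, not real indicators).
SAMPLE_INVENTORY = [
    {"label": "Messenger", "package": "com.facebook.orca",
     "permissions": ["android.permission.READ_PHONE_STATE"]},
    {"label": "Minecraft Free", "package": "com.example.blockgame",
     "permissions": ["android.permission.READ_PHONE_STATE",
                     "android.permission.CHANGE_WIFI_STATE",
                     "android.permission.RECEIVE_SMS"]},
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

A hit is a reason to look closer, not proof of infection: legitimate apps also request these permissions, so the brand-versus-package mismatch is the stronger signal.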
This is a full operation
Researchers say this campaign has been running for 10 months, with structured systems behind it. There are multiple malware variants doing different things. One fully automates…