
Android Malware Exploits Fake Apps for Mass Billing Scam

Extensive Malware Campaign Exploits Android Users in Multiple Countries

A malware campaign running for roughly ten months has targeted Android users through nearly 250 deceptive applications. Its goal is straightforward: trick victims into subscribing to premium services that then show up as unexpected charges on their mobile bills. The campaign concentrates on users in Malaysia, Thailand, Romania, and Croatia, which points to a deliberate regional focus rather than indiscriminate distribution.

According to an analysis by Zimperium’s zLabs research team, the operation, which the mobile security firm has dubbed “Premium Deception,” ran from March 2025 to mid-January 2026. At the time of the report, significant parts of the malware infrastructure were still active, so the threat to users in these markets has not ended.

The malware is particularly insidious as it masquerades as applications from widely recognized brands, including popular platforms such as Facebook Messenger, Instagram Threads, TikTok, Minecraft, and Grand Theft Auto. By imitating familiar and trusted applications, the campaign successfully lowers the guard of potential victims, increasing the probability of installation and, ultimately, exploitation.

Three Variants with Escalating Complexity

The zLabs analysis identified three distinct variants, each more sophisticated than the last. The most advanced variant specifically targets subscribers of the Malaysian carrier DiGi and automates the entire subscription process. It begins by reading the SIM’s operator code (the MCC+MNC value Android reports for the SIM) and comparing it against a hardcoded list to confirm the device is on a targeted carrier.

Once the target is confirmed, the malware disables Wi-Fi so that all traffic goes over the cellular connection, which is what allows a carrier’s direct-billing portal to identify the subscriber line without any login. It then loads DiGi’s official billing portal in a hidden WebView and injects JavaScript to drive the page: clicking the "Request TAC" button, entering the intercepted one-time password (OTP, called a TAC in Malaysia), and completing the subscription.

The OTP harvesting technique is the alarming part. The malware uses Google’s SMS Retriever API, a legitimate Android feature that lets an app receive a verification SMS without requesting the READ_SMS or RECEIVE_SMS permission. Because no SMS permission is declared in the manifest or prompted for at runtime, a permission review of the app gives no hint that it reads incoming codes.

A different variant found in Thailand used a multi-stage approach. It fetched its subscription targets dynamically from a command-and-control (C2) server and sent a series of SMS messages on fixed timers, at 60- and 90-second intervals, to stay under the thresholds of automated fraud detection. It also harvested session cookies from hidden carrier billing pages, so it could reuse an already-authenticated billing session rather than re-authenticating for each subscription.

The third variant added real-time reporting through a Telegram bot, notifying the operators whenever a device was infected, permissions were granted, or a premium SMS was sent. This gives the operators per-device telemetry on how far each infection has progressed and which step, if any, is failing.
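The behaviours described for the three variants above translate directly into strings an analyst would look for in a decompiled APK. The following triage helper is an added example, not code from the Zimperium report: it scores a list of strings (as pulled from classes.dex and the decoded manifest) against those behaviours. The indicator weights, the verdict thresholds, and the sample strings (including the operator-code-like token 50299) are all constructed assumptions for illustration.

```python
import re

# Each entry maps a behaviour described for the Premium Deception variants to
# the Android API or permission strings expected in decompiled classes.dex /
# AndroidManifest.xml. Weights are an assumption used only for ranking.
INDICATORS = {
    "sim_operator_check": (r"getSimOperator|getNetworkOperator", 2),
    "wifi_disable":       (r"setWifiEnabled", 2),
    "js_driven_webview":  (r"evaluateJavascript|addJavascriptInterface|loadUrl\(\"javascript:", 2),
    "sms_retriever_api":  (r"SmsRetriever(Client)?|startSmsRetriever", 3),
    "send_sms":           (r"android\.permission\.SEND_SMS|sendTextMessage", 2),
    "telegram_bot_c2":    (r"api\.telegram\.org/bot", 3),
    # Assumption: operator codes are stored as MCC+MNC; 502/520/226/219 are the
    # MCCs of Malaysia, Thailand, Romania and Croatia.
    "target_mcc_mnc":     (r"\b(?:502|520|226|219)\d{2,3}\b", 1),
}


def triage(strings):
    """Score strings extracted from an APK against INDICATORS.

    Returns {"matched": [...], "score": int, "verdict": str}. Any single
    indicator is benign on its own (messaging apps send SMS, many apps use
    SmsRetriever for sign-in codes); the combination is what matters.
    """
    blob = "\n".join(strings)
    matched = [name for name, (pattern, _) in INDICATORS.items()
               if re.search(pattern, blob)]
    score = sum(INDICATORS[name][1] for name in matched)
    if score >= 8:
        verdict = "likely toll-fraud (premium SMS / carrier billing)"
    elif score >= 4:
        verdict = "review manually"
    else:
        verdict = "no toll-fraud indicators"
    return {"matched": matched, "score": score, "verdict": verdict}


# Constructed sample of what `strings classes.dex` plus the decoded manifest
# might contain for a sample like the DiGi variant. Not real artefacts.
SUSPICIOUS_STRINGS = [
    "Landroid/telephony/TelephonyManager;->getSimOperator()Ljava/lang/String;",
    "50299",  # constructed MCC+MNC-style token, not a real operator code
    "Landroid/net/wifi/WifiManager;->setWifiEnabled(Z)Z",
    "Landroid/webkit/WebView;->evaluateJavascript(Ljava/lang/String;Landroid/webkit/ValueCallback;)V",
    "Lcom/google/android/gms/auth/api/phone/SmsRetrieverClient;",
    "android.permission.SEND_SMS",
    "https://api.telegram.org/bot<token>/sendMessage",
]

# Constructed sample for a harmless app that only shows a web page.
BENIGN_STRINGS = [
    "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V",
    "android.permission.INTERNET",
    "https://example.com/privacy",
]

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_STRINGS), ("benign", BENIGN_STRINGS)):
        print(label, triage(sample))
```

The point of the weighting is that SmsRetriever or SEND_SMS alone only earns a manual review, while the full chain (SIM check, Wi-Fi off, scripted WebView, silent OTP read, premium SMS, Telegram reporting) scores well above the threshold.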

Evidence of an Organized Operation

The infrastructure behind the campaign points to a coordinated commercial operation rather than a lone actor. Every analyzed application sent an HTTP Referer header formatted as {FakeAppName}-{Country}-{Platform}-{OperatorCode}. This tagging lets the operators measure which fake personas and which distribution channels (TikTok, Facebook, or Google) produce the most installs, much like an affiliate tracking scheme.

On devices whose SIM operator is not on the target list, the malware instead loads a benign web page (apkafa.com), so the device owner sees nothing suspicious while the app remains installed.

Zimperium’s investigation found at least 12 premium SMS short codes abused across the targeted countries, along with command-and-control infrastructure tied to domains such as modobomz[.]com and mwmze[.]com.
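The Referer tagging scheme and the domains above are exactly what a SOC can pivot on in egress proxy logs. The script below is an added example, not code from Zimperium or the campaign: it matches requests to the named domains, parses the {FakeAppName}-{Country}-{Platform}-{OperatorCode} tag out of the Referer, and tallies hits per distribution channel. It assumes a combined-format proxy log with absolute URLs, that the tag fields contain no hyphens, that Country is an ISO code, and that OperatorCode is a numeric MCC+MNC; the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Domains named in the Zimperium report (defanging brackets removed).
# apkafa.com is the decoy page shown to non-targeted devices, so a hit on it
# still means the app is installed and running.
IOC_DOMAINS = {"modobomz.com", "mwmze.com", "apkafa.com"}

# Combined log format with an absolute URL in the request line, as a forward
# proxy would write it. Assumption: the logs use this layout.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# {FakeAppName}-{Country}-{Platform}-{OperatorCode}. Assumptions: no hyphens
# inside fields, Country is an ISO code, OperatorCode is a numeric MCC+MNC.
TAG_RE = re.compile(
    r"^(?P<persona>[^-]+)-(?P<country>[A-Za-z]{2,3})-(?P<platform>[A-Za-z]+)-(?P<operator>\d{5,6})$"
)

# MCCs of the four targeted countries, used to cross-check the operator field.
MCC_TO_COUNTRY = {"502": "MY", "520": "TH", "226": "RO", "219": "HR"}


def parse_tag(referer):
    """Parse the campaign tag from a Referer value; None if it is not one."""
    m = TAG_RE.match(referer)
    if not m:
        return None
    tag = m.groupdict()
    tag["mcc_country"] = MCC_TO_COUNTRY.get(tag["operator"][:3], "?")
    return tag


def hunt(lines):
    """Return one dict per request to an IOC domain, with the tag parsed when present."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host not in IOC_DOMAINS:
            continue
        hits.append({"src": m["src"], "ts": m["ts"], "host": host,
                     "path": parts.path, "tag": parse_tag(m["referer"])})
    return hits


def tally(hits, field):
    """Count tagged hits by one tag field, e.g. 'platform' or 'persona'."""
    return Counter(h["tag"][field] for h in hits if h["tag"])


# Constructed sample log, not real traffic; 50299 and 52099 are made-up codes.
SAMPLE_LOG = [
    '10.0.0.21 - - [12/Jan/2026:09:01:10 +0000] "POST https://modobomz.com/api/register HTTP/1.1" 200 311 "TikTok-MY-Facebook-50299" "Dalvik/2.1.0 (Linux; U; Android 13)"',
    '10.0.0.21 - - [12/Jan/2026:09:01:42 +0000] "GET https://modobomz.com/api/targets HTTP/1.1" 200 1024 "TikTok-MY-Facebook-50299" "Dalvik/2.1.0 (Linux; U; Android 13)"',
    '10.0.0.34 - - [12/Jan/2026:09:03:05 +0000] "POST https://www.mwmze.com/api/register HTTP/1.1" 200 298 "Minecraft-TH-TikTok-52099" "Dalvik/2.1.0 (Linux; U; Android 12)"',
    '10.0.0.40 - - [12/Jan/2026:09:04:00 +0000] "GET https://apkafa.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 14) AppleWebKit/537.36"',
    '10.0.0.52 - - [12/Jan/2026:09:04:30 +0000] "GET https://example.com/ HTTP/1.1" 200 4200 "https://example.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h)
    print(tally(hunt(SAMPLE_LOG), "platform"))
```

Because the tag itself is a normal Referer string, the same regex works in a SIEM as a field extraction; the mcc_country cross-check catches a tag whose Country field disagrees with the operator code, which is worth a second look.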

Safeguarding Against Threats

Users are advised not to sideload applications from third-party sources. After the fact, the practical checks are to confirm that every installed app claiming a well-known brand actually comes from the official store listing and the expected developer, and to review recent mobile bills for subscription charges that cannot be explained.

The campaign underscores the need for vigilance among Android users, particularly in the targeted regions, as the tactics of mobile fraud operators keep adapting to whatever checks carriers and users put in place.
