
Android Malware Campaign Used Hundreds of Fake Apps to Silently Charge Users
Why It Matters
The campaign demonstrates how attackers can weaponize legitimate Android features to generate illicit revenue, exposing a gap in carrier‑level fraud detection and highlighting the risk of sideloaded apps. It underscores the need for stricter app vetting and real‑time monitoring of premium‑SMS traffic across telecom ecosystems.
Key Takeaways
- 250 fake apps impersonated popular brands to trigger premium SMS charges
- Malware reads SIM operator, forces cellular data, and auto‑subscribes to services
- Attack uses Google SMS Retriever API to harvest OTPs without user consent
- Variants target Malaysia, Thailand, Romania, Croatia, measuring success via referrer tags
- Prevention includes avoiding sideloaded apps and monitoring mobile bills for unknown charges
Pulse Analysis
The Premium Deception campaign illustrates a new level of automation in mobile fraud, leveraging nearly 250 counterfeit applications that masquerade as trusted services such as TikTok, Instagram Threads, and Minecraft. By embedding a hard‑coded list of carrier operator codes, the malware identifies victims in four countries and deliberately disables Wi‑Fi to route traffic through the cellular network, ensuring that premium‑SMS charges are billed directly to the subscriber’s phone bill. This approach not only maximizes revenue for the attackers but also makes detection harder, as the fraudulent activity blends with legitimate carrier billing processes.
Technical analysis reveals three distinct variants, each adding a layer of sophistication. The most advanced version reads the SIM operator, loads the carrier’s billing portal in a hidden WebView, programmatically clicks the subscription button, and then uses injected JavaScript to enter the one‑time password harvested through Google’s SMS Retriever API. Because that API hands a matching SMS to the app without the app holding the READ_SMS permission, no runtime permission prompt warns the user that the OTP has been read. A second variant pulls dynamic subscription targets from a C2 server and staggers SMS requests to evade automated fraud filters, while the third adds real‑time reporting through a Telegram bot, alerting attackers whenever a device is compromised or a premium SMS is dispatched. These tactics map to multiple MITRE ATT&CK techniques, including T1628.001 (Hide Artifacts: Suppress Application Icon) for defense evasion and credential‑access methods that abuse legitimate OS features.
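The behaviours above can be turned into a static triage rule for sideloaded APKs. The following is an added example written for this page, not code from the report or from the malware: it scores a decoded app by the co-occurrence of the API references that the described chain needs (SIM operator lookup, forcing cellular, a JavaScript-enabled WebView, SMS Retriever, and a hard-coded operator-code table). The input format (smali-style method references and string literals, as a decoder such as apktool or androguard would emit) and both sample apps are constructed; the category names, thresholds and the specific PLMN values are assumptions made for illustration.

```python
"""Static triage heuristic for the premium-SMS subscription-fraud chain.

Added illustration, not the report's or the malware's code. Input is a list of
decoded method references and string literals; the samples below are constructed.
"""
import re
from collections import defaultdict

# Smali method/field references that correspond to each behaviour in the report.
# Category names are hypothetical labels chosen for this example.
INDICATORS = {
    "reads_sim_operator": (
        "Landroid/telephony/TelephonyManager;->getSimOperator",
        "Landroid/telephony/TelephonyManager;->getNetworkOperator",
    ),
    "forces_cellular": (
        "Landroid/net/wifi/WifiManager;->setWifiEnabled",
        "Landroid/net/ConnectivityManager;->bindProcessToNetwork",
        "Landroid/net/NetworkCapabilities;->TRANSPORT_CELLULAR",
    ),
    "webview_js_injection": (
        "Landroid/webkit/WebView;->evaluateJavascript",
        "Landroid/webkit/WebView;->addJavascriptInterface",
        "Landroid/webkit/WebSettings;->setJavaScriptEnabled",
    ),
    "sms_retriever": (
        "Lcom/google/android/gms/auth/api/phone/SmsRetriever;->getClient",
        "Lcom/google/android/gms/auth/api/phone/SmsRetrieverClient;->startSmsRetriever",
        "com.google.android.gms.auth.api.phone.SMS_RETRIEVED",
    ),
}

# Mobile country codes of the four countries the report names (Malaysia 502,
# Thailand 520, Romania 226, Croatia 219). A PLMN string is MCC + 2- or 3-digit MNC.
TARGET_PLMN = re.compile(r"^(502|520|226|219)\d{2,3}$")


def extract_indicators(refs):
    """Map each behaviour category to the decoded references that triggered it."""
    hits = defaultdict(list)
    plmns = []
    for ref in refs:
        for category, needles in INDICATORS.items():
            if any(needle in ref for needle in needles):
                hits[category].append(ref)
        if TARGET_PLMN.match(ref):
            plmns.append(ref)
    # One or two operator strings are normal (carrier apps); a table spanning
    # several MCCs is the targeting list the report describes.
    if len(plmns) >= 3 and len({p[:3] for p in plmns}) >= 2:
        hits["hardcoded_operator_codes"] = plmns
    return dict(hits)


def triage(refs):
    """Score an app: each category counts once; four or more is flagged.

    Any single API here is legitimate on its own (SMS Retriever exists for OTP
    autofill), so the verdict rests on the combination, not on one indicator.
    """
    hits = extract_indicators(refs)
    score = len(hits)
    return {"score": score, "suspicious": score >= 4, "hits": hits}


# Constructed references resembling a decoded fake app that follows the chain.
SAMPLE_FAKE_APP = [
    "Landroid/telephony/TelephonyManager;->getSimOperator()Ljava/lang/String;",
    "50212", "50216", "52001", "22601", "21901",  # constructed PLMN table
    "Landroid/net/wifi/WifiManager;->setWifiEnabled(Z)Z",
    "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V",
    "Landroid/webkit/WebView;->evaluateJavascript(Ljava/lang/String;Landroid/webkit/ValueCallback;)V",
    "Lcom/google/android/gms/auth/api/phone/SmsRetrieverClient;->startSmsRetriever()Lcom/google/android/gms/tasks/Task;",
    "com.google.android.gms.auth.api.phone.SMS_RETRIEVED",
]

# Constructed references for a legitimate app that only auto-fills its own OTP.
SAMPLE_OTP_AUTOFILL_APP = [
    "Lcom/google/android/gms/auth/api/phone/SmsRetriever;->getClient(Landroid/content/Context;)Lcom/google/android/gms/auth/api/phone/SmsRetrieverClient;",
    "com.google.android.gms.auth.api.phone.SMS_RETRIEVED",
    "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V",
]

if __name__ == "__main__":
    for name, refs in (("fake app", SAMPLE_FAKE_APP), ("otp autofill app", SAMPLE_OTP_AUTOFILL_APP)):
        result = triage(refs)
        print(f"{name}: score={result['score']} suspicious={result['suspicious']} "
              f"categories={sorted(result['hits'])}")
```

The rule deliberately ignores what any one API does and keys on the chain as a whole; tune the threshold against a corpus of known-good apps before using it for anything beyond triage, since banking and carrier apps legitimately use several of these calls.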
For enterprises and telecom operators, the campaign signals a pressing need to reinforce mobile security controls. Users should avoid sideloading apps from unverified sources and check that any app carrying a well‑known brand name was published by that brand’s verified developer account. Carriers must enhance real‑time monitoring of premium‑SMS traffic, implement stricter OTP validation, and consider out‑of‑band confirmation for subscription requests. As attackers continue to refine automated subscription fraud, a collaborative effort between device manufacturers, app stores, and telecom providers will be essential to safeguard consumers from hidden charges and preserve trust in mobile ecosystems.
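What carrier‑side monitoring of premium‑SMS traffic can look like in practice, as an added example written for this page rather than any operator’s production logic: two rules derived from the behaviour the report describes. An automated WebView submits the OTP far faster than a person can read and type it, and an infected device accumulates several unrelated premium subscriptions in a short period even when the requests are staggered. The event schema (one row per OTP delivery or subscription confirmation), the sample log and the thresholds are all assumptions made for the example.

```python
"""Carrier-side detection rules for automated premium-SMS subscription fraud.

Added example, not the report's or an operator's code. Assumed input: one
record per billing event, with the MT one-time password delivery (OTP_SENT)
and the accepted confirmation (SUBSCRIBED) logged per subscriber and service.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    msisdn: str   # subscriber identifier (constructed labels below, not real numbers)
    event: str    # "OTP_SENT" or "SUBSCRIBED"
    service: str  # premium short code or merchant id


def parse_events(text):
    """Parse the assumed CSV schema into Event records."""
    return [Event(datetime.fromisoformat(r["ts"]), r["msisdn"], r["event"], r["service"])
            for r in csv.DictReader(io.StringIO(text))]


def detect(events, min_human_otp=timedelta(seconds=3),
           burst_window=timedelta(hours=24), burst_threshold=3):
    """Return alerts per subscriber.

    Rule 1: a SUBSCRIBED confirmation arriving less than min_human_otp after the
            OTP was delivered for the same service (automated OTP injection).
    Rule 2: burst_threshold or more distinct services confirmed inside any
            burst_window (staggered but still abnormal subscription volume).
    Thresholds are analyst-chosen starting points, not values from the report.
    """
    by_sub = defaultdict(list)
    for e in events:
        by_sub[e.msisdn].append(e)

    alerts = defaultdict(list)
    for msisdn, evs in by_sub.items():
        evs.sort(key=lambda e: e.ts)
        pending = {}      # service -> time the OTP was delivered
        subscribed = []   # confirmations in time order
        for e in evs:
            if e.event == "OTP_SENT":
                pending[e.service] = e.ts
            elif e.event == "SUBSCRIBED":
                subscribed.append(e)
                sent = pending.pop(e.service, None)
                if sent is not None and e.ts - sent < min_human_otp:
                    alerts[msisdn].append(("fast_otp_confirm", e.service,
                                           round((e.ts - sent).total_seconds(), 3)))
        # Slide a window forward from each confirmation and count distinct services.
        for start in subscribed:
            in_window = {s.service for s in subscribed
                         if start.ts <= s.ts < start.ts + burst_window}
            if len(in_window) >= burst_threshold:
                alerts[msisdn].append(("subscription_burst", sorted(in_window)))
                break
    return dict(alerts)


# Constructed sample log: sub-A behaves like an infected device with staggered
# requests; sub-B is a person who took 41 seconds to enter one OTP.
SAMPLE_LOG = """\
ts,msisdn,event,service
2023-05-01T10:00:00.000,sub-A,OTP_SENT,33123-games
2023-05-01T10:00:00.800,sub-A,SUBSCRIBED,33123-games
2023-05-01T14:10:00.000,sub-A,OTP_SENT,35001-video
2023-05-01T14:10:01.200,sub-A,SUBSCRIBED,35001-video
2023-05-01T22:30:00.000,sub-A,OTP_SENT,36777-horoscope
2023-05-01T22:30:00.500,sub-A,SUBSCRIBED,36777-horoscope
2023-05-01T10:05:00.000,sub-B,OTP_SENT,33123-games
2023-05-01T10:05:41.000,sub-B,SUBSCRIBED,33123-games
"""

if __name__ == "__main__":
    for msisdn, found in detect(parse_events(SAMPLE_LOG)).items():
        for alert in found:
            print(msisdn, *alert)
```

The OTP round‑trip rule is the cheaper of the two to deploy because it needs no history, only the pairing of delivery and confirmation; the burst rule catches the staggered variant that a per‑minute rate limit would miss. Both should feed a hold‑and‑confirm step rather than an automatic block, since a legitimate subscriber who pastes an OTP from a notification can also be quick.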