Large-scale Android carrier-billing fraud campaign leveraging fake apps and hidden WebView automation

1 unique source, 1 article

Summary

A 10-month Android malware campaign used nearly 250 counterfeit apps to enroll victims in premium services via carrier billing, targeting users in Malaysia, Thailand, Romania and Croatia. The operation, codenamed Premium Deception by Zimperium zLabs, ran from March 2025 to mid-January 2026 and maintained portions of its infrastructure online at the time of disclosure. Malware variants automated end-to-end subscription enrollment by exploiting legitimate Android APIs, hidden WebViews and operator-specific billing portals to bypass user interaction and detection.

Timeline

  1. 20.05.2026 18:30 · 1 article

    Premium Deception campaign uncovered: end-to-end carrier-billing fraud using hidden WebView automation across four countries

    Researchers identified a 10-month Android carrier-billing fraud campaign using ~250 fake apps to enroll victims in premium services via mobile billing. The operation automated subscription workflows by disabling Wi-Fi, loading operator portals in hidden WebViews, executing JavaScript to click billing buttons and harvesting OTPs via Google’s SMS Retriever API. Three malware variants were deployed: a fully automated variant in Malaysia; a dynamic, C2-controlled variant in Thailand with delayed SMS scheduling and cookie harvesting; and a Telegram-reporting variant that relayed real-time infection and event data. Infrastructure analysis links the campaign to a commercial operation with referrer-tagged payloads, fallback benign webviews for non-target SIMs and C2 domains modobomz[.]com and mwmze[.]com.
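
The behaviours and C2 domains in this entry can be combined into a first-pass triage rule for app-scan records. The following is an added example, not code from Zimperium or from this site; the smali reference strings chosen for each behaviour, the app names and the subdomains are assumptions constructed for illustration.

```python
# Added example: triage over constructed scan records (not real app data).

# C2 domains named in the report, kept defanged as published.
C2_DEFANGED = ["modobomz[.]com", "mwmze[.]com"]

# Assumed mapping from the reported behaviours to smali references a static
# scan could surface; the report itself names no classes or methods.
WIFI = "Landroid/net/wifi/WifiManager;->setWifiEnabled"
JS = "Landroid/webkit/WebView;->evaluateJavascript"
SMS = "Lcom/google/android/gms/auth/api/phone/SmsRetriever"
BEHAVIOURS = {"wifi_disable": [WIFI], "webview_js": [JS], "sms_retriever": [SMS]}

def refang(name):
    """Turn 'example[.]com' into a comparable lowercase hostname."""
    return name.replace("[.]", ".").lower().rstrip(".")

def is_c2(host):
    """Exact or subdomain match only, so look-alike suffixes do not hit."""
    host = refang(host)
    return any(host == d or host.endswith("." + d)
               for d in map(refang, C2_DEFANGED))

def triage(app):
    """app: {'refs': [smali references], 'hosts': [contacted hostnames]}."""
    seen = sorted(name for name, needles in BEHAVIOURS.items()
                  if any(n in ref for n in needles for ref in app["refs"]))
    c2_hosts = sorted(h for h in app["hosts"] if is_c2(h))
    if c2_hosts:
        verdict = "ioc-match"
    elif len(seen) == len(BEHAVIOURS):
        verdict = "behaviour-match"  # all three together: manual review
    else:
        verdict = "no-match"         # any one API alone is common in benign apps
    return {"verdict": verdict, "behaviours": seen, "c2_hosts": c2_hosts}

# Constructed sample records; app names, refs and subdomains are invented.
SAMPLES = {
    "otp-autofill": {"refs": [SMS + ";->getClient"], "hosts": ["bank.example"]},
    "fake-game": {"refs": [WIFI, JS, SMS], "hosts": ["cdn.example"]},
    "fake-tool": {"refs": [JS], "hosts": ["api.mwmze[.]com"]},
    "lookalike": {"refs": [], "hosts": ["notmwmze[.]com"]},
}

if __name__ == "__main__":
    for name, app in SAMPLES.items():
        print(name, triage(app))
```

A behaviour match is a reason to review an app, not a verdict: each of the three APIs has legitimate uses, which is why the rule requires them together.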
