A new wave of Android malware is secretly signing users up for premium subscriptions – and charging them directly to their phone bills.
According to security researchers, around 250 malicious Android apps have been part of a global fraud campaign running for nearly a year.
Instead of obvious pop-ups or alerts, these apps quietly subscribe users to premium SMS services: the kind that charge small amounts repeatedly through the target’s mobile carrier.
No warnings or noticeable confirmation. Extra charges just show up later.
These apps look completely normal
Instead of using shady-looking apps, the attackers copied familiar ones. The apps are disguised as popular brands people already trust, including Facebook Messenger, Instagram Threads, TikTok, Grand Theft Auto, and Minecraft.
So from the outside, everything looks normal, and an unsuspecting person can download one thinking it’s legitimate.
Even after one of these apps is installed, it can take a while to be detected, because it only activates when it knows it can charge you. That is one of the more calculated parts of this attack: the malware checks your SIM card first. If your mobile network matches one of a set of specific carriers, it activates; if not, it shows something harmless so it doesn’t get flagged.
How it actually drains money
Once active, the malware runs everything in the background. It can turn off your Wi-Fi to force mobile data usage, open hidden web pages, and click subscription buttons automatically. It can also intercept verification codes and confirm subscriptions without you seeing anything.
Even one-time passwords (OTPs) get captured automatically using built-in Android features. So from the system’s perspective, everything looks legit. You “confirmed” the subscription. Except you didn’t.
This is a full operation
Researchers say this campaign has been running for 10 months, with structured systems behind it. There are multiple malware variants doing different things. One fully automates subscriptions, another delays actions to avoid detection, and another sends stolen data back instantly via Telegram.
There is even a tracking system that lets attackers measure which fake apps and regions are working best. The whole thing is optimized.
And it all works so well because it relies on systems that already exist: carrier billing, SMS verification, in-app permissions and in-app web views.
To avoid falling victim to this kind of attack, pause before hitting “allow” whenever an app on your phone asks for access it does not really need, especially if it’s anything tied to messages or verification. Make that mistake and the damage can show up on your bill before you know it.
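Each of the behaviours described above (reading SMS to capture a verification code, toggling Wi-Fi to force carrier data, checking the SIM’s carrier before activating) needs a permission that the app has to declare in its manifest, which gives a defender or app reviewer a cheap static check before anything runs. The script below is an added example written for this page, not code from the article or from the researchers it cites. The two manifests it parses are constructed, the package names are made up, and the mapping of each behaviour to a set of Android permissions is my assumption of what such an app would typically have to declare; a notification-listener service is scored as well because it is another way to read a one-time code shown on screen.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"              # android:name in Clark notation
PERMISSION = f"{{{ANDROID_NS}}}permission"  # android:permission

# Assumed indicator table (my mapping, not from the article): each behaviour the
# campaign is described as having, paired with the permissions an app would
# normally have to declare to perform it.
INDICATORS = {
    "read/intercept SMS (OTP capture)": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
    },
    "toggle Wi-Fi to force carrier data": {
        "android.permission.CHANGE_WIFI_STATE",
        "android.permission.CHANGE_NETWORK_STATE",
    },
    "read SIM/carrier identity for gating": {
        "android.permission.READ_PHONE_STATE",
    },
}

# A service bound with this permission sees every notification, including an
# OTP displayed by the SMS app, so it counts as one more indicator.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


@dataclass
class TriageResult:
    package: str
    declared: set
    hits: dict                 # behaviour -> permissions that matched
    notification_listener: bool

    @property
    def score(self) -> int:
        return len(self.hits) + (1 if self.notification_listener else 0)


def triage_manifest(xml_text: str) -> TriageResult:
    """Parse an AndroidManifest.xml (text form) and score its permission set."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    declared = {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}
    hits = {}
    for behaviour, needed in INDICATORS.items():
        matched = declared & needed
        if matched:
            hits[behaviour] = matched
    listener = any(s.get(PERMISSION) == NOTIFICATION_LISTENER
                   for s in root.iter("service"))
    return TriageResult(package, declared, hits, listener)


def verdict(result: TriageResult, threshold: int = 2) -> str:
    """Two or more independent indicators is enough to pull the app for review."""
    return "review" if result.score >= threshold else "ok"


# Constructed sample: a "game" that asks for everything the fraud flow needs.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: a typical offline game that only wants network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.offlinepuzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        r = triage_manifest(text)
        print(f"{label}: {r.package} score={r.score} verdict={verdict(r)}")
        for behaviour, perms in r.hits.items():
            print(f"  - {behaviour}: {', '.join(sorted(perms))}")
        if r.notification_listener:
            print("  - declares a notification listener service")
```

Treat a hit as a reason to look closer, not as a verdict: real messaging and carrier apps legitimately declare SMS permissions, which is why the threshold requires more than one independent indicator. A game or social app carrying the full set, combined with a package name or signing certificate that does not match the brand it imitates, is the pattern worth pulling for review.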
Source: Hack Read
