Over 200 Fake Android Apps Are Quietly Stealing Money From Phone Bills
A new malware scam is silently executing billing fraud, targeting users based on their phone carriers and locations. Uncovered by cybersecurity group Zimperium, the campaign used nearly 250 Android applications to impersonate popular games and social media sites, including TikTok, Minecraft, Grand Theft Auto, Instagram Threads, and Facebook Messenger. Once downloaded, they charged unsuspecting users premium fees, enlisting them in automated subscription engines.
The scheme used techniques such as JavaScript injection, one-time password interception, and WebView automation to evade notice, automate subscriptions, track its own results, and exfiltrate data. Deployed in Malaysia, Romania, Thailand, and Croatia, the malware read the victim's SIM card and activated only for specific carriers. Zimperium first detected the scam in March 2025 and tracked it until at least January 2026. Concerned users can consult Zimperium's GitHub repository for indicators of compromise. It remains unclear how the infected apps reached their victims.
However, Google is adamant that none of the roughly 250 apps are available on its app store, according to Dark Reading. A Google spokesperson went on to say, "Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services." Despite these assurances, experts argue that the attack is indicative of wide-reaching marketplace security challenges. In one attack last year, attackers turned 150 Google Chrome extensions malicious, infecting over 4.3 million browsers. And while Android users can take steps to protect themselves, attacks like those discovered by Zimperium necessitate a wholesale review of the application security framework.
Three malware variants, one result
Hackers used three malware variants to attack users. The first deployed an "automated subscription engine" to enroll victims in premium subscriptions without their knowledge. This variant, the most sophisticated of the three, reads the device's SIM card so that it can target hardcoded operators, such as Malaysia's DiGi. To avoid detection, the apps showed harmless webpages if the victim was not on one of the specified carrier networks. If the victim was on a hardcoded billing network, however, the malware deployed a "clever social engineering tactic" to trick the user into believing they were authenticating a gaming account.
The app then abused Google's SMS Retriever API to intercept one-time passwords before issuing JavaScript commands to hidden web pages that subscribed the victim to premium content via the carrier's billing portal. A second variant targeted users in Thailand through premium SMS messages that enrolled them in premium services. This variant used a multi-stage system to avoid detection: Zimperium found that it shows users seemingly legitimate webpages while "the malware secretly loads hidden WebViews in the background to access additional carrier billing portals."
According to Zimperium, attackers deploying this malware variant also utilized an "advanced cookie-stealing technique" to "maintain authenticated sessions with the carrier's billing system." A third version of the scheme "combines the SMS fraud capabilities of previous variants with instant notification to attackers via Telegram, giving them real-time visibility into successful infections." The integration of a Telegram channel underscores the sophistication of the attacks, allowing scammers to track success metrics and optimize operations.
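The three variants described above share a recognizable capability set: reading the SIM or carrier identity, receiving or sending SMS, and reaching billing portals over the network from a hidden WebView. A reviewer triaging a suspicious APK can check whether an app that claims to be a game declares that combination. The following is an added example written for this article, not code from Zimperium or from the malware; the manifest is constructed to illustrate the pattern, and the mapping from Android permissions to the capabilities in the text is an assumption based on the Android permission model (`READ_PHONE_STATE` for carrier/SIM identity, `RECEIVE_SMS`/`READ_SMS` for OTP interception, `SEND_SMS` for the premium-SMS variant, `INTERNET` for the hidden WebView).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"

# Assumed mapping from declared permissions to the capabilities the
# article describes. This is a triage heuristic, not Zimperium's logic.
CAPABILITIES = {
    "reads carrier/SIM identity": {"android.permission.READ_PHONE_STATE"},
    "receives or reads SMS (OTP interception)": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
    "sends SMS (premium SMS variant)": {"android.permission.SEND_SMS"},
    "network access (hidden WebView / billing portal)": {"android.permission.INTERNET"},
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest for a fake game, mirroring the capability set
# from the article. Package name and class names are placeholders.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Fake Game">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for an ordinary online game: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.realgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Real Game"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}


def receiver_actions(manifest_xml: str) -> set:
    """Return every broadcast action any <receiver> listens for."""
    root = ET.fromstring(manifest_xml)
    return {
        action.get(ANDROID_NAME)
        for receiver in root.iter("receiver")
        for action in receiver.iter("action")
    }


def triage(manifest_xml: str) -> dict:
    """Flag the carrier-gated SMS billing pattern from the declared manifest.

    The app is marked suspicious when it can read carrier/SIM identity AND
    can send or receive SMS; either alone is common in legitimate apps.
    """
    perms = declared_permissions(manifest_xml)
    hits = [label for label, needed in CAPABILITIES.items() if perms & needed]
    if SMS_RECEIVED_ACTION in receiver_actions(manifest_xml):
        hits.append("registers an SMS_RECEIVED broadcast receiver")
    carrier = any(h.startswith("reads carrier") for h in hits)
    sms = any("SMS" in h for h in hits)
    return {"hits": hits, "suspicious": carrier and sms}


if __name__ == "__main__":
    for name, manifest in (("fake game", SUSPICIOUS_MANIFEST), ("real game", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{name}: suspicious={result['suspicious']}")
        for hit in result["hits"]:
            print(f"  - {hit}")
```

One caveat a practitioner should keep in mind: the first variant intercepts one-time passwords through the SMS Retriever API, which by design delivers a matching message to the app without any SMS permission, so a manifest-only check like this one catches the premium-SMS variant but not an app that relies solely on SMS Retriever. That is exactly the gap the Dark Reading commentary below points at: the abused surfaces are documented platform features, so detection has to look at runtime behaviour (hidden WebViews, injected JavaScript, carrier checks) rather than at permissions alone.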
A targeted scheme with wide-ranging implications
The scheme was highly specific in its choice of targets. Over half of the scammers' victims were using Malaysian SIM cards. Users in Thailand and Romania each accounted for roughly 15% of the scam's attacks, while Croatia saw 1% of the operation's activity. Within these four jurisdictions, at least 10 carriers were targeted by the malware. In order of prevalence, the list includes DiGi, Maxis, Celcom, U Mobile, Telekom, AIS, Orange, Vodafone, TrueMove H, and dtac TriNet. Although first detected in March 2025, the campaign's activity peaked in September 2025. Although the campaign was last seen active in January, Zimperium's report stresses that "portions of the infrastructure remain operational."
These attacks are indicative of broader failures in the security of mobile platforms. The abuse of legitimate app features like Google's SMS Retriever API and Android's CookieManager API underscores common security gaps. AI research engineer Vineeta Sangaraju told Dark Reading that "these are not obscure attack surfaces, they are documented, widely used platform features, and the controls governing their use have not kept pace with their abuse potential." The campaign also reflects the difficulty of policing app downloads, particularly when users rely on third-party marketplaces.
However, infected apps and browser extensions still permeate legitimate stores. In April 2026, for instance, cybersecurity researchers at Socket found over 100 Google Chrome extensions that exfiltrated user browsing data. While users must be vigilant when downloading new programs, the persistence of these issues suggests that companies need to reimagine their approach to marketplace security.