Android 'Premium Deception' billing scam
- Zimperium’s zLabs said on May 20 it tracked a 10-month Android fraud campaign that used nearly 250 fake apps to trigger carrier-billing charges.
- Zimperium said the operation stayed active from March 2025 to the second week of January 2026, targeting mobile operators in four countries. (zimperium.com)
- Zimperium published its findings on May 20, and Infosecurity Magazine summarized the report on May 20. (zimperium.com)

Zimperium’s zLabs said on May 20 that it had identified a 10-month Android fraud campaign that used nearly 250 fake apps to enroll victims in premium mobile-billing services. The company said the operation, which it named “Premium Deception,” targeted users through apps that appeared legitimate while automating the subscription flow in the background. The campaign ran from March 2025 through the second week of January 2026, according to Zimperium’s report. (zimperium.com)

Malaysia, Thailand, Romania and Croatia were the four markets named in the research. The report describes a scam built around carrier billing, a payment method that adds charges directly to a user’s phone bill rather than routing them through a card or app-store checkout. Zimperium said the apps used WebView-based automation, JavaScript injection and one-time-password interception to complete the sign-up flow and reduce the amount of user interaction needed. Dark Reading, citing the same research, said the tooling helped the apps evade detection while finalizing fraudulent subscriptions. (zimperium.com)

### How did the fake apps actually turn into charges?

Zimperium said the malicious apps presented themselves as ordinary utilities or services, then opened carrier payment pages inside embedded web views. The company said the malware automated taps and page interactions, injected code into the billing flow and intercepted OTP messages needed to confirm some transactions.

Carrier billing scams work because the charge can look like a telecom fee rather than a conventional card payment. In this case, Zimperium said the campaign hardcoded operator targeting for specific carriers in Malaysia, Thailand, Romania and Croatia, indicating the fraud was tailored to local billing systems rather than sprayed broadly at random markets. (zimperium.com)

### Why are Malaysia, Thailand, Romania and Croatia the only countries named?

Zimperium’s report names those four countries as the places where the apps contained hardcoded operator targeting. (zimperium.com) The company said that design choice showed the operators behind the campaign were building country-specific subscription flows around known mobile-billing providers and carrier pages.

Infosecurity Magazine, summarizing the findings on May 20, also identified the same four countries and said the campaign used nearly 250 apps to sign people up to paid services through their phone bills. (zimperium.com) That account matches the core timeline and geography in Zimperium’s write-up.

### What made this campaign notable to researchers?

The number in Zimperium’s report was nearly 250 malicious apps. That scale, combined with activity lasting roughly 10 months, suggests the operators rotated app lures and infrastructure rather than relying on a single package name or storefront listing. (zimperium.com) Zimperium said the campaign remained active from March 2025 until the second week of January 2026.

Dark Reading said the campaign’s use of WebView automation, JavaScript injection and OTP interception stood out because those techniques helped the malware complete the premium-subscription process with less visible friction for the victim. (infosecurity-magazine.com)

### What should Android users and security teams check now?

Phone-bill charges are the first place to look. Because the fraud route was carrier billing, victims may not see a disputed card transaction; they may instead find recurring premium-service fees on their mobile statement, according to Zimperium’s description of the scheme. (zimperium.com)

Zimperium published the research on May 20 on its zLabs blog, and follow-on coverage from Infosecurity Magazine and Dark Reading appeared the same week. Security teams looking for the next step would start with Zimperium’s report and any indicators or app lists the company releases alongside it. (darkreading.com) (zimperium.com)
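
For security teams triaging sideloaded or store apps, the sketch below is an added example (not code or indicators from Zimperium's report) that flags the combination the article describes: OTP-reading capability, WebView script injection, and hardcoded operator codes for the four named countries. The permission set, the MCC-based operator check and the feature-record layout are assumptions made for illustration.

```python
import re

# Assumption: E.212 mobile country codes for the four countries the report names.
TARGET_MCC = {"502": "Malaysia", "520": "Thailand", "226": "Romania", "219": "Croatia"}
# Assumption: manifest permissions that would let an app read a carrier OTP.
OTP_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}
# Android WebView methods that run app-supplied script inside a loaded page.
JS_INJECT_APIS = {"evaluateJavascript", "addJavascriptInterface"}
# TelephonyManager methods that return the MCC+MNC operator string.
OPERATOR_APIS = {"getSimOperator", "getNetworkOperator"}
PLMN_RE = re.compile(r"\d{5,6}")


def triage(app):
    """Return (signals, verdict) for one extracted-feature record."""
    apis = set(app["api_refs"])
    signals = []
    if OTP_PERMS & set(app["permissions"]):
        signals.append("otp_read_capability")
    if JS_INJECT_APIS & apis:
        signals.append("webview_js_injection")
    countries = sorted({TARGET_MCC[s[:3]] for s in app["strings"]
                        if PLMN_RE.fullmatch(s) and s[:3] in TARGET_MCC})
    # A 5-digit literal alone is weak; require an operator lookup next to it.
    if countries and OPERATOR_APIS & apis:
        signals.append("hardcoded_operator:" + ",".join(countries))
    # Each signal is common in benign apps; only the full combination is escalated.
    return signals, ("review" if len(signals) == 3 else "pass")


# Constructed records, as a decompiler or manifest parser might emit them.
SUSPECT = {
    "permissions": ["android.permission.INTERNET", "android.permission.RECEIVE_SMS"],
    "api_refs": ["setJavaScriptEnabled", "evaluateJavascript", "getSimOperator"],
    "strings": ["50212", "52003", "https://billing.example/subscribe"],
}
BENIGN_BROWSER = {
    "permissions": ["android.permission.INTERNET"],
    "api_refs": ["setJavaScriptEnabled", "evaluateJavascript"],
    "strings": ["50212"],
}

if __name__ == "__main__":
    for name, rec in (("suspect", SUSPECT), ("benign_browser", BENIGN_BROWSER)):
        print(name, *triage(rec))
```

A "review" verdict is a prompt for manual analysis, not a detection; published indicators from the report, when available, take precedence over this heuristic.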