Android Malware Spotted Subscribing Victims to Paid Services Without Consent

ID: a7772c05-9bf7-5138-b655-01069544fe59

STIX ID: report--a7772c05-9bf7-5138-b655-01069544fe59

Feed Name: HackRead

Threat Score: 72/100

Date Published: 2026-05-21

Date Updated: 2026-05-22

Author: Deeba Ahmed

**Executive Summary:** A sustained Android malware campaign (first seen March 2025; active through January 2026) deployed ~250 fake apps impersonating popular brands to perform carrier billing fraud across Thailand, Croatia, Romania, and Malaysia. The apps disabled Wi‑Fi, automated hidden WebView subscription workflows, abused Google’s SMS Retriever API to capture OTPs/TACs, sent premium SMS to short codes, and exfiltrated data to C2 domains (apizep.mwmze.com, modobomz.com) and Telegram.