Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign
ID: 6e9afd2e-1382-5ef8-a6b0-c7bda72b0fc6
STIX ID: report--6e9afd2e-1382-5ef8-a6b0-c7bda72b0fc6
Feed Name: Zimperium Blog
zLabs discovered a coordinated Android malware campaign of roughly 250 malicious apps performing large-scale carrier billing fraud in Malaysia, Thailand, Romania, and Croatia, each targeting specific mobile operators. The malware automates premium subscriptions through hidden WebViews and JavaScript injection, intercepts one-time passcodes (OTPs) with the Google SMS Retriever API (which needs no SMS permission), steals session cookies, and disables WiFi so that traffic is billed over the cellular connection. It exfiltrates device information and captured HTML, in part via Telegram. The report documents active C2 infrastructure along with the short codes and domains involved.
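The behaviours listed above are individually common in legitimate apps; what distinguishes this tradecraft is their co-occurrence. The following triage script is an added example (not Zimperium's code and not IOCs from the report): it takes a decoded AndroidManifest.xml and a list of strings pulled from the DEX, looks for the API references that each behaviour leaves behind, and grades the combination. The regex patterns, indicator names, thresholds and the two sample apps are assumptions constructed for illustration.

```python
"""Triage an Android app for the carrier-billing-fraud tradecraft summarised above.

Added example, not Zimperium's code. Input is the decoded manifest text (e.g. from
apktool) and the string/method references recovered from the DEX; both samples
below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Broadcast delivered by Play Services when the SMS Retriever API matches an SMS.
SMS_RETRIEVED_ACTION = "com.google.android.gms.auth.api.phone.SMS_RETRIEVED"

# Indicator -> regex over DEX references. Patterns are assumptions about how the
# relevant Android/GMS calls appear in smali-style method references.
DEX_INDICATORS = {
    "js_webview":     r"setJavaScriptEnabled|addJavascriptInterface",   # JS injection into WebView
    "sms_retriever":  r"auth/api/phone/SmsRetriever|SMS_RETRIEVED",     # OTP capture without READ_SMS
    "cookie_access":  r"Landroid/webkit/CookieManager;->getCookie",     # session-cookie theft
    "wifi_toggle":    r"Landroid/net/wifi/WifiManager;->setWifiEnabled", # force cellular billing
    "telegram_exfil": r"https?://api\.telegram\.org/bot",               # Telegram Bot API exfil
}


def manifest_facts(manifest_xml: str) -> dict:
    """Return the declared permissions and intent-filter actions of a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID_NS + "name") for e in root.iter("action")}
    return {"permissions": perms - {None}, "actions": actions - {None}}


def find_indicators(manifest_xml: str, dex_strings: list) -> set:
    """Collect every indicator present in the manifest or the DEX references."""
    hits = set()
    facts = manifest_facts(manifest_xml)
    if "android.permission.CHANGE_WIFI_STATE" in facts["permissions"]:
        hits.add("wifi_permission")
    if SMS_RETRIEVED_ACTION in facts["actions"]:
        hits.add("sms_retriever")          # statically registered retriever receiver
    blob = "\n".join(dex_strings)
    for name, pattern in DEX_INDICATORS.items():
        if re.search(pattern, blob):
            hits.add(name)
    return hits


def verdict(hits: set) -> str:
    """Grade the combination; a lone WebView or WiFi toggle is not suspicious by itself."""
    subscription_plumbing = {"js_webview", "cookie_access"}
    billing_forcing = {"wifi_toggle", "wifi_permission"}
    if "sms_retriever" in hits and hits & subscription_plumbing and hits & billing_forcing:
        return "high"      # OTP capture + automated subscription + cellular forcing
    if "sms_retriever" in hits and (hits & subscription_plumbing or "telegram_exfil" in hits):
        return "medium"
    return "low"


# Constructed sample: a fraud app combining all of the described behaviours.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <receiver android:name=".OtpReceiver" android:exported="true">
      <intent-filter>
        <action android:name="com.google.android.gms.auth.api.phone.SMS_RETRIEVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SUSPICIOUS_DEX = [
    "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V",
    "Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V",
    "Lcom/google/android/gms/auth/api/phone/SmsRetriever;->getClient(Landroid/content/Context;)",
    "Landroid/webkit/CookieManager;->getCookie(Ljava/lang/String;)Ljava/lang/String;",
    "Landroid/net/wifi/WifiManager;->setWifiEnabled(Z)Z",
    "https://api.telegram.org/bot<token>/sendDocument",   # token elided in this sample
]

# Constructed sample: an ordinary app with a JavaScript-enabled WebView only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.news">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""
BENIGN_DEX = ["Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V"]

if __name__ == "__main__":
    for label, manifest, dex in (("suspicious", SUSPICIOUS_MANIFEST, SUSPICIOUS_DEX),
                                 ("benign", BENIGN_MANIFEST, BENIGN_DEX)):
        hits = find_indicators(manifest, dex)
        print(f"{label}: {verdict(hits)} {sorted(hits)}")
```

The scoring deliberately keys on the SMS Retriever API: because that API needs no SMS permission, a permission-based review misses it, and the manifest receiver action or the GMS class reference is the artifact to look for. Run the script with real decoded output in place of the constructed samples.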
