Android Malware Campaign Used Hundreds of Fake Apps to Silently Charge Users
ID: 1b531af2-5284-5b60-86d0-ad4b62e01f33
STIX ID: report--1b531af2-5284-5b60-86d0-ad4b62e01f33
Feed Name: Infosecurity Magazine (News)
A 10-month Android malware campaign called "Premium Deception" used almost 250 counterfeit apps impersonating popular brands to fraudulently subscribe users to premium SMS services in Malaysia, Thailand, Romania and Croatia. Researchers identified three variants that progressively automated subscription workflows, disabled Wi‑Fi to force carrier billing, harvested OTPs via the SMS Retriever API, exfiltrated session cookies and device status to C2/Telegram, embedded tracking referrers, and abused multiple premium short codes and domains. Portions of the infrastructure remained online at publication.
