In a landscape where cyber threats are ever-evolving, a new breed of malware has emerged, posing a significant risk to unsuspecting smartphone users. This latest scam, as reported by BGR, operates with a level of sophistication that sets it apart from traditional malicious applications that typically aim to steal credit card information or install harmful viruses. Instead, this cunning malware quietly inflates phone bills and siphons off money through carrier subscriptions.
Fake popular apps steal money through subscriptions
Discovered by the cybersecurity firm Zimperium, this large-scale operation has deployed nearly 250 counterfeit Android applications masquerading as well-known software, including TikTok, Minecraft, Grand Theft Auto, Instagram Threads, and Facebook Messenger. Once users are deceived into downloading these fraudulent apps, the malware begins its stealthy work, leveraging automated subscription engines to enroll victims in fictitious premium services without their consent.
How the scam actually works
The mechanics of this scam are intricate. The malware combines JavaScript injection, one-time password (OTP) interception, and WebView automation to carry out a series of covert operations: reading the SIM card, identifying the carrier, evading detection, and signing users up for unauthorized payments without any visible prompt.
The attack unfolds in three distinct phases:
- The initial phase engages an “automated subscription engine” to enroll victims in premium services unbeknownst to them.
- The second phase, which is the most sophisticated, accesses the device’s SIM card to verify the carrier, ensuring that the scam targets the most vulnerable users.
- The final phase masks the operation; if the carrier does not support premium subscriptions, the scam presents an innocuous webpage. Conversely, if it does, users are led to a cleverly designed social engineering page that tricks them into believing they are confirming a gaming account.
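As an added, illustrative example (not from Zimperium's report or this article), the following Python heuristic triages a device's installed-app inventory for the traits described above: a label that imitates a well-known app under a package name other than the official one, SMS-reading (OTP) permission combined with phone-state (SIM/carrier) access, and installation from outside the Play Store. The official package names, the `App` record layout and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumed official package names for brands the fake apps imitate.
# Constructed for this example; confirm against the real store listings.
OFFICIAL = {
    "tiktok": "com.zhiliaoapp.musically",
    "minecraft": "com.mojang.minecraftpe",
    "threads": "com.instagram.barcelona",
    "messenger": "com.facebook.orca",
}
# Android permissions an OTP-intercepting, SIM-reading app would need.
OTP_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SIM_PERMS = {"android.permission.READ_PHONE_STATE"}
TRUSTED_INSTALLER = "com.android.vending"  # Google Play's installer package

@dataclass
class App:
    package: str
    label: str
    permissions: Set[str]
    installer: Optional[str]  # None when sideloaded with no recorded installer

def triage(app: App) -> List[str]:
    """Return the risk indicators an app exhibits (empty list = nothing flagged)."""
    reasons = []
    name = app.label.lower()
    for brand, official_pkg in OFFICIAL.items():
        if brand in name and app.package != official_pkg:
            reasons.append(f"impersonates {brand}: {app.package} is not {official_pkg}")
            break
    if app.permissions & OTP_PERMS and app.permissions & SIM_PERMS:
        reasons.append("can read SMS (OTP) and phone state (SIM/carrier)")
    if app.installer != TRUSTED_INSTALLER:
        reasons.append(f"sideloaded (installer={app.installer})")
    return reasons

def flagged(inventory: List[App]) -> dict:
    """Map package -> reasons for every app showing two or more indicators."""
    result = {}
    for app in inventory:
        reasons = triage(app)
        if len(reasons) >= 2:
            result[app.package] = reasons
    return result

# Constructed sample inventory: one genuine app, one impersonator.
INVENTORY = [
    App("com.zhiliaoapp.musically", "TikTok", {"android.permission.INTERNET"}, "com.android.vending"),
    App("com.example.tiktok.free", "TikTok Pro",
        {"android.permission.INTERNET", "android.permission.RECEIVE_SMS",
         "android.permission.READ_PHONE_STATE"}, None),
]
```

Running `flagged(INVENTORY)` reports only the impersonator, with all three indicators; the genuine TikTok entry produces none.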
While the scam has been identified primarily in Romania, Malaysia, Thailand, and Croatia, it is notable that Malaysia accounts for a staggering 85% of all victims, with the hackers specifically targeting a local carrier, DiGi. Users in Thailand and Romania have faced approximately 15% of the attacks, while only 1% of Android users in Croatia have been affected.
These 200+ apps are not on the Play Store, according to Google
In a reassuring note, Google has confirmed that none of these deceptive applications are available on the Play Store. The company stated, “Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services.” However, Zimperium emphasizes that this incident highlights a more significant security issue, underscoring the need for enhanced protective measures against such vulnerabilities.
The scam remains active to this day
Despite the peak of scam activity occurring in September 2025, Zimperium warns that parts of the infrastructure remain operational. The last recorded activity was noted in January 2026, indicating that this potential threat could resurface at any moment. As always, users are advised to adhere to best practices in online security: avoid suspicious websites, refrain from downloading applications from unofficial sources, and scrutinize any pop-up pages requesting sensitive information. Staying vigilant is key to safeguarding personal data in this digital age.