Over 200 Fake Android Apps Are Quietly Stealing Money From Phone Bills

May 25, 2026

Zimperium has uncovered a sophisticated malware campaign spanning nearly 250 Android applications that masqueraded as popular games and social media platforms such as TikTok, Minecraft, Grand Theft Auto, Instagram Threads, and Facebook Messenger. Once installed, these applications enrolled unsuspecting users in premium subscription services, often without their consent, by leveraging automated subscription engines.

The malware employed a range of advanced techniques, including JavaScript injection, interception of one-time passwords, and WebView automation, to evade detection while automating subscriptions, tracking scams, and exfiltrating sensitive data. This malicious activity was primarily deployed in Malaysia, Romania, Thailand, and Croatia, where the malware was capable of reading victims’ SIM cards and activating itself only for specific mobile carriers. Zimperium first identified the scam in March 2025 and continued monitoring it until at least January 2026. Users concerned about their security can refer to Zimperium’s GitHub repository for indicators of compromise. However, the exact methods by which these infected applications reached their targets remain unclear.

Despite the extensive nature of this campaign, Google has asserted that none of the 250 compromised applications were available on its app store. A spokesperson for Google emphasized that “Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services.” Nonetheless, cybersecurity experts caution that this incident highlights significant vulnerabilities within the marketplace security framework. In a related incident last year, cybercriminals transformed 150 Google Chrome extensions into malicious software, affecting over 4.3 million browsers. While Android users can take proactive measures to safeguard their devices, the attacks identified by Zimperium underscore the urgent need for a comprehensive reassessment of application security protocols.

Three malware variants, one result

The hackers deployed three distinct malware variants to execute their scheme. The first variant utilized an “automated subscription engine” to enroll victims in premium subscriptions without their awareness. The most advanced of the three variants was capable of reading the device’s SIM card to target hardcoded operators, such as Malaysia’s DiGi. To avoid detection, these applications displayed innocuous webpages to users not connected to specified carrier networks. However, for those on targeted billing networks, the malware employed a clever social engineering tactic, misleading users into believing they were merely authenticating a gaming account.

Once the deception was successful, the app abused Google’s SMS Retriever API to intercept one-time passwords and then executed JavaScript commands on hidden web pages to subscribe users to premium content through the carrier’s billing portal. The second variant specifically targeted users in Thailand, using premium SMS messages to subscribe them to costly services. This variant also employed a multi-stage system designed to remain undetected, presenting users with seemingly legitimate webpages while secretly loading hidden WebViews in the background to access additional carrier billing portals.

According to Zimperium, the attackers behind this variant also implemented an “advanced cookie-stealing technique” to maintain authenticated sessions with the carrier’s billing system. The third version of the malware combined the SMS fraud capabilities of its predecessors with real-time notifications to attackers via Telegram, providing them with immediate visibility into successful infections. This integration highlights the sophistication of the attacks, enabling scammers to monitor their success metrics and refine their operations.

A targeted scheme with wide-ranging implications

The malware campaign exhibited a highly targeted approach, with over half of the victims identified as users of Malaysian SIM cards. Users in Thailand and Romania accounted for approximately 15% of the attacks, while Croatia represented about 1% of the operation’s activities. Within these four countries, the malware targeted at least ten different carriers, including DiGi, Maxis, Celcom, U Mobile, Telekom, AIS, Orange, Vodafone, TrueMove H, and dtac TriNet. Although the campaign was first detected in March 2025, its activities peaked in September 2025. Alarmingly, despite the campaign’s last known activity in January, Zimperium’s report indicates that “portions of the infrastructure remain operational.”

These attacks serve as a stark reminder of the broader challenges facing the cybersecurity landscape. The manipulation of legitimate app features, such as Google’s SMS Retriever and Android’s CookieManager API, reveals significant security gaps that need to be addressed. AI research engineer Vineeta Sangaraju remarked that “these are not obscure attack surfaces; they are documented, widely used platform features, and the controls governing their use have not kept pace with their abuse potential.” The campaign also illustrates the difficulties inherent in policing app downloads, especially when users resort to third-party marketplaces.

Given that infected applications and browser extensions keep surfacing even in legitimate stores, the persistence of these issues calls for a reimagining of marketplace security strategies. In April 2026, for example, cybersecurity researchers at Socket discovered over 100 Google Chrome extensions that exfiltrated user browsing data. While users must remain vigilant when downloading new applications, the ongoing nature of these threats emphasizes the need for companies to enhance their security frameworks significantly.
