Android Malware Campaign Targets Users with Fake Apps
2026-05-20 15:30 | LOW

Executive Summary (AI-generated)
A sophisticated Android malware campaign has been uncovered, using nearly 250 fake apps to sign victims up to premium services on their mobile bills. The campaign, dubbed Premium Deception by Zimperium's zLabs research team, targeted users in Malaysia, Thailand, Romania and Croatia, with hardcoded operator targeting for specific regions. The fake apps impersonate widely recognized brands such as Facebook Messenger, Instagram Threads, TikTok, Minecraft and Grand Theft Auto. A well-organized commercial operation was also detected, pointing to a large-scale infrastructure spanning multiple domains including modobomz[.]com and mwmze[.]com. This campaign highlights the importance of vigilance in mobile security and the need for users to be cautious when sideloading Android apps from third-party stores.
Technical Mitigations (AI-generated)
• Avoid sideloading Android apps from third-party stores.
• Audit installed apps against trusted brand names.
• Review recent mobile bills for unexplained subscription charges.
Technical Observables

Intelligence Metadata
• Actors / Malware / CVEs / Campaigns: Campaign Used Hundreds
• Target & Sectors: ASEAN
Incident Timeline

March 2025: Zimperium's zLabs research team analyzed an Android malware campaign that ran from March 2025 to mid-January 2026.
According to new analysis from Zimperium's zLabs research team, the operation, dubbed Premium Deception by the mobile security company, ran from March 2025 to mid-January 2026.
mid-January 2026: Zimperium's zLabs research team identified the Premium Deception Android malware campaign.
January 2026: The threat actors used modobomz[.]com to target users by impersonating widely recognized brands such as Facebook Messenger, Instagram Threads, TikTok and DiGi.
The fake apps impersonate widely recognized brands, including Facebook Messenger, Instagram Threads, TikTok, Minecraft and Grand Theft Auto. After reading the device's SIM operator code and matching it against a hardcoded list, the malware disables Wi-Fi to force traffic onto the cellular network, loads DiGi's official billing portal in a hidden WebView and runs JavaScript to click the "Request TAC" button, fill in the intercepted one-time password (OTP) and confirm the subscription. The OTP is then harvested through abuse of Google's SMS Retriever API, a legitimate Android feature designed to read confirmation codes automatically without prompting the user.

Built For Optimization

The campaign infrastructure points to a well-organized commercial operation. zLabs identified at least 12 premium SMS short codes being abused across the four targeted countries, alongside C2 infrastructure spanning the modobomz[.]com and mwmze[.]com domains.

To defend against this and similar threats, users should avoid sideloading Android apps from third-party stores, audit installed apps against trusted brand names and review recent mobile bills for unexplained subscription charges.
2026-05-20: Nearly 250 fake Android apps were installed on mobile devices and signed victims up to premium services.
A 10-month Android malware campaign has used nearly 250 fake apps to sign victims up to premium services on their mobile bills, with hardcoded operator targeting for users in Malaysia, Thailand, Romania and Croatia. (Source: Android Malware Campaign Used Hundreds of Fake Apps to Silently Charge Users.)
Tactical Metrics

• Affected Product: Android (infrastructure)
Intelligence Sources

• Infosecurity-Magazine, 2026-05-20: Android Malware Campaign Used Hundreds of Fake Apps to Silently Charge Users
Incident Version History

Current version last updated: 2026-06-29T06:35
Comprehensive Tactical Telemetry

Highly Correlated Entities
• TikTok (organisation, identified entity): 10x
• Malaysia (target country): 4x
• 10-month (temporal reference): 3x
• T1588.001 - Malware (MITRE ATT&CK technique): 3x

Contextual Telemetry (5 metrics)
• Affected Product: Android (software)
• Fake Apps: 250
• Cyber Operation Type: Impersonate (tactic)
• Campaign: Campaign Used Hundreds (operation)
• Premium SMS short codes: 12