According to new analysis from Zimperium's zLabs research team, an Android malware campaign used hundreds of fake apps to silently sign users up to premium services on their mobile bills, with hardcoded operator targeting for Malaysia, Thailand, Romania and Croatia.
The operation, dubbed Premium Deception by the mobile security company, ran from March 2025 to mid-January 2026, and involved nearly 250 fake apps impersonating brands such as Facebook Messenger, Instagram Threads, TikTok, Minecraft and Grand Theft Auto. zLabs identified three malware variants of escalating sophistication, the most advanced targeting Malaysian DiGi subscribers by automating the entire subscription workflow end to end, including reading the SIM operator code, disabling Wi‑Fi, loading DiGi's official billing portal in a hidden WebView and using JavaScript to harvest an OTP via Google's SMS Retriever API.
A second variant targeted Thai users with a multi-stage attack that fetched dynamic subscription targets from a C2 server and harvested session cookies, while a third added real-time Telegram reporting for attackers.
The campaign abused at least 12 premium SMS short codes across four countries, and researchers note the infrastructure spanned domains such as modobomz[.]com and mwmze[.]com.
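For app vetting, the behaviour chain described for the DiGi-targeting variant can be checked statically. The sketch below is an added example, not Zimperium's detection logic: it flags decompiled smali that contains every stage of that chain or references one of the reported domains. The stage-to-API mapping, verdict names and sample inputs are assumptions constructed for illustration.

```python
import re

# Behaviour stages the article attributes to the DiGi-targeting variant, mapped
# to smali references that would implement them (mapping is an assumption).
STAGES = {
    "reads_sim_operator": ("Landroid/telephony/TelephonyManager;->getSimOperator(",),
    "disables_wifi": ("Landroid/net/wifi/WifiManager;->setWifiEnabled(",),
    "scripts_webview": ("Landroid/webkit/WebView;->evaluateJavascript(",
                        "Landroid/webkit/WebView;->addJavascriptInterface("),
    "sms_retriever_otp": ("Lcom/google/android/gms/auth/api/phone/SmsRetriever",),
}
# Domains exactly as published (defanged) in the article.
REPORTED_DOMAINS = ("modobomz[.]com", "mwmze[.]com")


def triage(smali_text):
    """Return (verdict, matched_stages, matched_domains) for one app's smali."""
    stages = sorted(s for s, refs in STAGES.items()
                    if any(ref in smali_text for ref in refs))
    lowered = smali_text.lower()
    domains = []
    for defanged in REPORTED_DOMAINS:
        host = re.escape(defanged.replace("[.]", "."))
        # Match the host or a subdomain of it, not a longer look-alike name.
        if re.search(r"(?<![a-z0-9-])" + host + r"(?![a-z0-9.-])", lowered):
            domains.append(defanged)
    if domains:
        verdict = "reported-infrastructure"
    elif len(stages) == len(STAGES):
        verdict = "full-chain"
    else:
        verdict = "partial"  # individual stages are common in legitimate apps
    return verdict, stages, domains


# Constructed samples, not taken from any real app.
BENIGN = """
invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSimOperator()Ljava/lang/String;
invoke-static {p0}, Lcom/google/android/gms/auth/api/phone/SmsRetriever;->getClient(Landroid/content/Context;)Lcom/google/android/gms/auth/api/phone/SmsRetrieverClient;
"""
SUSPECT = BENIGN + """
invoke-virtual {v1, v2}, Landroid/net/wifi/WifiManager;->setWifiEnabled(Z)Z
invoke-virtual {v3, v4, v5}, Landroid/webkit/WebView;->evaluateJavascript(Ljava/lang/String;Landroid/webkit/ValueCallback;)V
"""
BEACON = 'const-string v0, "https://api.%s/x"' % REPORTED_DOMAINS[1].replace("[.]", ".")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT), ("beacon", BEACON)):
        print(name, triage(sample))
```

A "full-chain" verdict is a prompt for manual review, since each API on its own appears in legitimate carrier-billing and login flows.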