Security researchers recently discovered a large-scale mobile cyberattack targeting smartphone users globally. Specifically, an Android carrier billing fraud campaign has compromised thousands of devices across several regions. According to the mobile security firm zLabs, the operation uses malicious applications to steal money from victims. Consequently, users face unauthorized charges on their monthly phone bills without their knowledge.
Deceptive Applications and Reach
The threat actors utilize a large distribution network to maximize their operational reach. According to the official report, “zLabs has identified a sophisticated Android malware campaign conducting carrier billing fraud through premium SMS abuse across Malaysia, Thailand, Romania, and Croatia.” To achieve this, the hackers designed almost 250 malicious applications. These fake programs selectively target users based on their specific mobile operators. For example, the campaign creates realistic duplicates of popular software like Facebook Messenger, TikTok, and Minecraft. Therefore, unsuspecting victims download the utilities thinking they are legitimate apps.
The Three Sophisticated Malware Variants
Researchers identified three distinct versions of the threat during their deep technical analysis. Each variant handles mobile exploitation with different levels of technical complexity. To begin with, the first type utilizes an automated subscription engine to bypass user authentication.
Variant One: Automated Subscription Engine
The report notes that “This variant represents the most sophisticated approach, combining multiple deception techniques to complete premium service subscriptions entirely without user knowledge.” First, it reads the local SIM card data to verify the cellular network. If it detects a target operator, the fraud workflow begins immediately. Furthermore, the program abuses the native SMS Retriever API to intercept one-time validation codes. It then injects malicious JavaScript into hidden background portals to execute automated clicks.
Variant Two: Cookie Theft and Browser Hijacking
Meanwhile, the second variant focuses heavily on browser manipulation and security bypasses. This package specifically targets mobile users in Thailand through delayed text messaging patterns. Additionally, it intercepts browser sessions to capture active session cookies. Crucially, “The malware extracts these cookies using Android’s Cookie Manager API and can use them to maintain authenticated sessions with the carrier’s billing system.” As a result, the attackers can sustain unauthorized access over long periods.
Variant Three: Telegram Bot Integration
Finally, the third variant implements a real-time tracking architecture for operational optimization. It connects compromised devices directly to a private Telegram channel controlled by the threat actors. Therefore, the hackers receive instant data logs whenever a new infection succeeds. These exfiltrated records contain precise device metadata, timestamps, and operator codes. Thus, the command structure can evaluate which distribution campaigns generate the highest financial returns.
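As an added static-triage sketch (not code from zLabs or the report) covering the three variants described above, the script below maps the behaviours attributed to each variant onto indicator groups an analyst might look for in an APK's manifest and decompiled strings. The Android and Play Services identifiers are real, but the grouping, the variant patterns, and the constructed sample manifest and string set are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicator groups for the behaviours the article attributes to each variant. The
# identifiers are real Android/Play Services names; grouping them is an analyst assumption.
INDICATORS = {
    "sim_operator_check": {"android.permission.READ_PHONE_STATE", "getSimOperator"},
    "otp_interception": {"SmsRetriever", "android.permission.RECEIVE_SMS"},
    "premium_sms": {"android.permission.SEND_SMS", "sendTextMessage"},
    "hidden_webview_js": {"evaluateJavascript", "setJavaScriptEnabled"},
    "cookie_theft": {"CookieManager", "getCookie"},
    "telegram_beacon": {"api.telegram.org"},
}

# Indicator combinations that resemble each variant described in the article.
VARIANT_PATTERNS = {
    "variant1_auto_subscription": {"sim_operator_check", "otp_interception", "hidden_webview_js"},
    "variant2_cookie_hijack": {"cookie_theft", "hidden_webview_js"},
    "variant3_telegram_bot": {"telegram_beacon"},
}


def manifest_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name of every <uses-permission> element in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")
            if p.get(ANDROID_NS + "name")}


def triage(manifest_xml: str, code_strings: set[str]) -> dict:
    """Score an APK from its manifest plus strings pulled from decompiled code."""
    observed = manifest_permissions(manifest_xml) | set(code_strings)
    hits = {name for name, needles in INDICATORS.items()
            if any(n in s for n in needles for s in observed)}
    matched = sorted(v for v, required in VARIANT_PATTERNS.items() if required <= hits)
    # Premium SMS capability combined with a variant-like pattern is what warrants escalation.
    return {"indicators": sorted(hits), "variants": matched,
            "escalate": "premium_sms" in hits and bool(matched)}


# Constructed sample input (made up for this example): a manifest and smali-style references.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""
SAMPLE_STRINGS = {
    "Landroid/telephony/TelephonyManager;->getSimOperator()Ljava/lang/String;",
    "Lcom/google/android/gms/auth/api/phone/SmsRetriever;->getClient",
    "Landroid/webkit/WebView;->evaluateJavascript",
}
```

Running `triage(SAMPLE_MANIFEST, SAMPLE_STRINGS)` flags the sample as variant-one-like and marks it for escalation, while an app with no premium SMS capability never escalates even if it embeds a WebView.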
Infrastructure and Mitigation
The malicious infrastructure remains partially live and poses an active threat to global mobile security. To execute this Android carrier billing fraud, the group operates a distributed network of primary command domains. For instance, domains like modobomz.com manage advanced campaign analytics and referrer tracking data. To protect mobile devices, administrators recommend inspecting monthly statements for anomalous billing activities. Furthermore, users should strictly avoid downloading applications from unverified third-party web portals.