Zimperium zLabs has reported a global Android carrier-billing fraud campaign in which fake apps silently subscribed users to premium services. For Adware Guru readers, the practical issue is simple: a fake Android app can turn a normal-looking installation into unexpected SMS or phone-bill charges.
The campaign is different from a browser pop-up or notification scam, but the cleanup mindset is similar. If charges appeared after installing a game helper, social app clone, downloader, or utility, check the phone first, then check browser permissions only if pop-ups and redirects are also visible.
What Zimperium Found
Zimperium published the research on May 20, 2026 under the name “Premium Deception.” The company said the campaign used almost 250 malicious Android apps and targeted users in Malaysia, Thailand, Romania, and Croatia. The fake apps impersonated well-known brands and games, including Facebook Messenger, Instagram Threads, TikTok, Minecraft, Grand Theft Auto, and other popular apps.
The apps did not behave the same way on every phone. They checked SIM and mobile-operator information first. If the carrier was not on the target list, the app could show harmless content to avoid suspicion. Zimperium listed targeted Malaysian operators including DiGi, Celcom, Maxis, and U Mobile, and said parts of the infrastructure remained operational as of publication.
How the Billing Fraud Worked
The campaign used several variants, but the goal was consistent: enroll the victim in a paid carrier-billed or premium SMS service without clear consent.
In one variant, the app loaded hidden WebViews and used JavaScript to interact with carrier billing pages. It could request a one-time code, fill in the intercepted code, and confirm the subscription. Zimperium said the malware abused Google’s SMS Retriever API, a legitimate Android feature meant to help apps read their own verification codes, to capture carrier billing OTPs without making the real purpose obvious to the user.
In another path, the malware sent premium SMS messages directly. Zimperium listed examples such as +33293 with the keyword ON HITZ, +32133 with ON GAM1, 32128 with ON A3, and 866866 with GYGO. For Romanian targets, the report listed short codes including +1280, 4541545, +4541341, +4541753, +4541370, +4541587, +4541162, +4541352, and +4541544 with keywords such as MOGA, DA, CYGA, OK, FUVI, BM, GET, CC, VGF, HIH, and RTH.
The operation also used Telegram reporting and command-and-control infrastructure to track successful installs and subscriptions. Zimperium named domains including apizep.mwmze[.]com, modobomz[.]com, api.modobomco[.]com, onesignalmdb.modobomz[.]com, and onesignal.mwmze[.]com.
What Users May Notice
The most important warning sign may not be a scary pop-up. Users may notice a small recurring charge, premium SMS line items, unknown short-code messages, or a mobile subscription they did not intentionally approve. Some victims may also remember installing an APK or app promoted through a social post, search result, ad, or message shortly before the charges started.
On the phone itself, check for recently installed apps that imitate popular services, games, launchers, media tools, PDF readers, cleaners, or download helpers. Also review SMS permissions. A game or wallpaper app usually should not need broad SMS access, notification access, or unusual background behavior.
What to Do Now
Start with the mobile bill. Look for premium SMS, short-code, or third-party subscription charges. If you find one, contact the mobile carrier and ask whether premium SMS or carrier billing can be blocked on the account. In many cases, carrier-side blocking is the fastest way to prevent repeat charges.
Next, open Android Settings, then Apps, and review recently installed apps. Remove anything you do not recognize or anything installed outside the normal Google Play flow. Then open the Google Play Store, run Play Protect, and review app permissions under Android’s privacy or permission manager.
If the visible symptom is still browser pop-ups, fake alerts, or redirects, the issue may be separate from the billing-fraud app. Adware Guru’s Pop-up Ads and Browser Notifications Removal Guides can help separate browser notification permissions from installed-app problems. The What Is a PUP? guide is also useful when an app was technically installed by the user but behaves in an unwanted or misleading way.
Do Not Overreact to Carrier Billing Itself
Carrier billing and SMS verification are legitimate systems. The problem in this campaign is not that a carrier billing page exists or that Android supports verification-code workflows. The abuse happens when a fake app hides the billing flow, intercepts codes, sends premium SMS messages, or misleads the user about what is being approved.
This is the same distinction Adware Guru applies to browser permissions and advertising systems: the technology can be legitimate, but a deceptive app or ad flow can turn it into a user-facing scam. A related example is the fake CAPTCHA SMS scam, where a web page tried to make phones send costly international texts. Adware Guru also recently covered Trapdoor Android fake update ad fraud, another case where ordinary-looking Android apps were used for hidden monetization.
Quick Takeaway
If a phone bill suddenly includes premium SMS or third-party subscription charges, do not stop at clearing browser history. Check recent Android apps, SMS permissions, Play Protect, and carrier billing settings. Ask the carrier to block premium SMS or third-party billing if you do not use those services.
References
- Zimperium zLabs: Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign
- Zimperium IOC repository for the May 2026 carrier billing fraud campaign
Premium SMS charges can also appear after browser-based reward funnels. A newer SniperDz report shows how fake mobile-data offers combine notification abuse with premium SMS and call monetization.
