Android Malware ‘Premium Deception’ Auto-Subscribes Millions—Your Bill Is the Next Target

Listen to this Post

Featured Image
Introduction: A sophisticated Android malware campaign dubbed “Premium Deception” has silently operated from March 2025 to mid-January 2026, using nearly 250 fake apps to enroll victims in costly mobile subscriptions without any user awareness. The fraud exploits carrier billing systems, allowing attackers to generate revenue directly through victims’ phone bills by abusing legitimate Android components like WebView and Google’s SMS Retriever API. This campaign selectively targets mobile operators in Malaysia, Thailand, Romania, and Croatia, employing advanced evasion techniques to avoid detection on non-targeted devices.

Learning Objectives:

  • Identify and analyze the three malware variants of the Premium Deception campaign, including their SIM-based targeting, automated subscription workflows, and evasion mechanisms
  • Master Android malware detection techniques using ADB logcat, permission auditing, and behavioral analysis of hidden WebView activities
  • Implement practical mitigation strategies, including OSINT investigation of malicious domains, SMS permission restrictions, and enterprise mobile threat defense configurations

You Should Know:

1. Dissecting the Automated Subscription Engine

The most sophisticated variant initiates by reading the device’s SIM card data to match against a hardcoded list of targeted mobile operators across Malaysia, including DiGi, Celcom, Maxis, and U Mobile. Upon a successful match, the malware proceeds to execute its fraud workflow. A striking case involves DiGi subscribers, where the malware disables Wi-Fi to force traffic onto the cellular network, loads DiGi’s official billing portal in a hidden WebView, and runs JavaScript to automatically click the “Request TAC” button, fill in the intercepted OTP, and confirm the subscription. The One-Time Password is harvested through abuse of Google’s SMS Retriever API, a legitimate feature that normally simplifies OTP reading for apps.

Step‑by‑Step Android Security Auditing Guide

To detect such hidden subscription activities, security analysts can use the following commands on a non-rooted test Android device:

  1. Enable USB Debugging and Monitor Logcat for Suspicious WebView Activity:
    Connect device via USB and run logcat with WebView filtering
    adb logcat | grep -i "webview|javascript|billing"
    
    For more targeted monitoring of overlay and hidden window creation
    adb logcat | grep -i "WindowManager|addView|SYSTEM_ALERT_WINDOW|overlay"
    

2. Audit Installed Apps for Unnecessary SMS Permissions:

 List all packages with SMS permission
adb shell pm list permissions -g | grep -B5 -A10 "android.permission.READ_SMS"

3. Check Running Processes for Suspicious Background Services:

adb shell ps | grep -v "system|com.google|com.android"

4. Simulate Malware Detection using MobSF:

Static analysis can be performed using the Mobile Security Framework (MobSF) to identify embedded C2 domains such as apkafa[.]com, modobomz[.]com, and `mwmze[.]com` within application APKs. This approach allows analysts to uncover hidden WebView URLs and JavaScript injection logic without executing the malware.

2. Command-and-Control Dynamics and Evasion Tactics

The second variant targets Thai users with a multi-stage attack structure that fetches dynamic subscription targets from a C2 server, scheduled delayed SMS transmissions at 60 and 90-second intervals to defeat automated fraud detection, and harvested session cookies from hidden carrier billing pages using Android’s CookieManager. This variant’s capability to dynamically change subscription instructions without pushing a new app version demonstrates a high level of operational agility. The third variant introduces real-time Telegram reporting, where each infection, permission grant, or premium SMS transmission triggers an instant message to a private attacker-controlled channel containing device ID, carrier name, and action details.

When deployed on a device whose SIM operator falls outside the target list, the malware silently displays a benign webview of `apkafa.com` to avoid suspicion, a behavior mapped to MITRE ATT&CK technique T1628.001. This fallback mechanism allows the malware to remain persistent without raising alerts, increasing its chances of staying installed for extended periods.

Step‑by‑Step C2 Investigation and Threat Hunting

To investigate and block C2 infrastructure associated with this campaign:

1. DNS and Domain Analysis for Hunting:

 Query domain reputation using VirusTotal API
curl --request GET --url "https://www.virustotal.com/api/v3/domains/apkafa.com" --header "x-apikey: YOUR_API_KEY"

Extract all domains from a suspicious APK
strings suspicious.apk | grep -E "(http|https)://[a-zA-Z0-9./?=_-]" | sort -u

2. Static Analysis of Network Communication Patterns:

 Analyze the APK's network traffic using a proxy tool like Burp Suite or mitmproxy
mitmproxy --listen-port 8080
 Configure Android device to use proxy and set up mitmdump to record traffic
mitmdump -w traffic.log

3. Real-time Network Monitoring for IoCs:

 Monitor DNS queries for malicious domains
adb shell dumpsys connectivity | grep -E "modobomz.com|mwmze.com|apkafa.com"

Block these domains at the network perimeter using firewall rules or DNS sinkholing to prevent communication with attacker-controlled infrastructure.

4. Reverse Engineering Malicious JavaScript Injection:

 Extract classes.dex from APK and convert to JAR
d2j-dex2jar.sh suspicious.apk -o output.jar
 Use JD-GUI to browse decompiled code and search for "WebView","addJavascriptInterface","loadUrl"

This analysis reveals how the malware injects JavaScript into carrier billing portals to automate subscriptions.

3. Exploitation of Legitimate Android Components

The campaign’s effectiveness stems from its abuse of legitimate Android features rather than exploiting unknown vulnerabilities. By deeply misusing WebView, SMS Retriever API, accessibility services, and network management controls, the malware bypasses traditional antivirus engines, app store reviews, and static feature detection. This technique underscores a growing trend where attackers weaponize standard functionality to achieve malicious goals without triggering security alerts.

Step‑by‑Step Hardening Guide to Mitigate Abuse

  1. Restrict SMS Permissions and Disable SMS Retriever API Abuse:
    Disable automatic SMS verification for sensitive apps where possible
    adb shell settings put global sms_auto_verification 0
    
    Audit which apps have READ_SMS and SEND_SMS permissions
    adb shell dumpsys package permissions | grep -E "READ_SMS|SEND_SMS" -B10
    

2. Configure Android Enterprise Restrictions for Managed Devices:

Work profiles should be configured with policies that block installation from unknown sources, disable USB debugging in production environments, and restrict background WebView execution using Managed Google Play.

3. Deploy Mobile Threat Defense (MTD) Solutions:

Enterprises should implement MTD platforms that monitor for the IoCs identified in this campaign, including:
– Detection of apps using hidden WebView components
– Monitoring for SMS Retriever API abuse patterns
– Behavioral blocking of automated billing portal interactions

4. Educate Users on App Vetting Practices:

Users must verify app legitimacy by checking developer details, review counts, and requested permissions before installation. Any app requesting SMS or notification access should be treated with extreme skepticism.

4. Referrer Tracking and Commercial Optimization

The campaign incorporates a sophisticated HTTP referrer header in the format {FakeAppName}-{Country}-{Platform}-{OperatorCode}, enabling attackers to measure which fake personas and distribution channels drive the most successful infections. This level of tracking suggests a well-organized commercial operation that treats malware distribution as a revenue-generating business, optimizing campaigns based on performance metrics.

Step‑by‑Step OSINT Investigation of Distribution Networks

1. Investigate Distribution Channels:

 Search for malicious APKs on Telegram using known hashes
 Use OSINT tools like Telegago to search for channels distributing modded apps
 Monitor social media for fake giveaway campaigns promoting "cracked" versions of premium apps

2. Extract and Analyze Referrer Headers:

 Intercept HTTP traffic to capture referrer headers used in the malware
tcpdump -i eth0 -s 0 -w malware_traffic.pcap
 Use Wireshark to filter for HTTP referrer fields containing the pattern
http.referer contains "Facebook" or http.referer contains "TikTok"

3. Create YARA Rules for Detection:

rule PremiumDeception_ReferrerTracker {
strings:
$ref1 = /.-(MY|TH|RO|HR)-./ wide ascii
$ref2 = "referrer" wide ascii
condition:
any of them
}

What Undercode Say:

  • The “Premium Deception” campaign represents a paradigm shift in Android malware, weaponizing standard components like WebView and the SMS Retriever API to achieve financial fraud without exploiting vulnerabilities. This approach makes detection difficult because the malicious behavior blends with legitimate app functionality.
  • The commercial-grade tracking infrastructure and dynamic C2 updates indicate a mature cybercriminal operation that optimizes campaigns based on real-time metrics. Enterprises should update their mobile security strategies to focus on behavioral monitoring and permission auditing rather than relying solely on signature-based detection.

Prediction:

This campaign’s success will likely inspire a new wave of Android malware that exploits legitimate APIs for financial gain, particularly in developing markets where carrier billing is prevalent. Attackers will increasingly adopt geofencing and carrier-specific targeting to maximize ROI while minimizing detection. Future variants may integrate AI-driven dynamic subscription selection and enhanced evasion techniques such as time-based activation delays and encrypted C2 communications. Mobile security vendors will need to develop heuristic models that can identify abuse patterns in WebView and SMS API usage rather than relying on static IoCs. Organizations should prioritize deploying mobile threat defense solutions capable of behavioral analysis to stay ahead of these sophisticated fraud campaigns.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Mayura Kathiresh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky