Over 200 fake Android apps are secretly ripping off users.
A large-scale malware campaign is targeting Android users with hundreds of fake apps mimicking popular games and social networks, silently subscribing to paid services to steal money through their mobile phone bills.
Cybersecurity experts at the US-based cybersecurity company Zimperium have just discovered a sophisticated fraud campaign using nearly 250 malicious Android applications to trick users into signing up for paid services without their knowledge.
These apps are disguised as popular games and social media platforms such as TikTok, Minecraft, Grand Theft Auto, Threads, or Facebook Messenger.
Once installed, these apps secretly register victims for premium content services, causing users to be charged directly through their phone bills or mobile network accounts.

According to Zimperium, this campaign was tracked from March 2025 to at least January 2026 and was particularly active in Malaysia, Romania, Thailand, and Croatia.
The malware only activates with the targeted network provider.
The dangerous aspect of the campaign lies in its ability to select targets with extreme precision. The malware reads the SIM card information on the device to determine the victim's carrier before launching the attack.
If the user is not part of the targeted carrier group, the app will only display harmless websites to avoid detection. But if the device uses the correct carrier that was pre-programmed, the malware will trigger the phishing process.
In many cases, the fake app asks users to “verify game account” or “verify service,” thereby stealing the OTP code sent via SMS.
To carry out this act, hackers exploited Android's SMS collection API to intercept one-time passwords before automatically sending JavaScript commands to carrier payment gateways.
Three malware variants with sophisticated operating mechanisms.
According to researchers, the campaign used three different malware variants, all sharing the same goal: to steal money through the mobile network's payment services.
The first variant focused on automatically subscribing to paid service packages. This was also the most sophisticated version, capable of reading SIM cards and only activating on carriers with pre-encrypted codes.
The second variant primarily targets users in Thailand via premium SMS. The malware uses a multi-layered mechanism to avoid detection, where the application displays a legitimate interface on the front but secretly opens hidden WebViews to access payment gateways.
Additionally, the attackers used cookie-stealing techniques to maintain login sessions with the network provider's payment system.
Meanwhile, the third variant combines SMS phishing with a real-time notification system via Telegram, allowing hackers to directly monitor successfully infected devices and optimize their attack operations.
Google has spoken out, but experts remain concerned.
According to Dark Reading, Google claims that the aforementioned malicious applications do not appear on the Google Play store.
Google also stated that the Google Play Protect feature, enabled by default on Android devices, can automatically protect users against known malware variants.
However, many experts believe the incident highlights the growing vulnerabilities in the Android app ecosystem, especially as hackers continuously exploit legitimate features for their own attack purposes.
Security experts believe these are not hard-to-detect vulnerabilities, but rather common platform features that are not yet sufficiently regulated to prevent abuse.
What can Android users do to protect themselves?
Experts advise users to only download applications from trusted sources and avoid installing APK files from third parties or links of unknown origin.
Additionally, users should regularly check their phone bills, review any unusual subscriptions, and enable protective features such as Google Play Protect.
In the context of increasingly sophisticated malware campaigns, experts suggest that technology companies need to change their approach to application security instead of relying solely on traditional censorship mechanisms.