Is your phone bill higher? 200+ Android apps might secretly be stealing money from you

Some malicious apps try to steal your credit card data, while others plant viruses and backdoors on your device, but there's a new scam that's much more cunning.

Fake Android apps steal money through carrier billing | Image by PhoneArena
Some malicious apps try to steal your credit card data, while others plant viruses and backdoors on your device, but there's a new scam that's much more cunning, BGR reports. This malware silently bloats your phone bill and steals money through your carrier.

Fake popular apps steal money through subscriptions

The scam was uncovered by the cybersecurity company Zimperium. It's a large-scale operation that used more than 200 (nearly 250, actually) fake Android apps to impersonate popular software you're all familiar with, such as TikTok, Minecraft, Grand Theft Auto, Instagram Threads, and Facebook Messenger.

Once these fake apps trick you into installing them, they silently start charging money to your carrier bill. It's a clever trick that uses automated subscription engines to "subscribe" you to fake premium services.

How the scam actually works

The scheme might seem simple, but it uses advanced techniques such as JavaScript injection, one-time password (OTP) interception, and WebView automation to read your SIM card, detect your carrier, avoid detection, and automatically sign you up for fraudulent subscriptions.

The attack was a three-fold endeavor. The first part used an "automated subscription engine" to enroll victims in premium subscriptions without their knowledge. The second part, and also the most advanced, somehow got access to the device's SIM card and checked whether the target phone used a carrier the scam could bill.

The third part was the one that masked the whole thing. If the carrier didn't support premium subscriptions, the scam showed an innocuous web page. If it did, a clever social engineering page tricked people into thinking they were confirming a gaming account.

A little consolation for global users is that the scam was found in Romania, Malaysia, Thailand, and Croatia, and it appears to be limited to those regions.

Zimperium detected the scam more than a year ago, back in March 2025, and there's a GitHub repository where you can check for specific indicators that can tell you whether your device is compromised.

The scam specifically targeted Malaysia

Of the aforementioned regions, Malaysia accounts for 85% of all victims of this scam, as the hackers specifically targeted one Malaysian phone carrier, DiGi.

Users in Thailand and Romania accounted for roughly 15% of the scam's victims, while only 1% of affected Android users were in Croatia.

More than 10 carriers were targeted by the scam, including DiGi, Maxis, Celcom, U Mobile, Telekom, AIS, Orange, Vodafone, TrueMove H, and dtac TriNet.

These 200+ apps are not on the Play Store, according to Google

Another piece of positive news is that Google says none of these almost 250 apps are on the Play Store. The company issued an official statement reading: "Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services."

Zimperium stresses that this attack points to a much bigger security problem, and that steps must be taken to patch the underlying vulnerabilities, even though the fake apps themselves can't be found on the Play Store.

The scam remains active to this day

The scam's activity peaked back in September 2025, but the worrying fact is that, according to Zimperium, parts of the infrastructure remain operational to this day. The last activity was spotted in January 2026, but this dormant infrastructure could be reactivated at any moment.

As always, the best practices of online cybersecurity apply here as well. Don't visit suspicious web pages. Don't download apps, games, or software in general from shady sources outside the official app stores, and carefully read any pop-up page that asks you to enter passwords or other sensitive data. Stay safe out there!