Cybercriminals distribute Android apps that impersonate legitimate services to execute carrier billing fraud at scale. The fake applications exploit WebView automation and JavaScript injection techniques to subscribe victims to premium services without consent, then intercept one-time passwords to complete the fraudulent transactions.
The attack chain works like this. Victims download what appears to be a legitimate app from third-party stores or phishing links. Upon installation, the malware uses WebView, Android's embedded browser component, to automate interactions with carrier billing portals. JavaScript injection then manipulates the page content to bypass security controls and pre-fill subscription forms with attacker-controlled data.
When the carrier sends an OTP to confirm the purchase, the malware intercepts it through accessibility service abuse or notification access. This allows attackers to complete the subscription without user intervention. Victims discover unauthorized charges on their phone bills weeks later, after the premium subscriptions have already extracted money through multiple billing cycles.
Carrier billing fraud operates differently from credit card fraud. Phone bills integrate with user accounts and payment methods, making victims less likely to dispute charges immediately. Carriers often prioritize resolving disputes over preventing them, creating a profitable window for attackers.
The threat affects users across multiple regions. These campaigns often target users in developing markets where carrier billing represents the primary payment method for digital services. Device manufacturers and carriers have limited visibility into third-party app stores, where many of these fake applications reside.
Organizations should educate users to only download apps from official app stores like Google Play. Google Play Protect provides some detection, but malware authors continually evolve their techniques. Users should monitor phone bills for unexpected charges and disable accessibility services for untrusted applications. Device administrators should enforce app store policies across managed Android fleets and monitor for unusual carrier charges.
Carriers can implement stronger OTP verification flows, limit subscription modifications per account, and flag rapid subscription attempts. Technical
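The carrier-side check for rapid subscription attempts mentioned above can be sketched as a sliding-window detector; this is an added example, not code from the article or from any carrier. The event names, account identifiers, thresholds, and the "instant OTP" heuristic (a code confirmed faster than a person could read and type it, matching the automated interception described earlier) are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds, chosen for illustration only.
WINDOW = timedelta(minutes=10)   # look-back window for subscription attempts
MAX_ATTEMPTS = 3                 # attempts allowed per account inside WINDOW
MIN_OTP_SECONDS = 5              # faster confirmation suggests automation

# Constructed sample events: (ISO timestamp, account, event, service).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "acct-A", "subscribe_attempt", "svc-1"),
    ("2024-01-01T10:00:01", "acct-A", "otp_sent", "svc-1"),
    ("2024-01-01T10:00:03", "acct-A", "otp_confirmed", "svc-1"),
    ("2024-01-01T10:01:00", "acct-A", "subscribe_attempt", "svc-2"),
    ("2024-01-01T10:02:00", "acct-A", "subscribe_attempt", "svc-3"),
    ("2024-01-01T10:03:00", "acct-A", "subscribe_attempt", "svc-4"),
    ("2024-01-01T10:05:00", "acct-B", "subscribe_attempt", "svc-1"),
    ("2024-01-01T10:05:02", "acct-B", "otp_sent", "svc-1"),
    ("2024-01-01T10:05:45", "acct-B", "otp_confirmed", "svc-1"),
]

def flag_accounts(events):
    """Return {account: sorted list of reasons} for accounts worth reviewing."""
    attempts = defaultdict(deque)   # account -> attempt times inside WINDOW
    otp_sent = {}                   # (account, service) -> time the OTP went out
    flags = defaultdict(set)
    # Stable sort on the timestamp keeps input order for simultaneous events.
    for ts, account, event, service in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if event == "subscribe_attempt":
            q = attempts[account]
            q.append(t)
            while t - q[0] > WINDOW:      # drop attempts older than the window
                q.popleft()
            if len(q) > MAX_ATTEMPTS:
                flags[account].add("rapid_subscriptions")
        elif event == "otp_sent":
            otp_sent[(account, service)] = t
        elif event == "otp_confirmed":
            sent = otp_sent.pop((account, service), None)
            if sent is not None and (t - sent).total_seconds() < MIN_OTP_SECONDS:
                flags[account].add("instant_otp")
    return {account: sorted(reasons) for account, reasons in flags.items()}

if __name__ == "__main__":
    for account, reasons in flag_accounts(SAMPLE_EVENTS).items():
        print(account, reasons)
```

Flagged accounts are candidates for a hold or an out-of-band confirmation before the subscription is billed, not proof of fraud on their own.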
