Nearly 250 fake Android apps covertly subscribed users to paid services.
- Sunpot Corporation
About 250 malicious Android apps disguised as TikTok, Minecraft, GTA, Instagram Threads, and other popular services were used to secretly enroll users in paid subscriptions. The campaign was uncovered by cybersecurity company Zimperium.
The malware primarily targeted users in Malaysia, Thailand, Romania, and Croatia. After installation, the apps checked the victim’s SIM card and activated only for specific mobile carriers. The attackers used SMS code interception, hidden WebViews, JavaScript injections, and cookie theft to carry out the fraud.
Researchers identified three malware variants: one automatically subscribed victims to paid services, another relied on premium SMS scams, and a third added real-time Telegram notifications for attackers to monitor successful infections.
Google stated that all identified apps have been removed from Google Play and that Android devices are protected by Google Play Protect. However, security experts argue that the incident highlights serious weaknesses in app marketplace security, as attackers continue to abuse legitimate Android features to bypass defenses.
The campaign reached its peak in September 2025, and according to researchers, parts of its infrastructure remain active today.