Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign

zLabs uncovered a 10-month Android campaign that used nearly 250 malicious apps to conduct carrier billing fraud and premium SMS abuse across Malaysia, Thailand, Romania, and Croatia. The operation impersonated popular apps and brands, used WebView automation, OTP interception, and Telegram reporting, and remains partially active with several infrastructure domains still operational. #Facebook #Instagram #TikTok #Minecraft #GTA #Telegram #DiGi #Celcom #Maxis #U Mobile #TrueMove H #A1 #Telemach #Vodafone #Orange #Telekom

Keypoints

  • zLabs identified a sophisticated Android fraud campaign involving almost 250 malicious apps.
  • The campaign targeted users in Malaysia, Thailand, Romania, and Croatia based on mobile operator validation.
  • Victims were silently subscribed to premium services through carrier billing fraud and premium SMS abuse.
  • The malware impersonated popular apps and games such as Facebook, Instagram, TikTok, Minecraft, and GTA to lure installations.
  • Three malware variants were found, ranging from automated subscription workflows to cookie theft and real-time Telegram reporting.
  • The malware used WebView manipulation, JavaScript injection, SMS Retriever API abuse, delayed SMS sending, and WiFi disabling to improve success and evade detection.
  • Attackers relied on a distributed infrastructure of domains for command and control, tracking, analytics, and exfiltration.

MITRE Techniques

  • [T1476 ] Deliver Malicious App via Other Means – Malicious apps were distributed through social media and search engines while masquerading as legitimate software (‘Malicious applications distributed through social media platforms (Facebook, TikTok) and search engines (Google) masquerading as legitimate’).
  • [T1603 ] Scheduled Task/Job – The malware scheduled SMS fraud actions at delayed intervals to evade detection (‘It schedules delayed messages at 60 seconds and 90 seconds after the initial burst’).
  • [T1628.002 ] Hide Artifacts: User Evasion – On non-targeted operators, it displayed benign web content to avoid suspicion (‘When non-targeted operators are detected, displays legitimate content … to avoid suspicion’).
  • [T1422 ] System Network Configuration Discovery – It checked SIM operator codes to determine whether the device belonged to a targeted carrier (‘checks SIM operator codes … to identify mobile carrier and determine whether victim should be targeted’).
  • [T1426 ] System Information Discovery – It collected device metadata such as device ID, model, OS version, IP address, and user agent for tracking (‘Collects device metadata including device ID, model, operating system version, IP address, and user agent’).
  • [T1412 ] Capture SMS Messages – It used the Google SMS Retriever API to automatically capture OTP messages for billing confirmation (‘abuse of Google’s SMS Retriever API to intercept carrier billing confirmation codes’). The SMS Retriever API delivers to an app any incoming SMS that carries the app’s 11-character hash string and needs no RECEIVE_SMS permission, so this OTP capture leaves no SMS permission in the manifest for permission-based checks to catch; it also means the confirmation SMS itself must contain that hash.
  • [T1417 ] Input Capture – It captured HTML source from loaded webpages and carrier billing portals to monitor and optimize the attack (‘captures the HTML source of every page loaded in the background and sends it to the attackers’ server’).
  • [T1437.001 ] Application Layer Protocol: Web Protocols – It communicated with C2 infrastructure over HTTPS to fetch targets and send reports (‘Communicates with C2 servers via HTTPS to fetch dynamic subscription targets’).
  • [T1646 ] Exfiltration Over C2 Channel – It exfiltrated metadata, HTML source, subscription status, and tracking data to attacker servers (‘Exfiltrates device metadata, HTML source code, subscription status, and tracking data’).
  • [T1643 ] Generate Traffic from Victim (carrier billing fraud) – The malware subscribed victims to premium services without consent using WebView manipulation, JavaScript injection, OTP interception, and direct SMS sending (‘Subscribes victims to premium SMS services without consent’).
  • [T1582 ] SMS Control – It sent unauthorized premium SMS messages, disabled WiFi to force cellular connectivity, and scheduled delayed messages (‘Sends unauthorized premium SMS messages to short codes’).
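The behaviours in the technique list above (premium SMS sending, SMS Retriever OTP capture, Wi-Fi disabling, WebView JavaScript bridges, Telegram reporting, delayed sends) each leave a footprint in an unpacked APK's manifest or decompiled strings. The Python heuristic below is an added triage example written for this page, not zLabs tooling and not derived from the actual samples: the permission list, string markers, weights and threshold are this example's assumptions, and the two manifests and string dumps are constructed. Because the SMS Retriever path needs no SMS permission, the string scan carries weight on its own rather than relying on the manifest.

```python
"""Static triage heuristic for carrier-billing-fraud Android apps (added example)."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions behind the described behaviours. Weights are this example's assumption.
PERMISSION_WEIGHTS = {
    "android.permission.SEND_SMS": 3,           # premium SMS to short codes (T1582)
    "android.permission.RECEIVE_SMS": 2,        # classic OTP capture (T1412)
    "android.permission.READ_PHONE_STATE": 1,   # SIM operator lookup (T1422)
    "android.permission.CHANGE_WIFI_STATE": 2,  # disable Wi-Fi to force carrier billing
}

# Markers as they typically surface in decompiled DEX/resource strings (assumed forms).
STRING_MARKERS = {
    "sms_retriever": (re.compile(r"SmsRetriever|SMS_RETRIEVED_ACTION"), 3),  # no RECEIVE_SMS needed
    "telegram_bot": (re.compile(r"api\.telegram\.org/bot"), 3),             # Bot API reporting
    "wifi_toggle": (re.compile(r"setWifiEnabled"), 2),
    "js_bridge": (re.compile(r"addJavascriptInterface|evaluateJavascript"), 1),
    "delayed_send": (re.compile(r"postDelayed|ScheduledExecutorService"), 1),
}

LIKELY_FRAUD = 6  # threshold is an assumption; tune against your own corpus


def parse_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name="..."> values."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def triage(manifest_xml: str, strings: str) -> dict:
    """Score one unpacked APK from its manifest and its recovered strings."""
    hits, score = [], 0
    for perm in sorted(parse_permissions(manifest_xml) & set(PERMISSION_WEIGHTS)):
        hits.append(perm)
        score += PERMISSION_WEIGHTS[perm]
    for name, (pattern, weight) in STRING_MARKERS.items():
        if pattern.search(strings):
            hits.append(name)
            score += weight
    verdict = "likely carrier-billing fraud" if score >= LIKELY_FRAUD else "low"
    return {"score": score, "hits": hits, "verdict": verdict}


# Constructed sample: a brand-impersonating game with the described capability set.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application android:label="Minecraft"/>
</manifest>"""
SUSPECT_STRINGS = """
Lcom/google/android/gms/auth/api/phone/SmsRetriever;
com.google.android.gms.auth.api.phone.SMS_RETRIEVED_ACTION
Landroid/net/wifi/WifiManager;->setWifiEnabled(Z)Z
https://api.telegram.org/bot%s/sendMessage
Landroid/webkit/WebView;->addJavascriptInterface
Landroid/os/Handler;->postDelayed
"""

# Constructed sample: an ordinary WebView-based app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
BENIGN_STRINGS = "Landroid/webkit/WebView;->evaluateJavascript\n"

if __name__ == "__main__":
    for label, m, s in (("suspect", SUSPECT_MANIFEST, SUSPECT_STRINGS),
                        ("benign", BENIGN_MANIFEST, BENIGN_STRINGS)):
        print(label, triage(m, s))
```

Run it against the output of a decompiler's string dump and the decoded manifest; the point of the split scoring is that an app can score on `sms_retriever` and `telegram_bot` alone, with a manifest that looks like any WebView wrapper.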

Indicators of Compromise

  • [Domain ] Command and control, tracking, billing, and exfiltration infrastructure – apizep.mwmze[.]com, modobomz[.]com, api.modobomco[.]com
  • [Domain ] Victim tracking and referrer validation endpoints – onesignalmdb.modobomz[.]com, onesignal.mwmze[.]com
  • [Short code / premium SMS destination ] Premium SMS fraud destinations used in Malaysia, Romania, and Croatia – +33293, +32133, 32128, 866866, +1280
  • [Keyword ] Trigger strings for premium subscription actions – ON HITZ, ON GAM1, ON A3, GYGO
  • [URL / web resource ] Benign fallback and billing portal activity – apkafa[.]com, DiGi carrier billing portal
  • [Telegram channel / API ] Real-time victim reporting and action notifications – private Telegram channel, Telegram Bot API
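Sweeping telemetry for the indicators above, as an added example that is not part of the zLabs report: the domains are kept defanged exactly as listed and refanged at load time, DNS and HTTP hostnames are matched by exact name or subdomain suffix (so a lookalike that merely contains an IOC domain does not match), and SMS sends are matched on destination short code (with or without the leading "+") or on the trigger keyword as the message body. The key=value log format and every sample line are constructed for this example.

```python
"""Sweep constructed DNS/HTTP/SMS telemetry for the IOCs on this page (added example)."""
import re
from typing import Iterable, List, Tuple

# IOCs as listed in the report, kept defanged so they can be pasted unchanged.
DEFANGED_DOMAINS = [
    "apizep.mwmze[.]com", "modobomz[.]com", "api.modobomco[.]com",
    "onesignalmdb.modobomz[.]com", "onesignal.mwmze[.]com", "apkafa[.]com",
]
SHORT_CODES = ["+33293", "+32133", "32128", "866866", "+1280"]
KEYWORDS = ["ON HITZ", "ON GAM1", "ON A3", "GYGO"]


def refang(domain: str) -> str:
    """Turn 'example[.]com' back into 'example.com', normalised for comparison."""
    return domain.replace("[.]", ".").lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_SHORT_CODES = {c.lstrip("+") for c in SHORT_CODES}
IOC_KEYWORDS = {k.upper() for k in KEYWORDS}

# key=value or key="quoted value" pairs (constructed log shape, not a real product format)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> dict:
    """'<ts> <kind> k=v k="v v"' -> dict; empty dict for unparseable lines."""
    parts = line.split(maxsplit=2)
    if len(parts) < 2:
        return {}
    fields = {"ts": parts[0], "kind": parts[1]}
    for m in KV_RE.finditer(parts[2] if len(parts) == 3 else ""):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def domain_matches(host: str) -> bool:
    """Exact or subdomain match only; 'modobomz.com.example.net' must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def sweep(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, reason, matched_value) for every line touching an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse_line(line)
        kind = f.get("kind")
        if kind == "dns" and domain_matches(f.get("qname", "")):
            hits.append((n, "dns", f["qname"]))
        elif kind == "http" and domain_matches(f.get("host", "")):
            hits.append((n, "http", f["host"]))
        elif kind == "sms":
            dest = f.get("dest", "").lstrip("+")
            body = f.get("body", "").strip().upper()
            if dest in IOC_SHORT_CODES:
                hits.append((n, "sms-shortcode", dest))
            elif body in IOC_KEYWORDS:
                hits.append((n, "sms-keyword", body))
    return hits


# Constructed sample telemetry: mixed hits, a benign lookup, and a lookalike domain.
SAMPLE_LOG = [
    "2025-01-10T12:00:01Z dns client=10.0.0.5 qname=onesignal.mwmze.com",
    "2025-01-10T12:00:02Z dns client=10.0.0.5 qname=cdn.example.org",
    "2025-01-10T12:00:03Z http client=10.0.0.5 host=api.modobomco.com path=/report",
    '2025-01-10T12:00:04Z sms device=d01 dest=+33293 body="ON HITZ"',
    '2025-01-10T12:00:05Z sms device=d01 dest=32128 body="hello"',
    '2025-01-10T12:00:06Z sms device=d02 dest=+60123456789 body="gygo"',
    "2025-01-10T12:00:07Z dns client=10.0.0.7 qname=modobomz.com.example.net",
    "2025-01-10T12:00:08Z dns client=10.0.0.5 qname=tracker.modobomz.com",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(hit)
```

Line 5 is flagged on the short code alone even though its body is innocuous, and line 6 on the keyword alone even though the destination is an ordinary number; both rules are needed because the report lists the two indicator types separately.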


Read more: https://zimperium.com/blog/premium-deception-uncovering-a-global-android-carrier-billing-fraud-campaign