News

Fake Android Apps Drain Phone Bills Via Carrier Billing Fraud

Over 200 fraudulent Android apps are quietly charging users through their mobile carrier accounts, bypassing credit cards and digital wallets entirely.

Security researchers identified the scheme as a form of WAP billing fraud — a method that exploits wireless application protocol carrier billing to subscribe victims to paid services without their knowledge or consent.

Unlike conventional mobile malware that targets stored payment credentials, these apps charge directly to a user’s phone bill. That makes the fraud harder to detect and easier to scale.

How the Fraud Works

When a victim opens one of the malicious apps, it silently navigates to a carrier billing page in the background. It then subscribes the user to a premium-rate service, completing the transaction without any visible prompt.

In some cases, the apps disable Wi-Fi on the device temporarily. That forces the handset onto a mobile data connection, which is required for WAP billing to function.

Some variants intercept the one-time SMS confirmation codes that carriers send to authenticate such purchases. The malware reads and suppresses those messages before the user sees them.

Scale and Distribution

Researchers have flagged more than 200 apps carrying this capability. Many appeared on third-party Android app stores and were distributed through social media ads and phishing links.

Google’s own Play Store has seen periodic waves of WAP billing malware, though Google removes flagged apps after review. Third-party stores operate without equivalent oversight.

The fraud disproportionately affects users in regions where carrier billing is a primary payment method, including parts of Southeast Asia, South Asia, and sub-Saharan Africa.

Detection Is Difficult

Most users discover the charges only after reviewing an itemized phone bill. By then, subscriptions may have run for several billing cycles.

Standard antivirus tools do not always flag WAP billing malware because the apps themselves may carry no overtly destructive code. The harmful behavior activates only under specific network conditions.

Users on prepaid plans may notice a faster-than-expected depletion of credit. Postpaid subscribers tend to spot the charges later, if at all.

What Carriers and Researchers Say

Mobile security firm Zimperium documented a related WAP billing trojan family, known as GriftHorse, in a 2021 report that identified victims across more than 70 countries. Zimperium said the campaign generated hundreds of millions of dollars in fraudulent charges before researchers intervened.

The GSMA, the trade body representing mobile network operators globally, has published guidelines urging carriers to implement additional authentication layers for premium billing services. Adoption of those controls remains inconsistent across markets.

WAP billing as a technology dates to the early 2000s, when mobile operators introduced it as a frictionless way to charge users for ringtones and wallpapers. The infrastructure has persisted across successive generations of mobile networks.

Its convenience — no credit card required, no app store account needed — is precisely what makes it an attractive vector for fraud operators today.

Related Articles