Kaspersky researchers have been observing fraudsters actively spreading Trojans that secretly subscribe users to paid services disguised as various mobile apps. 

Typically, these Trojans request access to users’ notifications and messages to intercept messages containing confirmation codes. Due to carelessness, users unknowingly subscribed to such services until their mobile phone accounts ran dry earlier than expected.

Kaspersky detected the most widely spread Trojans that sign users up for unwanted subscriptions, which are:


Examples of apps that spread Jocker Trojan and sign users up to unwanted subscriptions. (source: Kaspersky)

Trojans from the Trojan.AndroidOS.Jocker family can intercept codes sent in text messages and bypass anti-fraud solutions. They’re usually spread on Google Play, where scammers download a legitimate app from the store, add malicious code, and re-upload it under a different name. In most cases, these trojanized apps fulfill their purpose, and the user never suspects that they’re a source of threat. 

So far, in 2022, Jocker has most frequently attacked users in Saudi Arabia (21.20%), Poland (8.98%), and Germany (6.01%).


MobOk is considered the most active subscription Trojans, with more than 70% of mobile users encountering these threats. MobOk Trojan is particularly notable for an additional capability that enables it to bypass CAPTCHA in addition to reading the codes from messages. MobOK automatically sends the image to a service designed to decipher the code shown. 

Since the beginning of the year, MobOk Trojan has most frequently attacked users in Russia (31.01%), India (11.17%), and Indonesia (11.02%). 


Examples of fake apps used by Vesub. (Source: Kaspersky)

Vesub Trojan is spread through unofficial sources and imitates popular games and apps, such as GameBeyond, Tubemate, Minecraft, GTA5, and Vidmate. This malware opens an invisible window, requests a subscription, and then enters the code it intercepts from the victim’s received text messages. After that, the user is subscribed to a service without their knowledge or consent.

Most of these apps lack any legitimate functionality. For example, they subscribe to users when they are launched, while victims just see a loading window. However, there are some examples, such as a fake GameBeyond app, where the detected malware is accompanied by a random set of available games. 

Two out of five users who encountered Vesub were in Egypt (40.27%). This Trojan family has also been active in Thailand (25.88%) and Malaysia (15.85%).


Unlike the Trojans mentioned above, this one does not subscribe victims to a third-party service. Instead, it uses its own. Users end up subscribing to one of these services by simply not reading the user agreement carefully.

For example, some apps have recently spread intensively on Google Play, offering to tailor personal weight-loss plans for a token fee. Such apps contain small print mentioning a subscription fee with automatic billing. This means money will be deducted from the user’s bank account regularly without further confirmation from the user. 

To stay protected, Kaspersky experts also recommend:

  • Keep your guard up when installing apps from Google Play. Read the reviews, and research the developer, terms of use, and payment details. For messaging, choose a well-known app with positive reviews.
  • Check the permissions of the apps you’re using and think carefully before granting additional permissions. 
  • Use a reliable security solution to help detect malicious apps and adware before achieving their goals. 
  • Update your operating system and any essential apps as and when updates become available. Many safety issues can be solved by installing the updated versions of software.

To read more about this report, visit Securelist.com


Please enter your comment!
Please enter your name here