
Android.Subscription

Android.Subscription is an Android trojan family, identified by Doctor Web, that is designed to subscribe victims to paid mobile services. Doctor Web reported multiple Android.Subscription samples on Google Play, including Android.Subscription.23 and Android.Subscription.24, and stated that these trojan apps used Wap Click flows to enroll users in paid subscriptions. The family was discussed alongside Android.Joker as part of recurring malicious Google Play activity in Q1 and Q2 2026.

According to the source reporting, the Android.Joker and Android.Subscription apps discovered on Google Play were downloaded at least 2.6 million times in total, and Android.Subscription.23 and Android.Subscription.24 alone were downloaded more than 1.5 million times. The reporting attributes the family’s core behavior to fraudulent paid-service subscription abuse on Android devices, with the apps distributed through Google Play. It names no specific threat actor or industry targeting and provides no concrete IOC set.


MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195: Supply Chain Compromise (Evidence: 1)

Over the past three months, Doctor Web’s virus analysts discovered new threats on Google Play. Among them were Android.Joker and Android.Subscription trojans, which subscribe users to paid services.
