Android.Subscription
Android.Subscription is an Android trojan family identified by Doctor Web that is designed to subscribe victims to paid mobile services. Doctor Web reported multiple Android.Subscription samples on Google Play, including Android.Subscription.23 and Android.Subscription.24, and stated that these trojan apps used Wap Click flows to enroll users in paid subscriptions. The family was discussed alongside Android.Joker as part of recurring malicious Google Play activity in Q1 and Q2 2026. According to the reporting, the Android.Joker and Android.Subscription apps discovered on Google Play were downloaded at least 2.6 million times in total, and Android.Subscription.23 and Android.Subscription.24 alone were downloaded more than 1.5 million times. The reporting attributes the family's core behavior to fraudulent paid-service subscription abuse on Android devices, with distribution through Google Play. It names no specific threat actor, industry targeting, or concrete IOC set.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
An Android trojan family distributed via Google Play that subscribes users to paid services.
Android trojan family that loads websites and abuses Wap Click flows to activate paid mobile subscriptions, often prompting for a phone number and attempting automatic subscription.
Android subscription trojan family that enrolls users into paid services, observed on Google Play.