diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md index 01b7ad48f7b..1dad410bbbc 100644 --- a/src/mobile-pentesting/android-app-pentesting/README.md +++ b/src/mobile-pentesting/android-app-pentesting/README.md 
@@ -127,6 +127,48 @@ Instead of custom sockets, some malware uses **Firebase Cloud Messaging (FCM)** Native payloads can be delivered as encrypted ELF blobs and decrypted with `CipherInputStream()`, using a key **derived from SHA‑1 of the downloaded filename**. Each filename/version yields a distinct key, hindering static IOC reuse. +### Carrier-billing / premium-SMS fraud tradecraft + +Some Android fraudware focuses on **charging the victim through the mobile operator path** instead of stealing banking credentials. The common pattern is to only activate when the SIM/operator matches a hardcoded or remotely supplied target list (**MCC/MNC / operator name / operator code**) and otherwise show benign content to reduce analyst exposure. + +Typical workflow: +- Read telephony identifiers and **gate execution by operator/country**. +- If needed, **disable Wi‑Fi** so carrier portals see the victim coming from the mobile network. +- Open the carrier billing flow in a **hidden `WebView`** while the foreground UI shows unrelated content. +- Use JavaScript to press **Request OTP / Confirm** buttons and fill subscription forms. +- Capture the billing OTP with the **SMS Retriever API** or direct SMS access, then inject it into the hidden `WebView`. +- Fall back to **premium SMS** enrollment by sending keywords to short codes when the operator flow is SMS-based. +- Exfiltrate cookies, HTML, operator metadata, and conversion status to tune selectors and campaign analytics. + +Interesting implementation details to hunt for during reversing: +- **Operator gating:** `TelephonyManager.getSimOperator()`, `getSimOperatorName()`, `getNetworkOperator()` plus hardcoded MCC/MNC lists. +- **Hidden WebViews:** off-screen/minimized `WebView` objects loading carrier URLs while the visible UI keeps the user distracted. +- **JS-driven fraud:** `evaluateJavascript(...)` / `loadUrl("javascript:...")` used to click billing buttons or populate TAC/OTP fields. 
+- **OTP interception without `READ_SMS`:** malware can abuse Google's [SMS Retriever API](https://developers.google.com/android/reference/com/google/android/gms/auth/api/phone/SmsRetrieverApi) to receive OTP-style messages that match the retriever flow. +- **Cookie theft:** `CookieManager.getInstance().getCookie()` after loading the carrier page to reuse the WebView billing session. +- **Delayed SMS scheduling:** premium SMS sends spaced by 60-90 seconds to look less bursty and bypass anti-fraud heuristics. +- **Telemetry over public services:** Telegram Bot API or similar SaaS channels used as a lightweight install / send-status / operator-reporting backend. + +Quick triage ideas: +```bash +rg -n 'getSimOperator|getNetworkOperator|SmsRetriever|startSmsRetriever|sendTextMessage|CookieManager|getCookie|setWifiEnabled|evaluateJavascript|javascript:' . +``` + +```javascript +Java.perform(() => { + const CM = Java.use('android.webkit.CookieManager'); + CM.getCookie.overload('java.lang.String').implementation = function (url) { + console.log('[CookieManager] ' + url); + return this.getCookie(url); + }; +}); +``` + +Testing notes: +- Force different operator paths in the emulator/device by hooking `TelephonyManager` getters or patching Smali constants. +- Watch for **network changes** before the billing page is opened; toggling Wi‑Fi can be the signal that the malware needs the operator-authenticated path. +- If the sample keeps a benign page visible, inspect for **secondary/off-screen WebViews** and dump both the HTML and cookies after each carrier portal load. + ### OEM system-app droppers and `customer.prop` root backdoors Cheap Android TVs/projectors and other OEM devices sometimes ship with **privileged system apps** signed with **AOSP test keys** or an OEM platform key, plus **weak boot-property handling**. 
Treat these builds as both an Android-app and firmware target: the system app can act as a **dropper**, while insecure OEM partitions can turn **ADB over TCP** into a repeatable root backdoor. @@ -1091,5 +1133,8 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th - [BeatBanker: A dual‑mode Android Trojan](https://securelist.com/beatbanker-miner-and-banker/119121/) - [Pre-installed C2 Infrastructure and RAT Payload on Android Projectors](https://github.com/Kavan00/Android-Projector-C2-Malware) - [Reverse-engineering pre-installed Android malware with Claude Code](https://zanestjohn.com/blog/reing-with-claude-code) +- [Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign](https://zimperium.com/blog/premium-deception-uncovering-a-global-android-carrier-billing-fraud-campaign) +- [SmsRetrieverApi reference](https://developers.google.com/android/reference/com/google/android/gms/auth/api/phone/SmsRetrieverApi) +- [Android `CookieManager` reference](https://developer.android.com/reference/android/webkit/CookieManager) {{#include ../../banners/hacktricks-training.md}}
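Review bot: the Frida snippet in the "Quick triage ideas" block hooks `android.webkit.CookieManager.getCookie(String)`, but that method is abstract on the base class, so the hook never fires and all calls dispatch to the concrete WebView implementation. Hook the implementation class instead, e.g. `Java.use('com.android.webview.chromium.CookieManagerAdapter')` on Chromium-based WebView, or resolve it at runtime before overriding, e.g. `const impl = Java.use(CM.getInstance().$className);` and then `impl.getCookie.overload('java.lang.String').implementation = ...`. Also, the "OTP interception without `READ_SMS`" bullet should carry the caveat that the SMS Retriever API only delivers messages that end with the app's 11-character hash, so this path only works when the fraud operator controls the OTP sender or the carrier message happens to include that hash; otherwise the sample still needs `RECEIVE_SMS`/`READ_SMS`, which is worth stating since it changes which permissions an analyst should expect in the manifest.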