Vishing Scam Targeting Armenian Mobile Users with Fake “5G Upgrades”

April 11, 2026

A persistent cyberattack, which started in December 2026 and continues to this day, is targeting mobile users in Armenia, combining old-school social engineering with custom-built malware to drain bank accounts. CyberHUB-AM was called on to provide incident response in several such cases, and since many of these attacks are succeeding, we are publishing this write-up to warn potential victims and inform incident responders.

Here is how the “Ucom 5G” scam works and how you can protect yourself.

  1. The “Official” Phone Call

The victim receives a call from a French phone number (+33 6 80 16 83 31, +33 6 40 01 89 95 and similar). The caller speaks Russian and claims to be a representative of Ucom. They inform the user that 4G equipment across Armenia is being decommissioned and that a manual “upgrade” is required to maintain service.

  2. The Screen-Sharing Trap

The attacker persuades the victim to move the conversation to WhatsApp and turn on WhatsApp screen sharing under the guise of “guiding” them through the 5G configuration. This allows the criminal to see everything on the user’s screen in real-time, including passwords, PIN codes, and banking interfaces.

  3. Disabling Security & Installing Malware

With the screen visible, the attacker guides the user to disable the phone’s built-in security settings (like “Install from Unknown Sources”) and sends a link to download “configuration software.” In reality, these are two malicious Android packages (APKs), which come under different names. Here are the ones that we’ve seen so far:

  • dispatcher.redactor.shuffler
  • subsystem.quantizer.orchestrator
  • poller.activatorx.translator

Technical Sophistication

Our forensic analysis of the infected device revealed that this isn’t amateur hour. The malware uses advanced evasion techniques:

  • Fake Indicators: The apps contain hardcoded strings for “5G+LTE”. Once installed, they display a fake network status to convince the victim that the “upgrade” actually worked.
  • Anti-Forensics: The APKs use corrupted internal ZIP structures (e.g., AndroidManifest.xml/..xml) designed to crash security scanners and antivirus tools.
  • Deceptive Naming: The apps use jargon-heavy names to look like critical system components, discouraging the user from uninstalling them.
  • Disabling System Settings Access: Once installed, the apps actively resist uninstallation by crashing access to the Play Store, System settings, and phone reset options. We were only able to delete them by connecting to the phone via USB and using ADB commands to download the malicious APKs for analysis and then delete them.
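
A triage check for the malformed-archive trick listed above, as an added example that is not CyberHUB-AM's own tooling: it reads only the ZIP directory of an APK pulled from a device and reports entries nested under core files, such as AndroidManifest.xml/..xml, instead of crashing on them. The function names, the list of core files and the sample archive builder are assumptions made for illustration.

```python
import io
import zipfile
from collections import Counter

# Files an APK keeps at the archive root; nothing should be nested under them.
CORE_FILES = ("AndroidManifest.xml", "classes.dex", "resources.arsc")


def apk_zip_anomalies(apk):
    """Return a list of findings for an APK given as a path or as bytes.

    Only the ZIP directory is read; no entry is extracted or executed.
    """
    source = io.BytesIO(apk) if isinstance(apk, (bytes, bytearray)) else apk
    try:
        with zipfile.ZipFile(source) as zf:
            names = [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile as exc:
        # A scanner that stops here has been evaded; report instead of crashing.
        return [f"unparseable ZIP structure: {exc}"]

    findings = []
    # Same name listed twice: different parsers may pick different copies.
    for name, count in Counter(names).items():
        if count > 1:
            findings.append(f"duplicate entry: {name} x{count}")

    files = {n for n in names if not n.endswith("/")}
    for name in names:
        parts = name.rstrip("/").split("/")
        # Every proper prefix of the path is being used as a directory.
        for depth in range(1, len(parts)):
            prefix = "/".join(parts[:depth])
            if prefix in CORE_FILES:
                findings.append(f"entry nested under core file: {name}")
            elif prefix in files:
                findings.append(f"file/directory collision: {name}")
    if "AndroidManifest.xml" not in files:
        findings.append("no plain AndroidManifest.xml at archive root")
    return findings


def build_sample(entry_names):
    """Constructed test archive (not a real sample): empty files only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"")
    return buf.getvalue()
```

Any finding is a reason to route the file to manual analysis rather than trusting an automated scanner's verdict on it.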

The Financial Goal

Once the malware was active and screen sharing was enabled, the attackers accessed the victim’s banking app. They transferred existing funds and used the online loan features to maximize their theft before the victim realized what was happening.

How to Stay Safe

  • Ucom (and other operators) will never call you to request screen sharing. If someone asks you to share your screen via WhatsApp or Zoom for “technical support,” hang up immediately.
  • Never install apps via links sent in chats. Only use the official Google Play Store or Apple App Store.
  • Ignore “Urgent” Network Deadlines. In the recorded call, the attacker claimed it was the “last day” for 4G. Legitimate network transitions take months or years and are announced through official public channels.
  • Check for suspicious apps. If your phone shows a “5G” icon that looks slightly different or appeared after installing an unknown file, you may be compromised.

If you believe you have been targeted, immediately contact your bank to freeze your accounts and perform a factory reset on your device.

This report was compiled by Artur Papyan, threat researcher with CyberHUB-AM, following an active incident response.