Threat actors have been using malicious Android applications to scam users into signing up for a bogus premium SMS subscription service, which results in big charges accruing on their phone bills.
Security firm Avast uncovered the campaign, which has been dubbed UltimaSMS, because one of the first apps discovered as being used to scam people was called Ultima Keyboard Pro. Researchers said: “The fake apps found feature a wide range of categories such as custom keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games, among others”.
Essentially, the campaign comprises at least 151 apps that at one point or another have been available on the Google Play Store – and collectively they’ve been downloaded over 10.5 million times. Google has since removed some of the flagged apps from the store, but there are likely others. Of course, this isn’t the first time that Google Play has been plagued by fake apps which are spreading malware.
All of the offerings are, “essentially copies of the same fake app used to spread the premium SMS scam campaign”, which indicates that one set of cyber criminals is behind the attack.
The threat actor behind the campaign is spreading UltimaSMS through “numerous catchy video advertisements” posted on advertising channels of social media sites such as Facebook, Instagram and TikTok. If an Android user takes the bait and installs one of the apps, it checks their location, International Mobile Equipment Identity (IMEI), and phone number to determine which country area code and language to use for the scam.
Once a user enters their details, the app subscribes them to a premium SMS service which sends texts to a short-code number – each text results in a charge for the user. These charges can total upwards of £30 per month depending on the country and mobile carrier. And, instead of unlocking the apps’ advertised features, the apps will either display further SMS subscription options or stop working altogether.
In fact, some of the apps describe this intention to users in fine print; however, not all of them extend this courtesy, “meaning many people who submitted their phone numbers into the apps might not even realize the extra charges to their phone bill are connected to the apps,” the researchers explained.
The apps collect premium SMS charges from subscribers typically to the maximum limit possible for their particular country, according to Avast. To avoid being defrauded by the UltimaSMS scam, users should follow the same common-sense vigilance and protocols for downloading and purchasing new apps:
- Check reviews first
- Read the fine print
- Don’t enter a phone number unless you trust the app
- Only use official app stores
Businesses and users can disable premium SMS with their network carrier so cyber criminals can’t abuse the service.