A global fraud campaign has been found leveraging 151 malicious
Android apps with 10.5 million downloads to rope users into premium
subscription services without their consent and knowledge.
The premium SMS scam[1]
campaign — dubbed “UltimaSMS[2]” — is believed to have
commenced in May 2021 and involved apps that cover a wide range of
categories, including keyboards, QR code scanners, video and photo
editors, spam call blockers, camera filters, and games, with most
of the fraudulent apps downloaded by users in Egypt, Saudi Arabia,
Pakistan, the U.A.E., Turkey, Oman, Qatar, Kuwait, the U.S., and
Poland.
Although a significant chunk of the apps[3]
in question has since been removed from the Google Play Store, 82
apps continued to remain available in the online marketplace as of
October 19, 2021.
It all starts with the apps prompting users to enter their phone
numbers and email addresses to gain access to the advertised
features, only to subscribe the victims to premium SMS services
that can charge north of $40 per month depending on the country and
mobile carrier.
“Instead of unlocking the apps’ advertised features, which users
might assume should happen, the apps will either display further
SMS subscriptions options or stop working altogether,” Avast
researcher Jakub Vávra said.
The UltimaSMS adware scam is also notable for the fact that it’s
distributed via advertising channels on popular social media sites
such as Facebook, Instagram, and TikTok, luring unsuspecting users
with what the researchers say are “catchy video
advertisements.”
Aside from uninstalling the aforementioned apps, users are
advised to disable the premium SMS option with their carriers to
prevent subscription abuse. “Based on some of the user accounts
that left negative reviews, it looks like children are among the
victims, making this step especially important on children’s
phones, as they may be more susceptible to this type of scam,”
Vávra said.
References
1. premium SMS scam (thehackernews.com)
2. UltimaSMS (blog.avast.com)
3. chunk of the apps (github.com)