Threat actors are using malicious Android apps to con users into signing up for a bogus premium SMS subscription service, which results in large charges accruing on their phone bills.
The Ultima SMS campaign uses at least 151 apps, which have been downloaded more than 10 million times, to extort money through a fake premium SMS subscription service.
Ultima Keyboard Pro
Jakub Vavra from the threat operations team of security firm Avast uncovered the campaign, which he dubbed Ultima SMS because one of the first apps he discovered being used to scam people was called Ultima Keyboard Pro, he explained in a blog post published Monday.
“The fake apps I found feature a wide range of categories such as custom keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games, among others,” Vavra wrote in the post.
Google Play Store
The campaign, which appears to have started in May and is ongoing, comprises at least 151 apps that at one point or another have been available on the Google Play Store; collectively they have been downloaded more than 10.5 million times.
All are “essentially copies of the same fake app used to spread the premium SMS scam campaign,” Vavra explained, which he said likely indicates that one bad actor or group is behind the entire campaign.
Citing insights from mobile marketing intelligence firm Sensor Tower, he stated the campaign appears to be global, ensnaring users from more than 80 countries.
“The apps have been most downloaded by users in the Middle East, such as Egypt, Saudi Arabia, Pakistan, followed by users in the US and Poland,” Vavra explained.
How It Works
The threat actor behind the campaign is spreading Ultima SMS with “numerous catchy video advertisements” posted on advertising channels of social-media sites like Facebook, Instagram and TikTok, Vavra outlined.
If an Android user takes the bait and installs one of the apps, it checks their location, International Mobile Equipment Identity (IMEI), and phone number to determine which country area code and language to use for the fraud, according to the post.
“Once the user opens the app, a screen, localised in the language their device is set to, prompts them to enter their phone number, and in some cases email address, to gain access to the app’s advertised purpose,” Vavra wrote.
Once the user enters the details, the app subscribes him or her to a premium SMS service which sends texts to a short-coded number; each text results in a charge for the user. These charges can total upwards of $40 per month depending on the country and mobile carrier.
Instead of unlocking the apps’ advertised features, the apps will either display further SMS subscription options or stop working altogether, he explained.
“The sole purpose of the fake apps is to deceive users into signing up for premium SMS subscriptions,” Vavra wrote.
Reading the Fine Print
In fact, some of the apps actually describe this intention to users in fine print; however, not all of them extend this courtesy, “meaning many people who submitted their phone numbers into the apps might not even realise the extra charges to their phone bill are connected to the apps,” he explained.
The apps collect premium SMS charges from subscribers typically to the maximum limit possible for their particular country, according to Avast. Sometimes carriers will alert users of the excessive charges, but they also may go unnoticed for weeks or months, Vavra wrote.
Protect Yourself from Android Scams
To avoid being defrauded by the Ultima SMS con, users should apply the usual common-sense vigilance and protocols when downloading and purchasing new apps: check reviews first; read the fine print; do not enter a phone number unless you trust the app; and only use official app stores.
People can also disable premium SMS with their wireless carrier so threat actors cannot abuse the service; this is especially important for devices that parents give to children, as they are more likely to fall for cons using colourful and catchy ads, Vavra wrote.
“Based on some of the user accounts that left negative reviews, it looks like children are among the victims” of Ultima SMS, making this step especially important, he concluded.