Millions of Android Users Conned in SMS Fraud – Driven by Tik-Tok Ads!

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

Threat players are using malicious Android apps to con users into signing up for a bogus premium SMS subscription service, which results in big charges accruing on their phone bills.

Ultima SMS uses at least 151 apps that have been downloaded more than 10m times, to extort money through a fake premium SMS subscription service.

Ultima Keyboard Pro

Jakub Vavra from the threat operations team of security firm Avast uncovered the campaign, which he dubbed Ultima SMS because one of the 1st apps he discovered being used to scam people was called Ultima Keyboard Pro, he explained in a blog post published Mon.

“The fake apps I found feature a wide range of categories such as custom keyboards, QR code scanners, video & photo editors, spam call blockers, camera filters, & games, among others,” Vavra wrote in the post.

Google Play Store

The campaign — which appears to have started in May & is ongoing — is comprised of at least 151 apps that at 1 point or another have been available on the Google Play Store; collectively they have been downloaded more than 10.5m times.

Google has since removed the flagged apps from the store, but there are likely others he warned; indeed, Google Play persistently has been plagued by fake apps spreading malware.

All are “essentially copies of the same fake app used to spread the premium SMS scam campaign,” Vavra explained, which he outlined likely indicates that 1 bad player or group is behind the entire campaign.

Generic Privacy Policy

While the apps are advertised with profiles that seem legitimate, closer inspection points to something more suspicious, Vavra observed. For instance, they tend to include generic privacy policy statements & feature basic developer profiles including generic email addresses, as well as numerous negative reviews that identify them as fraudulent.

Citing insights from mobile marketing intelligence firm Sensor Tower, he stated the campaign appears to be global, ensnaring users from more than 80 countries.

“The apps have been most downloaded by users in the Middle East, such as Egypt, Saudi Arabia, Pakistan, followed by users in the US & Poland,” Vavra explained.

How It Works

The threat player behind the campaign is spreading Ultima SMS with “numerous catchy video advertisements” posted on advertising channels of social-media sites like Facebook, Instagram & TikTok, Vavra outlined.

If an Android user takes the bait & installs one of the apps, it checks their location, International Mobile Equipment Identity (IMEI), & phone number to determine which country area code & language to use for the fraud, according to the post.

“Once the user opens the app, a screen, localised in the language their device is set to, prompts them to enter their phone number, & in some cases email address, to gain access to the app’s advertised purpose,” Vavra wrote.

Short-Coded Number

Once the user enters the details, the app subscribes him or her to a premium SMS service which sends texts to a short-coded number — each text results in a charge for the user. These charges can total upwards of $40 per month depending on the country & mobile carrier.

Instead of unlocking the apps’ advertised features, the apps will either display further SMS subscriptions options or stop working altogether, he explained.

“The sole purpose of the fake apps is to deceive users into signing up for premium SMS subscriptions,” Vavra wrote.

Reading the Fine Print

In fact, some of the apps actually describe this intention to users in fine print; however, not all of them extend this courtesy, “meaning many people who submitted their phone numbers into the apps might not even realise the extra charges to their phone bill are connected to the apps,” he explained.

The apps collect premium SMS charges from subscribers typically to the maximum limit possible for their particular country, according to Avast. Sometimes carriers will alert users of the excessive charges, but they also may go unnoticed for weeks or months, Vavra wrote.

Protect Yourself from Android Scams

To avoid being defrauded by the Ultima SMS con, users should follow the same common-sense vigilance and protocols for downloading & purchasing new apps: Check reviews 1st; read the fine print; do not enter a phone number unless you trust the app; & only use official app stores.

People also can disable premium SMS with their wireless carrier so threat players cannot abuse the service; this is something that is especially important to do with devices that parents give to children, as they are more likely to fall for cons using colourful & catchy ads, Vavra wrote.


“Based on some of the user accounts that left negative reviews, it looks like children are among the victims” of Ultima SMS,  making this step especially important, he concluded.

Virtual Conference November 2021

More To Explore

Community Area


Home Workouts


spaghetti Bolognese