Millions of Android users targeted with fake SMS subscription apps
Security researchers have uncovered a large-scale scam campaign operating on the Google Play store that is luring victims into downloading scam apps that go on to trick them into signing up for SMS subscriptions.
Security software company Avast has uncovered a massive global scam campaign designed to lure millions of smartphone users into downloading catchy-sounding apps from the Play Store that sign users up to expensive SMS subscriptions.
Discovered this week, the scam campaign has been dubbed by Avast as UltimaSMS, named after the Ultima prefix given to a number of the offending apps. It has been in operation since at least May 2021. Avast identified over 80 offending apps available from the Google Play store, downloaded an estimated 10.5 million times.
How does the scam work?
The apps on the Play Store are given catchy names, such as Ultima Keyboard 3D Pro, Wi-Fi Password Unlock, Crime City: Revenge and Ultra Camera HD, purporting to offer users all types of entertainment and software resources.
However, upon installation, the apps would immediately divert the user to a webpage asking for their phone number and email, in order to “activate” the content of the app itself.
However, the webpage is actually the sign-up page for an SMS subscription that charges users to receive text messages. The crooks behind the smartphone apps make money as affiliates each time a victim hands over their phone number. Some of the webpages these apps direct to can be seen below, as per Avast.
Not all of the webpages had fine print explaining that the user would be charged for entering their phone number.
After entering their phone number, users would then realise the app was useless and did not offer the features advertised.
Many of the apps have been propped up with fake reviews on the Play Store.
However, uninstalling the app does not mean the SMS subscriptions become invalid. A victim would have to contact their phone carrier to cancel all SMS subscriptions to avoid further charges.
Such scams may have a low success rate (because many users would work out that the apps are directing them to external webpages, and users now have to confirm SMS subscriptions) but the sheer scale of the scam campaign has meant the crooks have most likely netted a sizeable profit – even using that profit to advertise with catchy videos on social media sites such as TikTok to lure more people into downloading.
After being contacted by Avast, Google Play has since removed all known offending apps, but other similar scams may still exist, so it is important to remain vigilant.
It is estimated that over 170,000 phones in the US were infected, and over 2 million in countries including Egypt and Saudi Arabia.
Don’t fall for these scams. If an app asks for your phone number when you install it, be especially cautious and only offer your personal details if you trust the developer of the app. If a webpage asks for your phone number, always read the fine print, and always carefully check the reviews on the Play Store before downloading.
A full list of offending apps removed from the Google Play store (though they may still be available elsewhere) can be seen here.