SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Global SMS scam uncovered on Google Play Store, promoted on Tik Tok and Instagram
Tue, 2nd Nov 2021
FYI, this story is more than a year old

More than 150 premium SMS scam applications have been discovered as part of a campaign dubbed “UltimaSMS” by digital security and privacy firm Avast.

The apps are all nearly identical in structure and functionality, and can cost victims, who are not rewarded any type of return, upwards of $40 per month, depending on their location and mobile carrier.

Avast reported them to Google's Security Team, resulting in their swift removal from the store.

Last week, more than 80 apps were still available for download on the Google Play Store.

“The apps are all nearly identical in terms of how they function, which leads me to believe that a single actor or group of bad actors is behind the campaign,” says Avast threat analyst Jakub Vvra.

“The person or people behind the UltimaSMS campaign appear to be money hungry, as they are advertising the apps via Tik Tok, Instagram, and Facebook, which also speaks to the size and impact of this particular strain of scam," he says.

The apps, which have been downloaded more than 10 million times according to insights surfaced using Sensor Tower, a mobile apps marketing intelligence and insights company, disguise themselves as custom keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games, among others. According to Sensor Tower data, the apps were being promoted via ads on social media networks, such as Tik Tok and Instagram, and have mainly been downloaded by users in the Middle East, the US, and Poland.

Once downloaded, the apps check users' device location, IMEI, and phone number to determine in which language to display the scam. When a user opens the app, they are asked to enter their phone number and in some cases, their email address as well, in order to use the apps' advertised purposes. If submitted, this step signs the user up for a premium SMS subscription, which in some cases is described in fine print text below the call to action button, but not always. The apps' advertised features are not unlocked after this step, instead further SMS subscriptions options are shown or the apps stop working altogether.

“The apps are disguised as genuine apps through well-constructed app profiles on the Play Store. These profiles feature catchy photos, with well-written descriptions, and often have high review averages," says Vvra.

"However, when taking a closer look, they have generic privacy policy statements, feature basic developer profiles including generic email addresses.

“Despite having high review averages, many have numerous negative reviews from users that correctly identified the apps as scams or have fallen for the scam. Unfortunately, children seem susceptible to these scams, based on the reviews left on the app profiles.

How users can protect themselves against Premium SMS scams

Vvra recommends mobile users first and foremost disable premium SMS options with their carriers, unless absolutely necessary, to avoid even the most cautious users from falling victim. Additionally, he advises mobile users to carefully check reviews before downloading apps, as scam apps often have boosted review averages, but poor written reviews often serve as red flags.

Furthermore, users should avoid entering personal information, such as phone numbers or email addresses. He also recommends always looking for and reading the fine print to avoid falling for scams like UltimaSMS. Finally, Vvra warns against downloading apps outside of official app stores, especially considering that many of the apps Avast discovered are still available for download outside of the Play Store.