UltimaSMS subscription fraud campaign targeted millions of Android users

UltimaSMS, a massive fraud campaign is using Android apps with million of downloads to subscribe victims to premium subscription services.

Researchers from Avast have uncovered a widespread premium SMS scam on the Google Play Store, tracked as UltimaSMS, the name comes from the first apps they discovered called Ultima Keyboard 3D Pro.

Threat actors used at least 151 Android apps with 10.5 million downloads from over 80 countries to subscribe victims to premium subscription services.

Attackers used a fake photo editor, spam call blockers, camera filter, games, and other apps and promoted them via Instagram and TikTok channels.

Most of the downloads were made by users in the Middle East, such as Egypt, Saudi Arabia, and Pakistan.

Upon installing the apps, they check their location, International Mobile Equipment Identity (IMEI), and phone number to determine which country area code and language to use for the scam. When the victim opens the app, it will be displayed a screen that requests to enter their phone number, and in some cases, email address to gain access to the app’s advertised service or product.

“Upon entering the requested details, the user is subscribed to premium SMS services that can charge upwards of $40 per month depending on the country and mobile carrier. Instead of unlocking the apps’ advertised features, which users might assume should happen, the apps will either display further SMS subscriptions options or stop working altogether.” reads the analysis published by Avast.”The sole purpose of the fake apps is to deceive users into signing up for premium SMS subscriptions” 

Once the app has obtained the required permissions, it subscribes the victim to SMS service that could cost up to $40 per month depending on the country and mobile carrier.

Avast shared its findings with Google that quickly removed the apps, according to the experts the operators behind this campaign are racking up thousands of dollars in charges.

Experts recommend disabling the premium SMS option for their carrier and recommend users avoid entering a phone number unless they trust the app.

Mobile users are advised to read the fine print before entering details and carefully check reviews before installing an app.

Recently, security researchers from Zimperium have uncovered a piece of malware, dubbed GriftHorse, that was used for a similar purpose and that has infected more than 10 million Android smartphones across more than 70 countries.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)

[adrotate banner=”5″]

[adrotate banner=”13″]