Criminals flooded the Google Play Store with scam applications that surreptitiously signs users into premium SMS services.
Researchers by asecurity vendor Avast discovered a campaign it has named UltimaSMS, which so far has uncovered 150 scammy apps.
According to Avast, the apps have been collectively downloaded over 10 million times, and can cost victims, who are not rewarded any type of return, upwards of $40 per month, depending on their location and mobile carrier.
“The apps are all nearly identical in terms of how they function, which leads me to believe that a single actor or group of bad actors is behind the campaign,” said Jakub Vávra, threat analyst at Avast.
Disguised as legitimate apps
Avast’s research has revealed that the apps disguise themselves as custom keyboards, QR code scanners, video editors and photo editors, spam call blockers, camera filters, and mobile games, among others.
Vávra says the apps promote themselves via ads on social media networks, such as TikTok and Instagram, which he believes is a telling sign about the size and impact of this particular campaign.
Once downloaded, the apps check the users’ device location, IMEI, and phone number to determine in which language to display the scam.
“The apps are disguised as genuine apps through well constructed app profiles on the Play Store….However, when taking a closer look, they have generic privacy policy statements, feature basic developer profiles including generic email addresses,” explains Vávra.
Avast reported the scammy apps to Google’s Security Team, which resulted in their swift removal from the Play Store.
