Millions of Android Users Scammed in SMS Fraud Driven by Tik-Tok Ads

UltimaSMS leverages at least 151 apps that have been downloaded collectively more than 10 million times, to extort money through a fake premium SMS subscription service.

Threat actors are using malicious Android apps to scam users into signing up for a bogus premium SMS subscription service, which results in big charges accruing on their phone bills.

Jakub Vavra from the threat operations team of security firm Avast uncovered the campaign, which he dubbed UltimaSMS because one of the first apps he discovered being used to scam people was called Ultima Keyboard Pro, he said in a blog post published Monday.

“The fake apps I found feature a wide range of categories such as custom keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games, among others,” Vavra wrote in the post.

Infosec Insiders Newsletter

Essentially, the campaign — which appears to have started in May and is ongoing — is comprised of at least 151 apps that at one point or another have been available on the Google Play Store; collectively they’ve been downloaded more than 10.5 million times.

Google has since removed the flagged apps from the store, but there are likely others he said; indeed, Google Play persistently has been plagued by fake apps spreading malware.

All of the offerings are “essentially copies of the same fake app used to spread the premium SMS scam campaign,” Vavra explained, which he said likely indicates that one bad actor or group is behind the entire campaign.

While the apps are advertised with profiles that seem legitimate, closer inspection points to something more suspicious, Vavra observed. For instance, they tend to include generic privacy policy statements and feature basic developer profiles including generic email addresses, as well as numerous negative reviews that identify them as fraudulent.

Citing insights from mobile marketing intelligence firm Sensor Tower, he said the campaign appears to be global, ensnaring users from more than 80 countries.

“The apps have been most downloaded by users in the Middle East, such as Egypt, Saudi Arabia, Pakistan, followed by users in the U.S. and Poland,” Vavra explained.

How It Works

The threat actor behind the campaign is spreading UltimaSMS with “numerous catchy video advertisements” posted on advertising channels of social-media sites like Facebook, Instagram and TikTok, Vavra explained.

If an Android user takes the bait and installs one of the apps, it checks their location, International Mobile Equipment Identity (IMEI), and phone number to determine which country area code and language to use for the scam, according to the post.

“Once the user opens the app, a screen, localized in the language their device is set to, prompts them to enter their phone number, and in some cases email address, to gain access to the app’s advertised purpose,” Vavra wrote.

Once the user enters the details, the app subscribes him or her to a premium SMS service which sends texts to a short-coded number — each text results in a charge for the user. These charges can total upwards of $40 per month depending on the country and mobile carrier.

And, instead of unlocking the apps’ advertised features, the apps will either display further SMS subscriptions options or stop working altogether, he explained.

“The sole purpose of the fake apps is to deceive users into signing up for premium SMS subscriptions,” Vavra wrote.

Benefits of Reading the Fine Print

In fact, some of the apps actually describe this intention to users in fine print; however, not all of them extend this courtesy, “meaning many people who submitted their phone numbers into the apps might not even realize the extra charges to their phone bill are connected to the apps,” he explained.

The apps collect premium SMS charges from subscribers typically to the maximum limit possible for their particular country, according to Avast. Sometimes carriers will alert users of the excessive charges, but they also may go unnoticed for weeks or months, Vavra wrote.

How to Protect Yourself from Android Scams

To avoid being defrauded by the UltimaSMS scam, users should follow the same common-sense vigilance and protocols for downloading and purchasing new apps: Check reviews first; read the fine print; don’t enter a phone number unless you trust the app; and only use official app stores.

People also can disable premium SMS with their wireless carrier so threat actors can’t abuse the service; this is something that is especially important to do with devices that parents give to children, as they are more likely to fall prey to scams using colorful and catchy ads, Vavra wrote.

Indeed, “based on some of the user accounts that left negative reviews, it looks like children are among the victims” of UltimaSMS,  making this step especially important, he observed.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.



Suggested articles