Millions of Smartphone Users Scammed In UltimaSMS Scam

Hackers are using malicious Android apps, dubbed UltimaSMS, to trick users into signing up for a fraudulent SMS subscription service. The service eventually charges them hefty sums on their phone bills.

Jakub Vavra from Avast, who was one of the first to research the campaign, dubbed the apps UltimaSMS because the first app he discovered using this tactic was called Ultima Keyboard Pro.

“The fake apps I found feature a wide range of categories such as custom keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games, among others,” Vavra wrote in a blog post Monday.

The UltimaSMS campaign, which started in May, is compromised of roughly 151 apps that have at one point in their lifetime been on the Google Play Store. Collectively, the apps have been downloaded 10.5 million times.

Google has removed flagged apps from the store, but it is likely there are many more hidden within, Vavra noted. Google has had a storied history with malicious apps making their way onto the Play Store for months at a time.

All of the UltimaSMS offerings are “essentially copies of the same fake app used to spread the premium SMS scam campaign,” Vavra explained, which he said likely indicates that one bad actor or group is behind the entire campaign.

Vavra observed that the apps advertised seem legitimate, but upon closer inspection, there is something more suspicious. For instance, they tend to include generic privacy policy statements and feature basic developer profiles including generic email addresses, as well as numerous negative reviews that identify them as fraudulent.

Citing insights from mobile marketing intelligence firm Sensor Tower, he said the campaign appears to be global, ensnaring users from more than 80 countries.

“The apps have been most downloaded by users in the Middle East, such as Egypt, Saudi Arabia, Pakistan, followed by users in the U.S. and Poland,” Vavra explained.

The hackers behind UltimaSMS are spreading their campaign with “numerous catchy video advertisements” posted on advertising channels of social-media sites like Facebook, Instagram and TikTok, Vavra explained.

If an Android user falls for the trick and installs one of the apps, it checks their location, International Mobile Equipment Identity (IMEI), and phone number to determine which country area code and language to use for the scam, according to the post.

“Once the user opens the app, a screen, localized in the language their device is set to, prompts them to enter their phone number, and in some cases email address, to gain access to the app’s advertised purpose,” Vavra wrote.

Once the user enters the details, the app subscribes him or her to a premium SMS service that sends texts to a short-coded number — each text results in a charge for the user. These charges can total upwards of $40 per month depending on the country and mobile carrier.

And, instead of unlocking the apps’ advertised features, the apps will either display further SMS subscriptions options or stop working altogether, he explained.

“The sole purpose of the fake apps is to deceive users into signing up for premium SMS subscriptions,” Vavra wrote.

Vavra points out that some of the apps actually describe their intention in the fine print, though many don’t, “meaning many people who submitted their phone numbers into the apps might not even realize the extra charges to their phone bill are connected to the apps,” he explained.

The apps collect premium SMS charges from subscribers typically to the maximum limit possible for their particular country, according to Vavra. Sometimes carriers will alert users of the excessive charges, but they also may go unnoticed for weeks or months, Vavra wrote.