Millions of Android Users Fall Prey to Premium SMS Scam


A cybersecurity researcher has uncovered an SMS scam, known as the UltimaSMS campaign, that has potentially affected millions of Android users. The campaign relies on malicious apps to sign victims up to a premium SMS service that charges over $40 a month.

Jakub Vavra, Threat Operations Analyst at cybersecurity firm Avast, discovered the campaign, which involved 151 malicious apps. These apps were available “at one point or another” on the Google Play Store. According to Vavra, they have been downloaded over 10.5 million times to date.

Vavra also said the apps are nearly identical, and they all aim to sign up users to the SMS service. The campaign appears to be global, and the malicious apps cover a wide range of categories. Vavra said some of the categories he found include:

  • custom keyboards
  • QR code scanners
  • video and photo editors
  • spam call blockers
  • gaming applications
  • camera filters

Avast believes that the campaign is still ongoing. Read on to learn about how the scam works, and what you can do to protect yourself.

How Does the Premium SMS Scam Work?

The campaign is spread through video advertisements on popular social media platforms, such as Facebook, Instagram, and TikTok.

Vavra said that once a user installs one of the malicious apps, it checks the device’s location, phone number, and International Mobile Equipment Identity (IMEI). The app uses this information to work out which country code and language to use for the scam.

The user is then prompted to enter contact details, including a phone number, to gain access to the app’s features. Once this is done, the app signs the user up to a premium SMS service billed through a premium-rate short code, which results in a charge of over $40 per month. The exact amount varies by country and carrier.

Unsurprisingly, after subscribing the user to this service, the app does not provide any of its advertised features. Instead, it either displays other subscription options or stops working completely. Vavra says that the only purpose of these apps is to sign users up for premium SMS subscriptions.
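The pattern described above (an app whose advertised purpose gives it no reason to read location, phone number or device identifiers, yet requests the permissions that expose them) can be turned into a simple triage heuristic. The following Python script is an added example and is not code from Avast’s research or from the article: it parses the output of `aapt dump permissions` and compares the requested permissions against what an app of the declared category plausibly needs. The sample dumps and the category allowlist are constructed for the example; the permission-to-data mapping follows Android’s documented permission model (on Android 10 and later, ordinary apps can no longer read the IMEI even with READ_PHONE_STATE).

```python
"""Permission-versus-purpose triage for Android apps (added example).

Feed it the text of `aapt dump permissions app.apk` plus the app's
advertised category. It flags permissions that expose the signals an
UltimaSMS-style app harvests (location, phone number, IMEI) or that let
an app act on SMS directly, whenever the category has no plausible need.
"""
from __future__ import annotations

import re

# Matches lines such as: uses-permission: name='android.permission.CAMERA'
AAPT_LINE = re.compile(r"uses-permission: name='([^']+)'")

# Permissions that expose the data the article says the scam apps collect.
# Descriptions summarise the Android permission documentation.
IDENTITY_PERMS = {
    "android.permission.READ_PHONE_STATE": "phone state; IMEI on Android 9 and earlier",
    "android.permission.READ_PHONE_NUMBERS": "the device's phone number",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

# Permissions that let an app send or read SMS itself.
SMS_PERMS = {
    "android.permission.SEND_SMS": "sending SMS, including to premium short codes",
    "android.permission.RECEIVE_SMS": "intercepting incoming SMS such as confirmation codes",
    "android.permission.READ_SMS": "reading stored SMS",
}

# Hypothetical allowlist: which sensitive permissions a legitimate app of each
# category from the article could reasonably need. Everything else is a finding.
EXPECTED = {
    "custom keyboard": set(),
    "qr code scanner": set(),
    "video and photo editor": set(),
    "camera filter": set(),
    "game": set(),
    # A call blocker must observe call state, so READ_PHONE_STATE is expected.
    "spam call blocker": {"android.permission.READ_PHONE_STATE"},
}


def parse_aapt_permissions(dump: str) -> set[str]:
    """Return the set of permissions requested in an aapt permissions dump."""
    return set(AAPT_LINE.findall(dump))


def triage(category: str, requested: set[str]) -> dict:
    """Compare requested permissions with the category allowlist.

    Returns a dict with the normalised category, a verdict ("ok", "review",
    "suspicious" or "high") and a list of human-readable findings.
    """
    cat = category.strip().lower()
    expected = EXPECTED.get(cat, set())
    findings: list[str] = []
    identity_hits = 0
    sms_hits = 0
    for perm in sorted(requested):
        if perm in expected:
            continue
        if perm in IDENTITY_PERMS:
            identity_hits += 1
            findings.append(f"{perm}: grants {IDENTITY_PERMS[perm]}; a {cat} has no need for it")
        elif perm in SMS_PERMS:
            sms_hits += 1
            findings.append(f"{perm}: allows {SMS_PERMS[perm]}; a {cat} has no need for it")
    if sms_hits:
        verdict = "high"
    elif identity_hits >= 2:
        verdict = "suspicious"  # location plus phone identity: the article's pattern
    elif identity_hits == 1:
        verdict = "review"
    else:
        verdict = "ok"
    return {"category": cat, "verdict": verdict, "findings": findings}


# Constructed sample dumps (not real apps) in the format aapt prints.
SAMPLE_QR_SCANNER = """\
package: name='com.example.qrscan'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.READ_PHONE_NUMBERS'
"""

SAMPLE_CALL_BLOCKER = """\
package: name='com.example.callblock'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.INTERNET'
"""

if __name__ == "__main__":
    for cat, dump in (("QR code scanner", SAMPLE_QR_SCANNER),
                      ("spam call blocker", SAMPLE_CALL_BLOCKER)):
        result = triage(cat, parse_aapt_permissions(dump))
        print(f"{result['category']}: {result['verdict']}")
        for line in result["findings"]:
            print("  -", line)
```

The heuristic is deliberately coarse: it cannot tell whether an app actually transmits the data, and a legitimate app may request a permission it later justifies in-app. It is meant as a first-pass filter for an app review queue, not as proof of fraud; anything rated "suspicious" or "high" warrants dynamic analysis of what the app does with a phone number once entered.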

What Can You Do to Protect Yourself?

The best way to protect yourself from this scam is to follow basic security hygiene. These are the same precautions you should take before installing any new app. Some important steps are listed below for reference:

  1. Check the reviews first.
  2. Read the fine print, including any subscription terms.
  3. Avoid entering a phone number unless you trust the app.
  4. Only use official app stores and avoid third-party sites.

Additionally, you can protect yourself by asking your wireless carrier to disable premium SMS on your account. That way, malicious actors cannot abuse this service. Vavra says that young children are susceptible to the campaign since it is heavily advertised on TikTok and Instagram. Parents are therefore advised to disable premium SMS on their children’s devices.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.