151 apps on the Google Play Store are part of the UltimaSMS scam.
SMS-based scams are some of the most lucrative for cybercriminals worldwide. By signing you up to expensive text messaging services without your realising it, and giving you little chance to back out, criminals can make off with plenty of money. It’s an issue that’s constantly plaguing people – but a new delivery method has been uncovered that’s used by a large organised group.
Researchers at Avast have uncovered what they’ve deemed the UltimaSMS scam, propagated through the Google Play Store. The scam encompasses 151 different apps – everything from fake photo editors to games – that sign victims up for expensive premium SMS services, turning the scammers a quick profit.
Combined, the 151 apps in the scam have been downloaded 10.5 million times. The scam got its name because one of the first apps on which Avast’s threat operations analyst Jakub Vávra found it was called Ultima Keyboard 3D Pro.
A global campaign
“UltimaSMS appears to be a global campaign, as according to insights from Sensor Tower, a mobile apps marketing intelligence and insights company, the apps have been downloaded by users from over 80 countries,” says Vávra. “The apps have been most downloaded by users in the Middle East, such as Egypt, Saudi Arabia, Pakistan, followed by users in the US and Poland.”
Avast has traced the earliest UltimaSMS samples to May 2021 but continued analysis of new samples from the campaign shows the scam is still ongoing, the company says.
The scam works by piggybacking on a number of apps. On install, an app checks where the user is based by looking at their location, phone number and International Mobile Equipment Identity (IMEI).
By using that information, the app presents localised information designed to convince – or con – the user into thinking it’s a legitimate enterprise. Users are asked to enter their phone number, and in some cases, email address to gain access to the app’s advertised purpose.
How the scam tricks you
Once you insert that information, the scammers have you ensnared. By entering those details, the user is subscribed to costly SMS text messaging services that can charge upwards of $40 per month. Rather than offering whatever feature they profess to be selling, users are instead caught in an endless loop of being resubscribed to further SMS messages.
“The sole purpose of the fake apps is to deceive users into signing up for premium SMS subscriptions,” says Vávra. “While some of the apps include fine print describing this to users, not all of them do, meaning many people who submitted their phone numbers into the apps might not even realise the extra charges to their phone bill are connected to the apps.”
What is particularly pernicious about the UltimaSMS scam, says Vávra, is that it’s almost designed to go undiscovered for a long time, draining the victim’s bank account without them realising. “The user may be notified by their carrier of the excessive charges, but they could also go unnoticed for weeks or months,” he says.
“Affected users may dismiss the apps as nonfunctional and uninstall them, however, the SMS charges will continue and could amount up to an unpleasant sum.”
Jakub Vávra, threat operations analyst at Avast
Most concerningly, the apps that contain the scams are advertised on platforms including Facebook, Instagram and TikTok, making it more likely to con plenty of others. In order to avoid falling victim, Avast recommends remaining vigilant when downloading new apps, including checking reviews, reading all the fine print before agreeing to anything, and disabling the option to receive and send premium SMS messages with your phone provider. They also recommend that you don’t enter phone numbers in apps you don’t trust – it’s a key part of your digital identity.