Prague, Czech Republic, October 25, 2021 - Avast (LSE:AVST), a global leader in digital security and privacy, today announced the discovery of more than 150 premium SMS scam applications, part of a campaign Avast has dubbed “UltimaSMS”. The apps are all nearly identical in structure and functionality, and can cost victims, who are not rewarded any type of return, upwards of $40 per month, depending on their location and mobile carrier. Last week, more than 80 apps were still available for download on the Google Play Store. Avast reported them to Google’s Security Team, resulting in their swift removal from the store. According to Avast’s mobile threat intelligence platform, Apklab.io, the remaining 70 apps had also previously been available on the Play Store. The apps, which have been downloaded more than 10 million times according to insights surfaced using Sensor Tower, a mobile apps marketing intelligence and insights company, disguise themselves as custom keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games, among others. According to Sensor Tower data, the apps were being promoted via ads on social media networks, such as Tik Tok and Instagram, and have mainly been downloaded by users in the Middle East, the US, and Poland.
“The apps are all nearly identical in terms of how they function, which leads me to believe that a single actor or group of bad actors is behind the campaign,” said Jakub Vávra, threat analyst at Avast. “The person or people behind the UltimaSMS campaign appear to be money hungry, as they are advertising the apps via Tik Tok, Instagram, and Facebook, which also speaks to the size and impact of this particular strain of scam.”
Once downloaded, the apps check users’ device location, IMEI, and phone number to determine in which language to display the scam. When a user opens the app, they are asked to enter their phone number and in some cases, their email address as well, in order to use the apps’ advertised purposes. If submitted, this step signs the user up for a premium SMS subscription, which in some cases is described in fine print text below the call to action button, but not always. The apps’ advertised features are not unlocked after this step, instead, further SMS subscriptions options are shown or the apps stop working altogether.
“The apps are disguised as genuine apps through well-constructed app profiles on the Play Store. These profiles feature catchy photos, with well-written descriptions, and often have high review averages. However, when taking a closer look, they have generic privacy policy statements, feature basic developer profiles including generic email addresses,” explained Jakub Vávra. “Despite having high review averages, many have numerous negative reviews from users that correctly identified the apps as scams or have fallen for the scam. Unfortunately, children seem susceptible to these scams, based on the reviews left on the app profiles.”
How users can protect themselves against Premium SMS scams
Jakub Vávra recommends mobile users first and foremost disable premium SMS options with their carriers, unless absolutely necessary, to avoid even the most cautious users from falling victim. Additionally, he advises mobile users to carefully check reviews before downloading apps, as scam apps often have boosted review averages, but poor written reviews often serve as red flags. Furthermore, users should avoid entering personal information, such as phone numbers or email addresses. He also recommends always looking for and reading the fine print to avoid falling for scams like UltimaSMS. Finally, Jakub warns against downloading apps outside of official app stores, especially considering that many of the apps Avast discovered are still available for download outside of the Play Store.
The full list of the UltimaSMS apps Avast discovered can be found here.
