A massive fraud campaign using over 150 Android apps has been uncovered. The apps have over 10 million downloads. The campaign steals users’ money by registering subscriptions for them without their knowledge.
Researchers at Avast who discovered the campaign named it UltimaSMS. They reported over 80 apps they found on the Google Play store to Google. Google was quick to remove the apps, but the fraudsters likely made millions of dollars in fraudulent subscription charges.
In total, the campaign involved over 150 apps that pretended to be discount games, apps, and more.
The apps use the smartphone’s data, such as IMEI and location, to match the language of the device. The app then prompts the user to enter their mobile phone number and email address to access the program’s features.
The app subscribes the victim to a monthly SMS service for $40, a charge the scammers receive as an affiliate partner.
According to Avast, the developers of these apps try to charge their victims the maximum fee based on their location.
Despite the number of bad reviews they received, most of these apps were still installed due to the sheer volume of app submissions.
By using a large number of apps for their “UltimaSMS” campaign, the scammers were able to keep stealing money from victims on the Play Store even though Google regularly took down their apps.
In total, Sensor Tower discovered that over a million users were infected in various countries, including Egypt, Pakistan, and the United Arab Emirates. In the U.S., the number of infected devices was 170,000.
Uninstalling these apps only prevents new subscription registrations from being made; the victim will still be charged again for subscriptions already registered. To avoid this, contact your carrier and cancel all SMS subscriptions.