Avast experts discovered a large-scale fraudulent campaign that has been active since May 2021, involving 151 Android apps, with a total of about 10.5 million downloads. All of these apps were used to subscribe users to premium services without their notification.
Researchers named this campaign UltimaSMS and reported that they found 80 related apps on the official Google Play store. Although Google specialists quickly responded to the researchers’ report and removed the applications from the catalog, the attackers probably managed to “earn” millions of dollars from such subscriptions.In total, 151 applications were involved in the UltimateSMS campaign.
When this app was launched for the first time, the data received from the smartphone (including location information and IMEI) was used to set the language according to the country. The app then prompted the user to enter their mobile phone number and email address, ostensibly to gain access to all functions.
After that, having received a phone number and the necessary permissions, the application subscribed victims to an SMS service costing up to $ 40 a month. Fraudsters received a percentage of this amount as “partners”.
Even worse, Avast reports that the app authors created a special system that charged victims as much as possible based on their location. After subscribing to such a paid service, the application continued to display additional parameters for the subscription, or stopped working altogether.
Experts write that, despite constant user complaints and actions from Google, the campaign was extremely successful due to the large number of applications used. Fraudsters simply used more and more applications for UltimaSMS, ensuring a constant influx of new victims.
According to Sensor Tower, users from Egypt, Saudi Arabia, Pakistan and the United Arab Emirates were the most affected by the campaign. The number of infections in these countries is estimated at millions.
A complete list of malicious applications detected by researchers is available on GitHub. The experts remind that removing the malicious application will prevent the creation of new subscriptions, but will not prevent the payment of existing ones. Therefore, victims need to contact their telecom operator and ask them to cancel all active SMS subscriptions.
Let me remind you that we also talked about the fact that Mobdro streaming app turned Android devices into proxies for attackers.
