Security researchers detected a global, large-scale premium SMS campaign that leverages 151 malicious Android apps downloaded 10.5 million times. The end goal of the campaign, called UltimaSMS, is to sign users up for premium subscription services without their knowledge or consent.
UltimaSMS Campaign: Malicious Android Apps Promoted via Instagram, TikTok, and Facebook
According to Avast researcher Jakub Vavra, the various apps were promoted via TikTok and Instagram channels. The fake apps the researchers discovered belong to categories such as “custom keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games, among others.”
“UltimaSMS appears to be a global campaign, as according to insights from Sensor Tower, a mobile apps marketing intelligence and insights company, the apps have been downloaded by users from over 80 countries,” the researchers added. The largest number of users who downloaded the apps are in the Middle East, including countries such as Egypt, Saudi Arabia, and Pakistan, followed by users in the United States and Poland. The earliest samples date back to May 2021. However, new UltimaSMS samples were released earlier this month, meaning that the scam operation is ongoing, Avast noted.
How does the UltimaSMS scam campaign work?
Once one of the apps is installed on a user’s Android device, it checks the device’s location, IMEI (International Mobile Equipment Identity) number, and phone number. The app then “decides” which language and country area code to apply for the scam.
“Once the user opens the app, a screen, localized in the language their device is set to, prompts them to enter their phone number, and in some cases, email address to gain access to the app’s advertised purpose,” the report said.
It is also noteworthy that the campaign has been distributed through advertising channels on Facebook, Instagram, and TikTok. The numerous catchy video ads targeting users on these specific social media platforms speak to the volume and impact of the campaign, and prove that the malicious actors behind it “are spending funds to boost downloads.”
This is not the first such campaign detected by security researchers. Zimperium zLabs recently revealed the discovery of the GriftHorse malicious campaign.
A nefarious Android trojan called GriftHorse, hidden in an aggressive mobile premium services campaign, stole hundreds of millions of euros. The trojan had been using malicious Android applications to leverage user interactions for wider reach and infection.