KEY POINTS

  • Fake apps posing as legitimate applications are victimizing consumers
  • A new scam consisting of 151 fake apps can empty consumers' wallets, debit cards and online banking accounts
  • Google has already removed all 151 apps from the Play Store

Search engine giant Google has confirmed that more than 150 malicious apps, approved for the Play Store and disguised as legitimate apps, have been downloaded by millions of Android users across 80 countries. Those users were unaware that the apps contain scams that trick them into authorizing premium SMS subscriptions that charge up to $40 monthly.

Following the scam's discovery, cybersecurity company Avast released a blog post detailing the new modus operandi of the threat actors and hackers. The scam campaign, dubbed UltimaSMS, consists of 151 apps, all of which were at some point available for download on the Google Play Store.

These apps have been downloaded more than 10.5 million times and are essentially copies of the same fake apps previously used to spread the premium SMS scam. The "fake apps I found feature a wide range of categories such as custom keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games, among others," the blog post claimed.

"The apps have been most downloaded by users in the Middle East, such as Egypt, Saudi Arabia, Pakistan, followed by users in the U.S. and Poland. Avast has traced the earliest UltimaSMS samples to May 2021 and new samples from the campaign were released earlier this month, meaning that the scam is still ongoing," Avast added.

How does this scam work? Once the user installs one of the apps, the app automatically checks the device's location, International Mobile Equipment Identity (IMEI) and contact number to determine the user's country area code and language. When the user opens the app, a screen pops up with a message in the localized language asking them to key in their phone number or email address to access the app.

As soon as the user provides the requested details, a subscription to premium SMS services that charge up to $40 per month is activated.

"Instead of unlocking the apps' advertised features, which users might assume should happen, the apps will either display further SMS subscriptions options or stop working altogether," Avast explained.

Google has confirmed the report and removed all 151 malicious apps from the Play Store. This way, new users will not be tricked by this horrible UltimaSMS scam. Unfortunately, those who have already downloaded these apps will still be in trouble until they uninstall them and report the issue to their carrier to have all premium SMS messages disabled.

Consumers can check the complete list of all 151 apps provided by Avast.