Threat actors are reportedly using malicious Android apps to scam users into signing up for fraudulent premium SMS subscription services. The scam results in victims racking up massive phone bill charges. The campaign is reportedly being driven by TikTok ads. Security firm Avast first uncovered the campaign, which it has named UltimaSMS. The fake apps range from keyboard apps to QR code scanners, games, and camera filters, according to Avast. At least 151 fraudulent apps are part of the campaign, and collectively they have been downloaded more than 10 million times.
The campaign appears to have started in May and is still active. The apps were available on the Google Play Store at some point during the campaign, and more continue to pop up as Google takes them down. The Google Play Store has been consistently plagued by fake apps spreading malware or malicious content. The apps are advertised with profiles that seem legitimate; however, closer inspection shows negative reviews and generic privacy policy statements. The campaign appears to affect more than 80 countries.