A fake photo editor, camera filter, games and other apps promoted via Instagram and TikTok channels
Last week, I reported to Google’s Security Team 80 apps belonging to a premium SMS scam campaign, which signs victims up for expensive premium SMS services that earn a bad actor or actors money while ultimately leaving victims completely empty-handed. This led to their swift removal from the Google Play Store. The apps that I discovered are part of the UltimaSMS campaign, consisting of 151 apps that at one point or another had been available for download on the Google Play Store. These apps have been downloaded more than 10.5 million times and are nearly identical in structure and functionality, essentially copies of the same fake app used to spread the premium SMS scam campaign. This leads me to believe that one bad actor or group is behind the entire campaign. I have dubbed the campaign “UltimaSMS” because one of the first apps I discovered was called Ultima Keyboard 3D Pro.
The fake apps I found span a wide range of categories such as custom keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games, among others. UltimaSMS appears to be a global campaign: according to insights from Sensor Tower, a mobile apps marketing intelligence and insights company, the apps have been downloaded by users from over 80 countries. The apps have been most downloaded by users in the Middle East, such as Egypt, Saudi Arabia, and Pakistan, followed by users in the US and Poland. Avast has traced the earliest UltimaSMS samples to May 2021, and new samples from the campaign were released earlier this month, meaning that the scam is still ongoing.
The above table shows the top 10 countries where the apps have been downloaded, according to Sensor Tower
When a user installs one of the apps, the app checks their location, International Mobile Equipment Identity (IMEI), and phone number to determine which country area code and language to use for the scam. Once the user opens the app, a screen, localized in the language their device is set to, prompts them to enter their phone number, and in some cases, email address to gain access to the app’s advertised purpose.
Some of the many prompts that users can encounter upon opening the apps. They differ based on the country and are localized. Not all of them include fine print warning users of the potential charges.
Upon entering the requested details, the user is subscribed to premium SMS services that can charge upwards of $40 per month depending on the country and mobile carrier. Instead of unlocking the apps’ advertised features, which users might assume should happen, the apps will either display further SMS subscription options or stop working altogether. The sole purpose of the fake apps is to deceive users into signing up for premium SMS subscriptions. While some of the apps include fine print describing this to users, not all of them do, meaning many people who submitted their phone numbers into the apps might not even realize the extra charges to their phone bill are connected to the apps.
After entering a phone number and/or email address, the apps will continue to display further SMS subscriptions or stop working altogether
Once subscribed, the premium SMS are charged weekly and, from what I can tell, appear to be the maximum possible amount that can be charged in the country the user is from. Many countries limit the amount of premium SMS charges that can occur within a week. The user may be notified by their carrier of the excessive charges, but they could also go unnoticed for weeks or months. Affected users may dismiss the apps as nonfunctional and uninstall them. However, the SMS charges will continue and could add up to an unpleasant sum.
Users often correctly recognize the scam apps in reviews
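The weekly billing pattern described above can be spotted in an itemized phone bill. The following is an added example, not part of the original report: it assumes a constructed statement format (date, sender label, amount) with hypothetical short codes, and flags senders that charge at a roughly seven-day cadence.

```python
from collections import defaultdict
from datetime import date

# Constructed sample statement lines: (ISO date, sender label, amount).
# The short codes and amounts are hypothetical, not taken from the campaign.
SAMPLE_CHARGES = [
    ("2021-09-06", "PREMIUM-SMS 55501", 9.99),
    ("2021-09-13", "PREMIUM-SMS 55501", 9.99),
    ("2021-09-20", "PREMIUM-SMS 55501", 9.99),
    ("2021-09-27", "PREMIUM-SMS 55501", 9.99),
    ("2021-09-10", "PREMIUM-SMS 77702", 2.50),  # one-off charge
    ("2021-09-01", "MONTHLY PLAN", 30.00),
    ("2021-10-01", "MONTHLY PLAN", 30.00),
]


def find_weekly_subscriptions(charges, min_hits=3, tolerance_days=1):
    """Return senders whose charges all recur about every 7 days.

    min_hits: minimum number of charges before a sender is reported.
    tolerance_days: allowed drift around the 7-day interval.
    """
    by_sender = defaultdict(list)
    for day, sender, amount in charges:
        by_sender[sender].append((date.fromisoformat(day), amount))

    findings = []
    for sender, items in by_sender.items():
        if len(items) < min_hits:
            continue  # too few charges to call it a recurring pattern
        items.sort()
        gaps = [(b[0] - a[0]).days for a, b in zip(items, items[1:])]
        if all(abs(gap - 7) <= tolerance_days for gap in gaps):
            findings.append({
                "sender": sender,
                "charges": len(items),
                "first": items[0][0].isoformat(),
                "last": items[-1][0].isoformat(),
                "total": round(sum(amount for _, amount in items), 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_weekly_subscriptions(SAMPLE_CHARGES):
        print(finding)
```

A flagged sender is a prompt to ask the carrier which subscription it belongs to and to cancel it there, since uninstalling the app does not stop the charges.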
UltimaSMS has been propagated through advertising channels on popular social media sites such as Facebook, Instagram and TikTok, as seen with other recent scams and cases of adware. There are numerous catchy video advertisements targeting users on these social media platforms. It speaks to the size and impact of this particular strain of scam apps, as the malicious actors are spending funds to boost downloads. Premium SMS scams are increasingly prevalent, as evidenced by Zimperium’s reporting of GriftHorse, for example. In fact, these types of scams are not new at all; they appear to just be making a comeback. Years ago there were malware families that would secretly use dial-up modems to dial premium services, racking up thousands of dollars in charges.
Advert shown on Facebook for the Projector HD/AR Video Editor app