151 Android Apps Subscribed Users to Paid Services Without Consent
Security experts at Avast have uncovered a large-scale scam campaign, active since May 2021, involving more than 150 Android apps that were collectively downloaded about 10.5 million times. All of these apps were used to subscribe users to premium services without their knowledge.
The researchers named this campaign UltimaSMS and reported finding 80 related apps in the official Google Play Store. Although Google specialists responded quickly to the researchers’ report and removed the apps from the catalog, the scammers likely managed to make millions of dollars from these subscriptions before the takedown.
In total, 151 apps were involved in the UltimaSMS campaign. The malware disguised itself as games, customizable keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and more.
How the Scam Worked
When first launched, these apps used data obtained from the smartphone (including location information and IMEI) to set the language according to the user’s country. The app would then prompt the user to enter their mobile phone number and email address, supposedly to unlock all features.
After obtaining the phone number and necessary permissions, the app would subscribe victims to an SMS service costing up to $40 per month. The scammers received a percentage of this amount as “partners.” Worse yet, Avast reports that the app creators developed a special system to charge victims the maximum possible amount based on their location. After subscribing the user to a paid service, the app would either continue to display additional subscription options or stop working altogether.
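As an added example (not Avast's tooling and not code from the campaign), the sketch below shows a first-pass manifest triage a reviewer could run on a decoded AndroidManifest.xml to flag a utility-style app that asks for device identity together with location or SMS access. The permission groups, the flagging rule and the package names are assumptions made for illustration; the article does not list the permissions the apps requested.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption: the article names no permissions. These standard Android
# permissions stand in for the data it says the apps read (IMEI, location)
# and for the SMS subscription step.
SIGNALS = {
    "device-id": {P + "READ_PHONE_STATE"},
    "location": {P + "ACCESS_COARSE_LOCATION", P + "ACCESS_FINE_LOCATION"},
    "sms": {P + "SEND_SMS", P + "RECEIVE_SMS", P + "READ_SMS"},
}

def triage(manifest_xml):
    """Return the package name, matched signal groups, and a review flag."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID + "name")
            if name:
                perms.add(name.strip())
    hits = sorted(g for g, wanted in SIGNALS.items() if perms & wanted)
    # Assumed rule: flag for manual review when a device identifier is
    # requested together with location or SMS access.
    flagged = "device-id" in hits and len(hits) >= 2
    return {"package": root.get("package"), "signals": hits, "flagged": flagged}

# Constructed sample manifests with hypothetical package names.
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'

def _manifest(package, *perms):
    uses = "".join('<uses-permission android:name="%s%s"/>' % (P, p) for p in perms)
    return '<manifest %s package="%s">%s<application/></manifest>' % (NS, package, uses)

PLAIN_SCANNER = _manifest("com.example.qrscan", "CAMERA")
SUSPECT_SCANNER = _manifest("com.example.qrscan.pro", "CAMERA",
                            "READ_PHONE_STATE", "ACCESS_COARSE_LOCATION", "SEND_SMS")
LOCATION_ONLY = _manifest("com.example.filters", "CAMERA", "ACCESS_FINE_LOCATION")

if __name__ == "__main__":
    for sample in (PLAIN_SCANNER, SUSPECT_SCANNER, LOCATION_ONLY):
        print(triage(sample))
```

A flag here only marks the app for manual review; many legitimate apps request these permissions, so the result is a prioritization signal and not a verdict.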
Widespread Impact
Experts note that despite constant user complaints and Google’s actions, the campaign was extremely successful due to the large number of apps involved. The scammers simply kept adding new apps to UltimaSMS, ensuring a steady stream of new victims.
According to Sensor Tower, users in Egypt, Saudi Arabia, Pakistan, and the UAE were hit the hardest by this campaign, with millions of infections reported in these countries.
What to Do If You’re Affected
The full list of malicious apps discovered by researchers is available on GitHub. Experts remind users that deleting the malicious app will prevent new subscriptions, but it will not stop payments for existing ones. If you have been affected, you should contact your mobile carrier and ask them to cancel all active SMS subscriptions.