Avast has conducted a thorough investigation into a premium SMS scam campaign named UltimaSMS. The campaign consisted of apps that were available to download from the Google Play Store. Once installed, these apps would ask for your information in order to subscribe you to a premium service that could cost you $40 a month.
Avast’s investigation uncovered 151 apps linked to the UltimaSMS campaign. The first was Ultima Keyboard 3D Pro, for which the campaign was named. You can check the complete list of apps on Avast’s GitHub.
In total, users downloaded the scammy apps over 10.5 million times in over 80 countries, including the US (170,000 downloads). Google has already banned all 151 flagged apps from the Play Store but doesn’t have the power to uninstall them from a user’s device. Users with any of the listed apps should uninstall them immediately.
Disguised as custom keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games, these apps would check the phone’s location, IMEI, and phone number to “determine which country area code and language to use for the scam.”
After opening the app, users would be presented with a prompt to enter their phone number, and sometimes their email address, supposedly so they could access the app’s advertised features. After giving their details, users would instead be subscribed to premium SMS services that charge up to $40 a month. If users tried to access the apps’ advertised features, they would be presented with more SMS subscriptions, or the app would just stop working.
Google has already done multiple cleanups of the Play Store in the past, removing apps infested with Windows malware and adware, and even stalking apps.
As Android malware becomes more common, Google has to be more restrictive about the apps entering its platform. Unlike Apple, which is known for meticulously reviewing all apps before they are uploaded to the App Store, Google’s app review process is faster, easier to pass, and less complex. In comparison, Apple may take up to a week before deeming an app safe to use, while Google usually takes less than two days.
Maybe it’s time for Google to change its process, betting on a more robust and secure approach to ensure its users are safe from these nefarious apps.