Millions of smartphone users fall victim to Android scam hidden in Tik-Tok advertisements

In a blog post published on Monday this week, Jakub Vavra described a large-scale operation to scam money out of Android users. Jakub, who works for security firm Avast as part of the threat operations team, termed this Android scam "UltimaSMS". While multiple apps were involved, “Ultima Keyboard Pro” was the first app that Jakub confirmed as being involved in the scam.

The fake apps I found feature a wide range of categories such as custom keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games, among others.
— Jakub Vavra

The attack appears to date back to May and has been ongoing ever since. It’s believed that at least 150 Android apps are involved - or were involved at one point or another - all of which have been available for users to download through the Google Play Store. It’s alarming, but what’s more worrying is that collectively, these applications have already been downloaded in excess of 10,500,000 times.

Since news broke, Google has pulled the affected applications from the Play Store. However, Jakub has already said that there could be more malicious applications out there. In his blog post, Jakub discussed how the affected apps were “essentially copies of the same fake app used to spread the premium SMS scam campaign.” This would appear to suggest that a single group is behind the attack.

Some of the suspicious markers that Jakub pointed out include cut-and-paste privacy policy statements, high volumes of negative reviews and developer profiles that include fake-looking email addresses for the developers.

And according to Jakub, while most users who downloaded the apps were located in the Middle East, U.S. and Poland, the scam has caught out Android users from as many as 80 countries worldwide.

How Does the UltimaSMS Android Scam Work?

The malicious party behind the UltimaSMS scam is utilising one of the most popular teen apps of this generation to do their bidding. Using enticing, upbeat video advertisements that are posted on Tik-Tok (among other social media sites, including Instagram and Facebook), Android users are encouraged to sign up for the myriad of malware-infected applications.

Once a user falls victim and installs one of these apps onto their device, it verifies their location, their device’s IMEI number and their phone number. This gives the malicious software the information it needs to effectively run the scam in the victim’s country.

Once the user opens the app, a screen, localized in the language their device is set to, prompts them to enter their phone number, and in some cases email address, to gain access to the app’s advertised purpose.
— Jakub Vavra

If the user confirms this information, the app actually subscribes the victim to a premium SMS service. From here on out, the device sends text messages to a number that charges them each and every time - and they aren’t small charges. Some victims have been snared for up to $40 or more each month, with users in some countries being hit harder.
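As an added example, not code from Avast's write-up or from this article, here is a small Python checker that runs over an SMS log export and flags the pattern just described: repeated outbound texts to a short code paired with subscription-style inbound text from the same code. The log layout, the 3-6 digit short-code length, the keyword list and the tariff parsing are all assumptions, and the log itself is constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of an SMS log export: (direction, counterpart number, body).
# Two benign short codes (an OTP sender and a one-off TV vote) sit beside a
# premium subscription that keeps generating outbound messages.
SAMPLE_SMS_LOG = [
    ("out", "+15551234567", "see you at 6"),
    ("in",  "90001", "Your one-time code is 482913"),
    ("out", "82828", "START VIDEOFX"),
    ("in",  "82828", "Welcome! You are subscribed to VIDEOFX. 5.00 USD/msg, reply STOP to cancel"),
    ("out", "82828", "VIDEOFX"),
    ("out", "82828", "VIDEOFX"),
    ("out", "55555", "VOTE 3"),
]

# Assumption: premium services bill through short numeric codes, not full E.164 numbers.
SHORT_CODE = re.compile(r"^\d{3,6}$")
# Assumption: wording typical of subscription confirmations.
SUBSCRIPTION_HINT = re.compile(r"subscri|charg|per (?:week|month)|/msg|reply stop", re.I)
# Assumption: a per-message price quoted as "5.00 USD" or "$5.00".
PRICE = re.compile(r"(\d+(?:\.\d{1,2})?)\s*(?:USD|\$)|\$(\d+(?:\.\d{1,2})?)")


def find_premium_sms_activity(log, min_outbound=2):
    """Group messages by short code and return {code: summary} for codes that
    show both repeated outbound traffic and a subscription-style inbound text."""
    by_code = defaultdict(lambda: {"outbound": 0, "inbound_hints": 0, "unit_cost": None})
    for direction, number, body in log:
        if not SHORT_CODE.match(number):
            continue                       # ordinary contacts are out of scope
        entry = by_code[number]
        if direction == "out":
            entry["outbound"] += 1
        elif SUBSCRIPTION_HINT.search(body):
            entry["inbound_hints"] += 1
            m = PRICE.search(body)
            if m and entry["unit_cost"] is None:
                entry["unit_cost"] = float(m.group(1) or m.group(2))
    flagged = {}
    for code, e in by_code.items():
        if e["outbound"] >= min_outbound and e["inbound_hints"] > 0:
            cost = e["unit_cost"]
            # Rough estimate of money lost so far; None if no tariff was quoted.
            e["estimated_charge"] = round(cost * e["outbound"], 2) if cost is not None else None
            flagged[code] = e
    return flagged


if __name__ == "__main__":
    for code, summary in find_premium_sms_activity(SAMPLE_SMS_LOG).items():
        print(code, summary)
```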

How to Avoid Malicious Apps on Android

Unfortunately, the creative freedoms afforded to Android developers mean that Android scams of this nature are more common than those found on iOS. To avoid falling victim to an Android scam, you should be wary of the apps that you choose to download. Make sure that you always check out user reviews before pulling the trigger, and don’t give away your phone number to unverified or suspicious applications.

Ironically, some of the privacy policies detailed by these fake applications clearly set out their intentions. However, not all of them did, and far be it from most smartphone users to read through the privacy statement of every new application they install.

More importantly, be sure that you educate your kids on how to avoid Android scams. According to Jakub, “based on some of the user accounts that left negative reviews, it looks like children are among the victims.”
