Google Play Store is being flooded with SMS scam apps

Scammy apps also advertised on TikTok and Instagram

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Criminals flooded theGoogle Play Storewith scam applications that surreptitiously signs users into premium SMS services.

Researchers by asecurity vendorAvastdiscovered a campaign it has named UltimaSMS, which so far has uncovered 150 scammy apps.

According to Avast, the apps have been collectively downloaded over 10 million times, and can cost victims, who are not rewarded any type of return, upwards of $40 per month, depending on their location andmobile carrier.

We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.

Click here to start the survey in a new window«

“The apps are all nearly identical in terms of how they function, which leads me to believe that a single actor or group of bad actors is behind the campaign,” said Jakub Vávra, threat analyst at Avast.

Disguised as legitimate apps

Avast’s research has revealed that the apps disguise themselves as custom keyboards,QR code scanners,video editorsandphoto editors, spam call blockers, camera filters, andmobile games, among others.

Vávra says the apps promote themselves via ads onsocial medianetworks, such asTikTokandInstagram, which he believes is a telling sign about the size and impact of this particular campaign.

Once downloaded, the apps check the users’ device location, IMEI, and phone number to determine in which language to display the scam.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“The apps are disguised as genuine apps through well constructed app profiles on thePlay Store….However, when taking a closer look, they have generic privacy policy statements, feature basic developer profiles including generic email addresses,” explains Vávra.

Avast reported the scammy apps toGoogle’s Security Team, which resulted in their swift removal from the Play Store.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Windows PCs targeted by new malware hitting a vulnerable driver

Dangerous Android banking malware looks to trick victims with fake money transfers

Apple iMac 24-inch M4 (2024) review: the best, and most colorful, all-in-one computer levels up