Google Play Store is the official app store for Android. It should be the safest among all Android app stores, but yet, it's still riddled with malicious apps.
Scammers lurk in the shadows, waiting in patience, waiting for the perfect time to ambush their victims. While Google periodically removes dangerous apps, more than plenty of malicious apps can slip through the crack, and claim a number of victims before they are found.
And this is what exactly happened, as a cyberthreat campaign called the 'UltimaSMS' has been around using fake apps that are distributed through Google's Play Store.
The goal of the campaign is to enroll victims for expensive SMS services and leak money from their plans/accounts.
A total of 151 apps that are part of the scam campaign have been found.
As reported by cybersecurity software company Avast, the scam campaign has been running for months, claiming more than 10 millions of victims.
The apps look legit, making them capable of fooling people into thinking that they're useful apps, when in fact, they are only there to scam them out of their money.
When Android users download and install one of the apps, the apps will automatically check their location, International Mobile Equipment Identity (IMEI), and phone number. This information is then used to determine which country, area code and language to use these details to fool victims.
When victims open the app, the malicious app will prompt a screen asking victims to enter their phone number, and/or email address.
Entering one's phone number will automatically subscribe that number to premium SMS service that can cost as much as $40 a month.
Due to a loophole on Google Play Store, victims may not realize that they've been subscribed to a service they don't want, because they would be would be charged weekly.
The 151 apps include games, popular keyboard apps, camera filters, spam call blockers, photo- and video-editing apps, and other utility apps.
“The apps discovered are essentially identical in structure, meaning the same base app structure is repurposed numerous times. These copies are disguised as genuine apps through well constructed app profiles on the Play Store,” the team at Avast explained.
"The profiles feature catchy photos and enticing app descriptions alongside often high review averages. However, upon closer inspection, they have generic privacy policy statements and feature basic developer profiles including generic email addresses. They also tend to have numerous negative reviews from users that correctly identified the apps as scams or have fallen for the scam."
Making matters worse, many of these apps are also advertised on Facebook, Instagram and TikTok, among others.
“The sole purpose of the fake apps is to deceive users into signing up for premium SMS subscriptions. While some of the apps include fine print describing this to users, not all of them do, meaning many people who submitted their phone numbers into the apps might not even realize the extra charges to their phone bill are connected to the apps,” Avast explained.
These scam SMS apps have tricked victims in more than 80 countries, with most victims coming from the UAE, Egypt, Saudi Arabia, Pakistan, the U.S. and Poland.
While Google has removed the 151 apps, there is always the chance that a similar incident will happen again.
This is why Android users need to always check app details and reviews before downloading. And while Google Play Store is not a guarantee that apps are safe, it's safer to download apps from the app store than using third-party app stores that likely to have less scrutiny.
People may also want to disable premium SMS option by contacting their carrier. Disabling premium SMS can effectively render scams like the UltimaSMS harmless.