Researchers are warning against ongoing attacks by an Android malware that subscribes victims to premium services. The malware, named SMSFactory, attempts to infect tens of thousands of users across eight countries.


SMSFactory has already targeted more than 165,000 Avast customers from May 2021 to May 2022. Most of the victims were located in Brazil, Ukraine, Argentina, Russia, and Turkey.
  • The main goal is to send premium texts and make calls to premium phone numbers. However, the malware can steal the contact lists on infected devices as a further distribution method for the threat.
  • It spreads via different methods that include push notifications, malvertising, promotional pop-ups on sites, videos offering hacks for games, or adult content access.
  • The malicious APK packages containing the malware are being hosted on unofficial app stores (such as APKMods and PaidAPKFree) which lack vetting and proper security policies for the listed products.

Stealthy approach

The app has no assigned name or icon and it removes the app icon from the screen. As a result, most victims assume that something went wrong with the installation and don't give another thought to the app.

More insights

The malicious APK comes under different names and attempts to install itself on the device.  
  • A warning is shown by Play Protect, intimating the users about the potential security risk from the file.
  • The requested permissions upon installation include access to location data, SMS, managing overlay, ability to make phone calls, send SMS, wake lock, vibrate, and use the entire screen.


SMSFactory is spreading rapidly right now and Android users are suggested to stay vigilant. They are recommended to download apps only from trusted sources. Further, try to use a minimum number of apps and make sure to read reviews before installing anything on the smartphone.

Cyware Publisher