Although Samsung only offers updates via official channels, over 10 million Samsung owners installed a scam app claiming to offer OEM builds of the latest Android OS. The “Updates for Samsung” app masqueraded as a one-stop shop for OS updates. Instead, it redirected you to an ad farm that would then charge real money to download firmware updates.

In a report by CSIS Security Group (via The Next Web), the researchers claim that more than 10 million people downloaded and installed the app on their Samsung phones. Despite this severely dodgy practice, the app is still live on the Google Play Store.

[Update 07/08]: The app has now been pulled from the Google Play Store after The Verge contacted Google, which confirmed that the app has been “suspended” for violating its Play Store policies.

Just last week, the team behind the app, Updato, told BleepingComputer that it was pulling the app itself to “remove the firmware service portion and non-Google payments.” They remained adamant, though, that their app still offers “convenience to [their] audience.”

Considering that over 10 million downloads were amassed since the application was launched six years ago, even if only a small portion of those users were duped into paying for free OTA updates, that would be a sizeable volume of cash. At least, for now, you need not worry about whether your friends or relatives are being scammed over free OTA updates.

The app is stuffed with ads, but because it lets you search for your device’s firmware via the “Download Firmware” section, it’s easy to see how you could be duped. The app developers are not only duping owners, but they are also distributing Samsung firmware without any affiliation with Samsung — no doubt illegally.

An annual subscription of $34.99 gives anyone using the app access to all of the firmware downloads for their device. Of course, all of these updates are available for free through official Samsung channels. The scammers are not using the official Google Play subscriptions protocol. Instead, the app simply asks for your credit card information and sends it to an API endpoint at updato[dot]com over HTTPS.

The app does offer a “free” tier for firmware downloads, but it only allows download speeds of 56 Kbps in an attempt to funnel unsuspecting people into the paid tier. Many reviewers have noted that at this speed, the download will time out or fail after a little while.

CSIS’s report also points out that the counterfeit application even offers bogus SIM unlocking for $19.99. Again, payment is made via an external payment method rather than Google Play subscriptions.

While this app doesn’t install any malware on your device, it is still a very shady app developed to make wallets lighter around the world. It may be worth checking with your friends and relatives to see if they are paying for free firmware updates on their Samsung phones. It’s a devilish scam that many people looking for Samsung phone updates have fallen for.

Check out 9to5Google on YouTube for more news: