Researchers recently discovered a malicious Android application that turns infected devices into SMS relays used to verify various accounts on the internet.
At the time of writing, the app has over 100,000 downloads on the Google Play Store and is still available for download.
When people create accounts online, they often need to verify their identity through their mobile phone and confirm that they are neither bots nor users creating multiple accounts. Users share their phone numbers and receive a one-time passcode (OTP) that verifies their identity.
Fake SMS applications
For those who want to remain online under a pseudonym, being able to create online accounts without having to share their phone numbers sounds appealing, but the methods available often put innocent people at risk.
Researcher Maxime Ingrao, of the cybersecurity support company Evina, recently discovered Symoo, an app that advertises itself as a “simple SMS application”. Instead, it just forwards SMS-based OTP codes to anonymous users, including potential threat actors, to create an account elsewhere.
When users install the app, it asks for SMS permissions (which shouldn’t raise any alarm, since it is described as a texting app). It then asks for the user’s phone number and, if they provide it, displays a fake loading screen with a progress bar.
In the background, it lets remote operators send multiple text messages carrying two-factor authentication codes to the device and relays those codes back to them, which allows the operators to create accounts on various online services. Once this stage is complete, the app crashes and appears to stop working.
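An added triage example, not code from the article or from Evina: a Python script that parses `adb shell dumpsys package` output (the sample below is constructed here, with placeholder package names) and lists which installed apps currently hold SMS permissions, which is where a review of a device running an app like the one described would start.

```python
import re
from typing import Dict, List

# Permissions that let an app read or intercept SMS-delivered one-time codes.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

# Constructed sample in the shape of `adb shell dumpsys package` output.
# Not captured from the real app; package names are placeholders.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.simplesms] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true
      android.permission.READ_SMS: granted=true
  Package [com.example.flashlight] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
    runtime permissions:
      android.permission.CAMERA: granted=false
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
# A "requested" line has no granted= suffix; a runtime/install line does.
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)(?:: granted=(true|false))?\s*$")


def granted_sms_permissions(dumpsys_text: str) -> Dict[str, List[str]]:
    """Map each package to the SMS permissions it currently holds (granted=true)."""
    result: Dict[str, List[str]] = {}
    current = None
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            result.setdefault(current, [])
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(2) == "true" and perm.group(1) in SMS_PERMISSIONS:
            result[current].append(perm.group(1))
    return result


def packages_holding_sms(dumpsys_text: str) -> List[str]:
    """Packages worth a closer look: anything that can read or receive SMS."""
    return [pkg for pkg, perms in granted_sms_permissions(dumpsys_text).items() if perms]


if __name__ == "__main__":
    for pkg, perms in granted_sms_permissions(SAMPLE_DUMPSYS).items():
        print(pkg, "->", ", ".join(perms) or "(no SMS permissions)")
```

Holding SMS permissions is expected for a genuine texting app, so the list is a starting point for review (does the app's purpose justify it, does it talk to remote servers), not a verdict on its own.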
In fact, Ingrao discovered that Symoo shares the exfiltrated SMS data with another app, called Virtual Number, which is no longer available on the Play Store.
However, the developer has a similar app available called “Activation PW – Virtual numbers”, which provides real phone numbers to help anyone create accounts. For $0.50, users can grab a phone number and use it to verify an account via SMS. This app has over 10,000 downloads.
While there is nothing inherently wrong with a virtual number service (even Google offers one in the form of Google Voice), users are advised to uninstall this particular app as soon as possible; otherwise they remain exposed to fraud.
Via BleepingComputer.