A fake Android SMS application, with 100,000 downloads on the Google Play Store, has been discovered to secretly act as an SMS relay for an account creation service for sites such as Microsoft, Google, Instagram, Telegram and Facebook.
A researcher says the infected devices are then rented out as “virtual numbers” for passing a one-time passcode used to authenticate a user when creating new accounts.
While the app has an overall rating of 3.4, many user reviews complain that it is fake, hijacks their phones, and generates multiple OTPs (one-time passwords) upon installation.
“Fake app I just download this app 4-5 times from Google OTP, Airtel payment, Bank OTP, dream11 OTP, etc. OTP type comes at the time of login,” reads one of the reviews.
Symoo was discovered by Evina’s security researcher Maxime Ingrao, who reported it to Google, but has yet to hear from the Android team. At the time of writing, the app remains available on Google Play.
.png?resize=452%2C600&ssl=1)
BleepingComputer has also contacted Google about Symoo, and we’ll update this story as soon as we receive a response.
Routing 2FA codes
When installed on the device, the app requests access to send and read SMS, which sounds normal given that Symoo markets itself as an “easy to use” SMS app.
The first screen asks the user to provide their phone number; after that it overlays a fake loading screen that supposedly shows the progress of loading resources.
However, this process takes longer, allowing the remote operators to send multiple 2FA SMS texts (two-factor authentication) for creating accounts on different services, read their contents and send them back to the operators.
When completed, the app freezes and never reaches the promised SMS interface, so users will usually delete it.
By then, the app will have already used the Android users’ phone numbers to generate fake accounts on various online platforms, and reviewers say their messages are now filled with one-time passcodes for accounts they never created.
Selling the bills
Since phone numbers are often the only way to verify accounts, people seeking to engage in illegal or anonymous activity find these pseudonymous accounts useful.
In addition, Maxime Ingrao discovered that the Symoo app exfiltrates SMS data to a domain used by another application, ‘Virtual Number’, which was once also on Google Play but has since been removed.
The developer of the “Virtual Number” app has also created another app on Google Play called “ActivationPW – Virtual numbers”, downloaded 10,000 times, which offers “Online numbers from more than 200 countries” that you can use to create a . to create an account.
This app allows users to “rent” a number for less than 50 cents and, in many cases, use that number to verify the account.
While it is unconfirmed, it is believed that the Symoo app is used to receive and forward OTP verification codes that are generated when people create accounts with ActivationPW.
If you use these apps, you should uninstall them, if nothing else, because they copy your SMS content to their own servers.
Their privacy policy also discloses this behavior, although they say it is “spam blocking and backup services”.
“Revenue SMS (We store SMS as part of the spam block and backup services with our third party platform, cloud storage or telecom provider. (Note: We do not otherwise share these recordings with third parties),” reads Symoo’s privacy policy.