A fake Android app is turning the victim’s phone into an SMS forwarder
Researchers recently discovered a malicious Android app that can turn devices into SMS relays used to verify various accounts on the internet.
At the time of writing, the app has over 100,000 downloads on the Google Play Store and is still downloadable.
Usually, when people create an account online, they need to verify their identity via mobile phone and confirm that they are not a bot or spam user when creating the account. Users share their phone number and are sent a one-time passcode (OTP) to verify their identity.
Fake SMS app
For those who want to maintain an alias online, being able to create an account without sharing their own phone number may sound tempting, but the methods available are often dangerous for the uninitiated.
Researcher Maxime Ingrao, from cybersecurity support firm Evina, recently discovered Symoo, an app that advertises itself as a “simple SMS app”. Instead, all it does is forward SMS-based OTP codes to anonymous users, which may include threat actors, to create accounts elsewhere.
When the user installs the app, it asks for the SMS permission (this doesn’t cause a warning because the app is described as an SMS app). It will then ask for the user’s phone number and if they provide it, it will display a dummy loading screen showing a progress bar.
In the background, the remote operator uses the victim's number to request multiple two-factor authentication SMS messages, which the app forwards, helping them create accounts on various online services. After completing this stage, the application freezes and appears to be inactive.
In fact, Ingrao discovered that Symoo shared filtered SMS data with another app, called Virtual Number, which was no longer available on the Play Store.
However, the developer has a similar app available, called “Activation PW – Virtual Number”, which provides phone-number verification to assist anyone in creating an account. For $0.50, users can get a phone number and use it to verify accounts via SMS. This app has more than 10,000 downloads.
While there’s nothing wrong with virtual number services as such (even Google offers one in the form of Google Voice), users should uninstall this particular app as soon as possible, lest they fall victim to phishing.
Via BleepingComputer.