Mobile phones, 01.12.2022, 11:00 AM
A malicious Android SMS app discovered in the Google Play Store surreptitiously collects messages with OTP (one-time) passwords used to create accounts on a wide range of platforms such as Facebook, Google and WhatsApp.
Before it was removed from the Play Store, the Symoo app (com.vanjan.sms) had more than 100,000 downloads. It functions as a relay for sending messages to the server, which is advertised as an account creation service.
Infected devices are rented as “virtual numbers” for one-time codes that are sent for verification when creating new accounts.
The app has an overall rating of 3.4, but in reviews, many users complain that the app is fake, that it downloads their phones and generates OTPs (One Time Codes) after installation.
After installation on the device, the application requires access to send and read SMS, which seems legitimate since Symoo presents itself as an “easy-to-use” SMS application.
As Maksim Ingrao explained, security researcher who discovered this app, the user is asked to enter their phone number on the first screen.
“Then it is [malver] pretends to load the application, but remains on this page all the time to hide the interface of the received SMS and so that the user does not see SMS subscriptions to different services”, says Ingrao.
The process of allegedly loading the app is extended, allowing operators to send multiple 2FA (two-factor authentication) SMS messages to create accounts on different services and read their contents.
Once that’s done, the app will freeze and never show the promised SMS interface, so users usually uninstall it after that.
Until then, the app will use the user’s phone number to generate fake accounts on various online platforms, with users reporting in reviews that many of their messages include one-time passwords for accounts they never created.
Since phone numbers are often necessary for account verification, these fake accounts can be very useful.
Some of the platforms where accounts were illegally registered using hijacked phone numbers include Amazon, Discord, Facebook, Google, Instagram, KakaoTalk, Microsoft, Nike, Telegram, TikTok, Tinder, Viber and WhatsApp, among others.
Ingrao also discovered that the SMS data collected by the malware is exfiltrated to the domain “goomy[.]fun”, which was previously used in another malicious app called Virtual Number (com.programmatics.virtualnumber), which was also available on Google Play for a while.
The app’s developer, Walven, is also linked to another Android app called ActivationPW – Virtual numbers (com.programmatics.activation), which has had 10,000 downloads, and offers “virtual numbers for SMS verification” from over 200 countries for less from 50 cents.
Although not confirmed, it is believed that the Symoo app is used to receive and forward OTP verification codes generated when people create accounts using ActivationPW.
The developer of these apps is blocked from the Google Play Store.