Photo by Rafapress / Shutterstock.com
Evina’s cybersecurity researcher Maxime Ingrao has discovered a fake Android SMS app called Symoo with over 100,000 downloads on the Googe Play Store that’s acting as an SMS relay for an account creation service for platforms like Microsoft, Google, Instagram, Telegram and Facebook.
Ingrao has since reported the app to Google but is yet to hear anything from the Android team. The app does have an overall rating of 3.4 on the Play Store, with 192 reviews. Many reviews claim that it’s fake and generates multiple OTPs upon installation. The app is still available on Google Play Store when writing.
Since the app claims to be an SMS app, requesting permission to read and send SMS is nothing out of the ordinary. However, once the required permissions are given, users are asked for their phone numbers and then taken to a prolonged loading screen.
While the app shows this loading screen, threat actors use the victim’s phone number to create multiple accounts on the aforementioned sites and then freeze the app once they’re done. This often leads to the user being frustrated and deleting the app shortly after.
Ingrao also discovered that the app extracts all captured SMS data to an external domain used by another app called “Virtual Number”, which was previously available on Google Play Store, but has since been taken down. The developer of this app also has another app called “ActivationPW” on the Play Store, downloaded over 10,000 times, that claims to offer online numbers from more than 200 countries for rent for less than 50 cents.
It seems like ActivationPW and Symoo work in tandem to receive and forward OTP codes generated every time the former is used to create an account; it is, however, unconfirmed at the moment whether or not the two apps are linked. Symoo’s privacy policy goes as far as to state this behaviour clearly, although they claim to do so to block spam and backup messages.
In the News: Hackers hijack TikTok’s ‘invisible challenge’ trend to push malware
