A fake Android SMS application, with 100,000 downloads on the Google Play store, has been discovered to secretly act as an SMS relay for an account creation service for sites like Microsoft, Google, Instagram, Telegram, and Facebook.
A researcher says the infected devices are then rented out as “virtual numbers” for relaying a one-time passcode used to verify a user while creating new accounts.
While the app has an overall rating of 3.4, many user reviews complain that it is fake, hijacks their phones, and generates multiple OTPs (one-time passwords) upon installation.
“Fake app I just download this app 4-5 times of OTP by Google, Airtel payment, Bank OTP, dream11 OTP, etc. Type of OTP comes at the time of login,” reads one of the reviews.
Symoo was discovered by Evina’s security researcher Maxime Ingrao, who reported it to Google but has yet to hear back from the Android team. At the time of writing, the app remains available on Google Play.
BleepingComputer has also contacted Google about Symoo, and we will update this story as soon as we receive a response.
Routing 2FA codes
Upon installation on the device, the app requests access to send and read SMS, which sounds normal since Symoo markets itself as an “easy to use” SMS app.
On the first screen, it asks the user to provide their phone number; after that, it overlays a fake loading screen that supposedly shows the progress of loading resources.
However, this process is prolonged, allowing the remote operators to send multiple 2FA (two-factor authentication) SMS texts for creating accounts on various services, read their content, and forward it back to the operators.
When completed, the app will freeze, never reaching the promised SMS interface, so users will typically uninstall it.
By this time, the app will have already used the Android users’ phone numbers to generate fake accounts on various online platforms, and reviewers say that their messages are now filled with one-time passcodes for accounts they never created.
Selling the accounts
Since phone numbers are often the only possible way to verify accounts, people who want to engage in illegal or anonymous activities find these pseudonymous accounts useful.
Additionally, Maxime Ingrao discovered that the Symoo app exfiltrates SMS data to a domain used by another application, ‘Virtual Number,’ that was also on Google Play at some point but has since been removed.
The developer of the ‘Virtual Number’ app also created another app on Google Play called ‘ActivationPW – Virtual numbers,’ downloaded 10,000 times, which offers “Online numbers from more than 200 countries” that you can use to create an account.
Using this app, users can “rent” a number for less than 50 cents and, in many cases, use that number to verify the account.
While it is unconfirmed, it is believed that the Symoo app is used to receive and forward OTP verification codes generated when people create accounts using ActivationPW.
If you are using these apps, you should uninstall them, if nothing else, because they copy your SMS content to their own servers.
Their privacy policy also discloses this behavior, though they say it is to “spam block and back up services.”
“Income SMS (we store sms as part of the spam block and back up services with our third-party platform, cloud storage or telecom provider. (Note that we do not otherwise share these recordings with third parties),” reads the Symoo privacy policy.
