Malicious Android app hiding within safe apps

Malicious Android app found running an account creation service

A fake Android SMS app, with 100,000 downloads on the Google Play Store, was discovered to secretly act as an SMS relay for an account creation service for sites like Microsoft, Google, Instagram, Telegram and Facebook.

One researcher says infected devices are then rented out as “virtual numbers” to relay the one-time passcodes used to verify users creating new accounts.

While the app has an overall rating of 3.4, many user reviews complain that it is fake, hijacks their phones, and generates multiple one-time passwords (OTPs) upon installation.

“Fake app, I downloaded this app 4-5 times OTP from Google, Airtel pay, Bank OTP, dream11 OTP etc OTP type comes at login time,” reads one review.

Symoo app and user reviews on Google Play

Symoo was discovered by Evina security researcher Maxime Ingrao, who reported it to Google but received no response from the Android team. At the time of writing, the app is still available on Google Play.


BleepingComputer has also contacted Google about Symoo, and we’ll update this story as soon as we hear back.

Forwarding 2FA codes

When installed on the device, the app asks for access to send and read SMS, which seems natural since Symoo markets itself as an “easy-to-use” SMS app.

On the first screen, it asks the user to provide their phone number. After that, it overlays a fake loading screen that supposedly shows the progress of loading resources.

However, this process is lengthy, giving remote operators time to send multiple 2FA (two-factor authentication) SMS texts for creating accounts on various services, while the app reads their content and forwards it to the operators.

When it is completed, the application will freeze, and it will never reach the promised SMS interface, so users will usually uninstall it.

By this time, the app will have already used Android users’ phone numbers to create fake accounts on several online platforms, and reviewers say their messages are now filled with one-time passcodes for accounts they never created.
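A defender-side heuristic for the symptom reviewers describe, as an added example that is not from the original article: it flags a burst of one-time-passcode texts from several distinct services within a short window. The sample inbox, the regexes and the thresholds are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample inbox (sender, ISO timestamp, body); not data from the article.
SAMPLE_INBOX = [
    ("Google", "2022-11-28T10:00:05", "G-482913 is your Google verification code."),
    ("Telegram", "2022-11-28T10:01:40", "Telegram code: 51822"),
    ("Facebook", "2022-11-28T10:03:12", "493021 is your Facebook confirmation code"),
    ("Instagram", "2022-11-28T10:04:55", "Use 204 117 to verify your Instagram account."),
    ("Mum", "2022-11-28T10:06:00", "Dinner at 7? Call me on 5550100"),
    ("Microsoft", "2022-11-28T10:08:30", "Use 7731 as Microsoft account security code"),
    ("Bank", "2022-11-29T09:00:00", "Your OTP is 882211. Do not share it."),
]

# Assumed heuristics: an OTP text has a verification keyword and a short digit group.
KEYWORDS = re.compile(r"\b(otp|code|verif\w*|passcode|confirm\w*)\b", re.I)
DIGITS = re.compile(r"\b\d{3}[ -]?\d{3}\b|\b\d{4,8}\b")


def is_otp(body):
    """True when the message body looks like a one-time passcode."""
    return bool(KEYWORDS.search(body) and DIGITS.search(body))


def otp_bursts(inbox, window=timedelta(minutes=15), min_senders=3):
    """Return (start, end, senders) for each window holding OTPs from
    at least min_senders distinct senders."""
    otps = sorted((datetime.fromisoformat(ts), sender)
                  for sender, ts, body in inbox if is_otp(body))
    bursts, i = [], 0
    while i < len(otps):
        j = i
        # Extend the window while the next OTP is within `window` of the first.
        while j + 1 < len(otps) and otps[j + 1][0] - otps[i][0] <= window:
            j += 1
        senders = sorted({s for _, s in otps[i:j + 1]})
        if len(senders) >= min_senders:
            bursts.append((otps[i][0], otps[j][0], senders))
            i = j + 1  # skip past the burst already reported
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for start, end, senders in otp_bursts(SAMPLE_INBOX):
        print(f"OTP burst {start} to {end}: {', '.join(senders)}")
```

A burst that starts right after a new app is granted SMS access is the cue to review that app's permissions and remove it.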

Selling accounts

Since phone numbers are often the only possible way to verify accounts, people who wish to engage in illegal or anonymous activities find these pseudonymous accounts useful.

In addition, Maxime Ingrao has discovered that the Symoo app is sending SMS data to a domain used by another app, “Virtual Number”, which was also on Google Play at one point but has since been removed.

The developer of the “Virtual Number” app has also created another app on Google Play called “ActivationPW – Virtual number”, downloaded 10,000 times, that provides “online numbers from 200+ countries” that you can use to create an account.

With this app, users can “rent” a number for as little as 50 cents and, in many cases, use that number to verify the account.

Activation PW mobile GUI

While unconfirmed, it is believed that the Symoo app is used to receive and forward OTP verification codes generated when people create accounts with ActivationPW.

If you use these apps, you should uninstall them, if nothing else, because they copy your SMS content to their own servers.

Their privacy policy also discloses this behavior, although they say it is intended to “block spam and backup services.”

“SMS Income (We store SMS messages as part of spam blocking and backup services through our third party platform, cloud storage, or telecom provider. (Note that we do not share these recordings with third parties),” reads Symoo's privacy policy.
