Malicious Android app that uses user numbers to create accounts without their permission
A security researcher has discovered a fake Android SMS app that is secretly being used to create accounts on services such as Microsoft, Google, Instagram, Telegram and Facebook.
The app, which has been downloaded about 100,000 times from the Google Play Store, rents out the device's phone number without the owner's knowledge in order to receive the one-time passwords that are typically used to verify users when creating new accounts, the researcher said.
Although the app has an overall rating of 3.4, many user reviews say that it is fake, that it hijacks their phones, and that it sends them multiple passwords during installation.
The app, Symoo, was discovered and reported to Google by Evina security researcher Maxime Ingrao, who has not heard back from the Android team. At the time of this writing, it is still available on the Google Play Store.
How does Symoo work?
When the app is installed on a device, it asks for permission to send and read SMS, which seems natural since Symoo positions itself as an "easy to use" SMS app.
The first screen asks users to provide their phone number, after which a fake loading screen is displayed, purporting to show the progress of downloading resources. The process is drawn out long enough for the app's operators to trigger several SMS messages carrying the two-factor authentication codes used to create accounts on many services; the app reads the content of those messages and sends it to the operators.
After the task is completed, the app crashes and never reaches its main interface, prompting the user to uninstall it. By that point, the app has used the user's phone number to create fake accounts on these services. App users have reported receiving codes for accounts they did not create.
Since phone numbers are often the only possible way to verify an account, people who want to engage in illegal or anonymous activities will find these pseudonymous accounts useful.
In addition, Maxime Ingrao discovered that Symoo was sending SMS data to a domain used by another app, Virtual Number, which also appeared earlier on the Google Play Store but has since been removed.
Android users are advised to uninstall these apps, as they copy the user's SMS content to the operators' server.
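The symptom users report, verification codes arriving for accounts they never created, can be looked for in an exported SMS log. The following is an added example, not part of the original article or the researcher's work; the message format, keyword heuristic, 10-minute window and three-service threshold are assumptions, and the sample inbox is constructed.

```python
import re
from datetime import datetime, timedelta

# Services named in the article; extend as needed.
SERVICES = ("microsoft", "google", "instagram", "telegram", "facebook")
# Assumed heuristic: an OTP SMS has a code-like keyword and a 4-8 digit number.
KEYWORD_RE = re.compile(r"\b(code|otp|passcode|verif\w*)\b", re.I)
DIGITS_RE = re.compile(r"\b\d{4,8}\b")

def otp_service(body):
    """Return the service an OTP message belongs to, or None if not an OTP."""
    if not (KEYWORD_RE.search(body) and DIGITS_RE.search(body)):
        return None
    lowered = body.lower()
    return next((s for s in SERVICES if s in lowered), "unknown")

def find_otp_bursts(messages, window=timedelta(minutes=10), min_services=3):
    """Flag windows in which OTPs for >= min_services distinct services arrive."""
    hits = sorted(
        (datetime.fromisoformat(m["received"]), svc)
        for m in messages
        if (svc := otp_service(m["body"])) is not None
    )
    bursts, i = [], 0
    while i < len(hits):
        j = i
        while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
            j += 1
        services = sorted({svc for _, svc in hits[i:j + 1]})
        if len(services) >= min_services:
            bursts.append({"start": hits[i][0], "end": hits[j][0], "services": services})
            i = j + 1  # continue after the reported burst
        else:
            i += 1
    return bursts

# Constructed sample inbox (not real data).
SAMPLE = [
    {"received": "2022-11-28T09:00:05", "body": "Your bank statement is ready."},
    {"received": "2022-11-28T10:01:10", "body": "G-482913 is your Google verification code."},
    {"received": "2022-11-28T10:02:30", "body": "Telegram code: 59120"},
    {"received": "2022-11-28T10:04:45", "body": "Use 771204 to verify your Instagram account."},
    {"received": "2022-11-28T10:06:00", "body": "Microsoft account security code: 3391"},
    {"received": "2022-11-28T18:30:00", "body": "Your Facebook code is 40812"},
]

if __name__ == "__main__":
    for b in find_otp_bursts(SAMPLE):
        print(b["start"], "->", b["end"], b["services"])
```

A burst that lines up with the installation time of a newly added SMS app is a strong reason to remove that app and review the accounts tied to the number.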
Found new #Android #malware that read all the sms and send to a server 👀
A website sells account creations (Fb, Google..) it uses infected phones to make the registrations with auth sms 🥷🏻
N°1 in new sms app in Play Store in #India it has infected 100k+ people there 👾 pic.twitter.com/VH6DHWEG4y
— Maxime Ingrao (@IngraoMaxime) November 28, 2022