This app hijacks your mobile and uses it to send malicious SMS

A new app has been discovered that, posing as an SMS manager, uses your phone number as a relay to receive two-factor authentication codes and create fake accounts with those SMS messages. To give an idea of the number of people reached, it already had more than 100,000 downloads.

This malicious app was discovered by Maxime Ingrao, a cybersecurity researcher at EvinaTech. Beyond the danger it poses on its own, it is linked to other dangerous apps that together form an entire ecosystem for creating fake accounts.

This app creates fake accounts via SMS

Upon installation on the device, the Symoo app requests access to send and read SMS, which sounds normal since it is marketed as an “easy to use” SMS management app. On the first screen, it asks the user to provide their phone number and after that, it overlays a fake loading screen that supposedly shows the progress of loading resources.

Maxime Ingrao
@IngraoMaxime
Found new #Android #malware that read all the sms and send to a server 👀

A website sells account creations (Fb, Google…) it uses infected phones to make the registrations with auth sms 🥷🏻

N°1 in new sms app in Play Store in #India it has infected 100k+ people there 👾 https://t.co/VH6DHWEG4y

November 28, 2022 • 2:41 PM

However, this loading process is drawn out, which gives remote operators time to have multiple 2FA (two-factor authentication) SMS messages sent to the phone in order to create accounts on various services, while the app reads their content and forwards it to the criminals.

When the process is complete, all traces of it are automatically deleted and the app freezes, never reaching the promised SMS interface, so users often simply uninstall it, thinking it doesn't work and not knowing what they have fallen victim to.

By that time, the app will have already used the phone numbers of Android users to generate fake accounts on various online platforms. Some of the users who left reviews on the Play Store say that their message inbox is now full of one-time access codes for accounts they never created.
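A defender-side check for the symptom those users describe, added here as an example and not taken from the original article or from the researcher: it flags short windows in which verification-code SMS arrive from several different senders. The `timestamp|sender|body` export format, the sender names, the sample messages and the thresholds are all assumptions.

```python
import re
from datetime import datetime, timedelta

# A message counts as a verification SMS if it has a keyword AND a 4-8 digit code.
KEYWORD = re.compile(r"(?i)\b(otp|code|verification|verify|passcode)\b")
CODE = re.compile(r"\b\d{4,8}\b")

# Constructed sample inbox export (hypothetical format: ISO timestamp|sender|body).
SAMPLE_INBOX = [
    "2022-11-28T09:00:05|BANK-AL|Your account balance is 4200 INR",
    "2022-11-28T14:02:10|SVC-A|123456 is your verification code",
    "2022-11-28T14:03:41|SVC-B|Your OTP is 4821. Do not share it.",
    "2022-11-28T14:05:02|SVC-C|Use code 778201 to verify your new account",
    "2022-11-28T14:06:30|SVC-A|654321 is your verification code",
    "2022-11-29T08:15:00|SVC-D|Your login code is 9911",
]

def parse(line):
    """Split one export line into (timestamp, sender, body)."""
    ts, sender, body = line.split("|", 2)
    return datetime.fromisoformat(ts), sender.strip(), body.strip()

def find_otp_bursts(lines, window=timedelta(minutes=10), min_senders=3):
    """Return (start, end, senders) for each window in which verification
    SMS from at least `min_senders` distinct senders arrive within `window`."""
    otps = sorted(
        (ts, sender)
        for ts, sender, body in map(parse, lines)
        if KEYWORD.search(body) and CODE.search(body)
    )
    bursts, i = [], 0
    while i < len(otps):
        j = i
        # Extend the window while the next message is close enough to the first.
        while j + 1 < len(otps) and otps[j + 1][0] - otps[i][0] <= window:
            j += 1
        senders = {s for _, s in otps[i:j + 1]}
        if len(senders) >= min_senders:
            bursts.append((otps[i][0], otps[j][0], sorted(senders)))
            i = j + 1  # continue after this burst
        else:
            i += 1
    return bursts

if __name__ == "__main__":
    for start, end, senders in find_otp_bursts(SAMPLE_INBOX):
        print(f"OTP burst {start} -> {end} from {len(senders)} senders: {senders}")
```

A single login code from one service does not trigger the check; only several services sending codes within minutes does, which matches accounts being registered in bulk against one number.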

Interconnected with other Play Store apps

Considering that having a valid phone number on which to receive a one-time code is often the only possible way to verify the creation of a new account, people who want to engage in illegal or anonymous activities find the anonymous accounts created by applications of this type useful.

In addition, Maxime Ingrao discovered that the Symoo application exfiltrates SMS data to the domain goomy[dot]fun. A check on VirusTotal shows that this domain was also used by an app called VirtualNumber, which was on Google Play at one time but has since been removed from the Play Store.

The developer of the ‘Virtual Number’ app also created another app on Google Play called ‘ActivationPW – Virtual Numbers’, downloaded 10,000 times, which offers “online numbers from over 200 countries” that you can use to create an account without having to enter your phone number. Using this app, users can “rent” a phone number for less than a dollar and, in many cases, use that number to verify the account. It seems that everything fits, right?

At the time of writing these lines, the Symoo app is still on the Google Play Store. Despite Google’s best efforts, its Android Play Store is still a hotbed for all sorts of malware.

Although the app store is carefully monitored, moderators can’t always detect these apps before they’re released, though they will try to remove the threat as soon as possible. This application has already been reported, so it is expected that, with the security report of