Heimdal Security Blog

What You Need to Know About the Malicious Android App That’s Powering A Spam Service

A fake Android app downloaded over 100,000 times on the Google Play store has been found to secretly act as an SMS relay for account creation. The one hundred thousand downloads have been made by users looking to create accounts on Microsoft, Google, Instagram, Telegram, and Facebook.

A researcher claims infected devices are rented out as “virtual numbers” to relay a one-time code used to verify a user.

Although the app has an overall rating of 3.4, many reviewers have been unhappy with it. They say it is fake, hijacks their devices, and generates multiple OTPs upon installation.

“Fake app. I downloaded this app four to five times using Google, Airtel payment, bank OTP, dream11 OTP, etc. Every time I try to log in, a new type of text is required,” one user said.


How Does Symoo Work?

Symoo is marketed as an easy-to-use and accessible SMS app. Upon installation, however, the malicious app requests permission to send and read text messages. The request may look reasonable, since handling SMS is what Symoo markets itself as doing, but it is something to be wary of.

The first screen asks the user to enter their phone number. Once completed, a fake loading screen is overlaid and displayed to them until resources load.

This takes a lot of time, but the process accomplishes many tasks simultaneously. For example, remote operators can send multi-factor authentication SMS texts for creating accounts and reading email messages on various services and then forward them all back to the operators.

When completed, the app will freeze and never reach its promised SMS interface, so users will typically uninstall it.

If you have an Android phone, then you’re at risk. The app could have already used your phone number to create fake accounts on various online platforms, and reviews show that users’ inboxes are now filled with one-time passcodes for accounts they never made.
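A defensive check for the symptom described above, as an added example that is not from the original article: it scans an SMS export for a short window in which verification codes arrive for several of the services the article names. The message tuple format, the 30-minute window, the three-service threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Services the article names as targets of the relayed verification codes.
SERVICES = ("microsoft", "google", "instagram", "telegram", "facebook")
OTP_RE = re.compile(r"\b\d{4,8}\b")               # assumed code shape: 4-8 digits
KEYWORDS = ("code", "otp", "verification", "verify")

def is_otp(body):
    """Heuristic: a numeric code plus a verification keyword."""
    text = body.lower()
    return bool(OTP_RE.search(text)) and any(k in text for k in KEYWORDS)

def service_of(sender, body):
    """Return the named service this message refers to, or None."""
    text = f"{sender} {body}".lower()
    return next((s for s in SERVICES if s in text), None)

def otp_bursts(messages, window=timedelta(minutes=30), min_services=3):
    """Find windows where OTPs for >= min_services distinct services arrived."""
    hits = []
    for ts, sender, body in messages:
        svc = service_of(sender, body)
        if svc and is_otp(body):
            hits.append((ts, svc))
    hits.sort()
    bursts, i = [], 0
    while i < len(hits):
        j = i
        while j < len(hits) and hits[j][0] - hits[i][0] <= window:
            j += 1
        services = sorted({svc for _, svc in hits[i:j]})
        if len(services) >= min_services:
            bursts.append((hits[i][0], hits[j - 1][0], services))
            i = j                                  # skip past the reported burst
        else:
            i += 1
    return bursts

# Constructed sample inbox: (timestamp, sender, body). Not real messages.
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE = [
    (T0 + timedelta(minutes=2), "Google", "G-482913 is your Google verification code."),
    (T0 + timedelta(minutes=5), "Telegram", "Telegram code: 58214"),
    (T0 + timedelta(minutes=9), "Facebook", "Use 771034 to verify your Facebook account"),
    (T0 + timedelta(minutes=12), "Instagram", "Your Instagram code is 904112"),
    (T0 + timedelta(days=3), "Bank", "Your balance is 1500"),
    (T0 + timedelta(days=5), "Google", "Your Google verification code is 118822"),
]

if __name__ == "__main__":
    for start, end, services in otp_bursts(SAMPLE):
        print(f"{start} .. {end}: unsolicited codes for {', '.join(services)}")
```

A single code for one service, like the last sample message, is normal sign-in traffic and is not reported; only the cluster across several services is.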

People who want to engage in illegal or anonymous activities can use pseudonymous accounts if they’re going to use phone numbers as verification.

It’s important to note that the Symoo app has been advertising on Instagram, claiming more than 300 million installs.

The Virtual Number developer also created another app called ‘ActivationPW – Virtual Numbers,’ downloaded 10,000 times, which offers “Online numbers from more than 200 countries.” This can be used to create an account.

With this app, you can rent a phone number for less than 50 cents and use it for verification purposes.


The lack of confirmation leaves only speculation, but the Symoo app is suspected to be used with ActivationPW.

If you are using these apps, you should uninstall them for your own sake. This is because they copy your SMS content to their server, and you have no control over it.

Their privacy policy states they may share information with third parties, such as “spam blockers” and “backup services.”

Symoo stores SMS data and will back it up with whichever service you require: cloud storage or a telecom provider. Note that Symoo does not otherwise share your recordings with any third party.
