A fake Android app is turning victims' phones into SMS relays

(Image credit: Future)

Researchers recently discovered a malicious Android application that turns the devices into SMS relays used to verify various accounts on the internet.

At press time, the app has more than 100,000 downloads on the Google Play Store, and can still be downloaded.

Oftentimes, when people create online accounts, they need to verify their identities via their mobile phones and confirm they’re not bots or users spamming account creation. Users share their phone numbers and are sent a one-time passcode (OTP) which verify their identity.

Fake SMS applications

For those looking to stay pseudonymous online, being able to create accounts online without having to share their phone numbers sounds appealing, but the available methods often put innocent people at risk.

Rsearcher Maxime Ingrao, from cybersecurity support company Evina, recently discovered Symoo, an app that advertises itself as a “simple SMS application”. Instead, all it does is relay SMS-based OTP codes to anonymous users, which may include threat actors, for account creation elsewhere.

When users install the app, it asks for SMS permissions (which shouldn’t raise alarms, given that it’s described as an SMS app). It then asks for the user’s phone number, and if they provide, it will display a fake loading screen showing a progress bar.

> These malicious Android apps have already been downloaded over 20 million times

> Malicious apps masquerade as Android file managers to spread malware

> Check out the best privacy tools around

In the background, it will prompt remote operators to send multiple two-factor authentication SMS messages, helping them create accounts on different online services. Once this stage is done, the app freezes, and appears to be non-functional.

In reality, Ingrao found that Symoo shares the exfiltrated SMS data with another app, called Virtual Number, which is no longer available on the Play Store.

However, the developer has a similar app available, called "Activation PW - Virtual numbers", offering up authentic phone numbers to aid anyone with creating accounts. For $0.50, users can grab a phone number and use it to verify an account via SMS-based. This app has more than 10,000 downloads.

Though there's nothing inherently wrong with a virtual number service, with even Google offering one in the form of Google Voice, users are advised to uninstall this particular app as soon as possible, lest they become the victim of fraud.

Check out our list of the best identity theft protection tools right now

Via BleepingComputer.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.