A security researcher found a fake texting app on Facebook System Android secretly serves as a way to create accounts on sites such as: Microsoft, Google, Instagram, Telegram and Facebook.
The researcher said that the phone numbers of devices on which the app, which has been downloaded about 100,000 times from Android’s Google Play store, is then rented without the owners’ knowledge to obtain a one-time passcode that is usually used to verify users while creating new accounts.
While the app has an overall rating of 3.4, many user reviews say it is fake, hijacking their phones, and sending them multiple passcodes upon installation.
Symoo was discovered by Evina security researcher Maxime Ingro, who reported it to Google, but received no response from the Android team. Still at the time of writing the report Available on Google Play Store.
How does Symoo work?
When installed on the device, the app asks for permission to send and read SMS messages, which seems natural since Symoo markets itself as an “easy-to-use” texting app.
On the first screen, it asks the user to provide their phone number, after that, it displays a fake loading screen that supposedly shows the progress of downloading resources. But the process is so long that the app operators can send many text messages that are used as two-factor authentication codes to create accounts on many services, read the content of the messages, and then send them to the operators.
A website sells account creations (Fb, Google..) it uses infected phones to make the registrations with auth sms 🥷🏻
– Maxime Ingrao (@IngraoMaxime) November 28, 2022
After completing the task, the application freezes and then does not reach the main interface of the application, which prompts users to uninstall it. Meanwhile, the app has used the user’s phone number to generate fake accounts on the services. Users of the app say they have been given codes for accounts they did not create.
Since phone numbers are often the only possible way to verify accounts, people who wish to engage in illegal or anonymous activities find these pseudonymous accounts useful.
In addition, Maxim Ingro discovered that Symoo was pulling SMS data into a domain used by another app, Virtual Number, which was also present on the Google Play Store earlier, but has been removed from it.
Users of such apps on Android are advised to uninstall them, as they copy users’ SMS content to their own servers.
“Proud explorer. Freelance social media expert. Problem solver. Gamer. Extreme travel aficionado.”