Go to listing page

Android App Symoo Exfiltrates SMS Data for Fake Account Creation

Android App Symoo Exfiltrates SMS Data for Fake Account Creation
Hackers often create malicious applications capable of bypassing Google's security checks on the Play Store. A researcher has identified one such bogus Android application Symoo with 100,000 downloads on the Google Play store.

The fake app

Evina’s security researcher Maxime Ingrao identified and disclosed the fake app, called Symoo, which has an overall rating of 3.4. However, the app secretly acts as an SMS relay for an account creation service for various sites.
  • It disguises itself as an SMS manager app and upon installation, it requests access to phone numbers and permission to send and read messages from victims' devices.
  • Subsequently, it shows a fake loading screen and secretly allows the remote operators to send numerous OTP verification requests from services such as Microsoft, Google, Instagram, Telegram, and Facebook and apps such as Dream 11 and Airtel Payments.
  • The app reads the content and forwards it back to the operators. This content is used for creating accounts on various services. Once the installation is complete, the app will freeze and become non-functional.

The infected devices are rented out as virtual numbers for relaying an OTP to verify new account creation.

More apps involved

According to the experts, Symoo was sending stolen SMS data to a domain used by an app named Virtual Number (no more available on Google Play).
  • When this app was removed by Google, Virtual Number developers created another app called ‘ActivationPW – Virtual numbers’ which is still available on Google Play.
  • It has been downloaded 10,000 times, and offers online numbers on rent for as low as 50 cents, from more than 200 countries. Anyone can use these numbers to create an account and verify it.

Researchers believe that Symoo is used (in the backend) to receive and forward OTP verification codes generated when people create accounts using ActivationPW.

Conclusion

The presence of apps such as Symoo, Virtual Number, and ActivationPW – Virtual numbers, even if briefly, demonstrates how hackers deploy numerous techniques to evade detection by Google. Even if Google removes such apps from the Play store, it is clear that more attempts will be made to bypass the security and spread apps containing malicious code. To protect against such threats, users are recommended to be cautious while downloading an app, read reviews, and reporting suspicious apps.
Cyware Publisher

Publisher

Cyware