A fake Android app is turning victims' phones into SMS relays

Users could be sending OTP codes to criminals

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Researchers recently discovered a malicious Android application that turns the devices into SMS relays used to verify various accounts on the internet.

At press time, the app has more than 100,000 downloads on theGoogle Play Store, and can still be downloaded.

Oftentimes, when people create online accounts, they need to verify their identities via their mobile phones and confirm they’re not bots or users spamming account creation. Users share their phone numbers and are sent a one-time passcode (OTP) which verify their identity.

Fake SMS applications

For those looking to stay pseudonymous online, being able to create accounts online without having to share their phone numbers sounds appealing, but the available methods often put innocent people at risk.

Rsearcher Maxime Ingrao, from cybersecurity support company Evina, recently discovered Symoo, an app that advertises itself as a “simple SMS application”. Instead, all it does is relay SMS-based OTP codes to anonymous users, which may include threat actors, for account creation elsewhere.

When users install the app, it asks for SMS permissions (which shouldn’t raise alarms, given that it’s described as an SMS app). It then asks for the user’s phone number, and if they provide, it will display a fake loading screen showing a progress bar.

These malicious Android apps have already been downloaded over 20 million times>Malicious apps masquerade as Android file managers to spread malware>Check out the best privacy tools around

In the background, it will prompt remote operators to send multipletwo-factor authenticationSMS messages, helping them create accounts on different online services. Once this stage is done, the app freezes, and appears to be non-functional.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

In reality, Ingrao found that Symoo shares the exfiltrated SMS data with another app, called Virtual Number, which is no longer available on the Play Store.

However, the developer has a similar app available, called “Activation PW - Virtual numbers”, offering up authentic phone numbers to aid anyone with creating accounts. For $0.50, users can grab a phone number and use it to verify an account via SMS-based. This app has more than 10,000 downloads.

Though there’s nothing inherently wrong with a virtual number service, with even Google offering one in the form ofGoogle Voice, users are advised to uninstall this particular app as soon as possible, lest they become the victim of fraud.

ViaBleepingComputer.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Windows PCs targeted by new malware hitting a vulnerable driver

Dangerous Android banking malware looks to trick victims with fake money transfers

ChatGPT just got easier to find when you’re searching for something