Malicious Android app that uses user numbers to create accounts without their permission

A security researcher has found a fake Android text messaging app that secretly acts as a way to create accounts on sites like Microsoft, Google, Instagram, Telegram and Facebook.

The researcher said that the phone numbers of devices on which the app is installed (it has been downloaded about 100,000 times from Android’s Google Play store) are then rented out, without the owners’ knowledge, to obtain the one-time passcodes that services usually send to verify users while creating new accounts.

While the app has an overall rating of 3.4, many user reviews say it is fake, that it hijacks their phones, and that it sends them multiple passcodes upon installation.

Symoo was discovered by Evina security researcher Maxime Ingrao, who reported it to Google but received no response from the Android team. It was still available on the Google Play Store at the time the report was written.

How does Symoo work?

When installed on the device, the app asks for permission to send and read SMS messages, which seems natural since Symoo markets itself as an “easy-to-use” texting app.

On the first screen, it asks the user to provide their phone number. After that, it shows a fake loading screen that supposedly shows the progress of downloading resources. The process is deliberately long: while it runs, the app operators send many text messages containing the two-factor authentication codes needed to create accounts on many services, and the app reads the content of those messages and forwards it to the operators.

After completing the task, the application freezes and never reaches its main interface, which prompts users to uninstall it. Meanwhile, the app has used the user’s phone number to generate fake accounts on the services. Users of the app say they have received codes for accounts they did not create.
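The behaviour described above rests on one permission pattern: the ability to send SMS, the ability to read or intercept incoming SMS, and network access to forward what was read. The following script is an added example for this article, not code from the researcher or from the app, and it triages a decoded AndroidManifest.xml for exactly that combination. Both manifests it contains are constructed samples (the package names and receiver class are invented), not Symoo's real manifest.

```python
"""Triage a decoded AndroidManifest.xml for the OTP-harvesting permission
pattern: SEND_SMS + (READ_SMS / RECEIVE_SMS / an SMS_RECEIVED receiver) + INTERNET.
Example code added for this article; the manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMS = {
    "android.permission.SEND_SMS": "can send SMS (e.g. trigger verification flows)",
    "android.permission.READ_SMS": "can read stored SMS (harvest codes already received)",
    "android.permission.RECEIVE_SMS": "can see incoming SMS as they arrive",
}
RECEIVE_CAPABLE = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


def _attr(element, name):
    """Read an android:-namespaced attribute such as android:name."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    """Return the SMS-related permissions, SMS receivers and a risk level
    (none / low / medium / high) for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMS.keys())

    # Broadcast receivers subscribed to SMS_RECEIVED intercept messages
    # even if READ_SMS is absent, so they count as "can receive".
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {_attr(a, "name") for a in intent_filter.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                sms_receivers.append(_attr(receiver, "name"))

    has_internet = "android.permission.INTERNET" in perms
    can_send = "android.permission.SEND_SMS" in perms
    can_receive = bool(perms & RECEIVE_CAPABLE) or bool(sms_receivers)

    # Send + receive + network is the full loop described in the article:
    # request a code, read it, forward it. Receive + network alone can still
    # leak codes the user legitimately receives.
    if can_send and can_receive and has_internet:
        risk = "high"
    elif can_receive and has_internet:
        risk = "medium"
    elif sms_perms or sms_receivers:
        risk = "low"
    else:
        risk = "none"

    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "sms_receivers": sms_receivers,
        "internet": has_internet,
        "risk": risk,
        "findings": [SMS_PERMS[p] for p in sms_perms],
    }


# Constructed manifest mimicking the pattern described in the article.
SUSPICIOUS_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakesms">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name="com.example.fakesms.SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="{SMS_RECEIVED_ACTION}"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an app with no SMS capability at all.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(m)
        print(result["package"], "->", result["risk"], result["findings"])
```

A genuine messaging app requests the same permission set, which is why Google Play restricts SMS permissions to the device's default SMS handler and why this script flags an app for review rather than issuing a verdict; the decisive evidence in this case was behavioural (the fake loading screen, codes for unknown accounts, and SMS content leaving the device).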

Since a phone number is often the only verification a service requires, people who wish to engage in illegal or anonymous activities find such pseudonymous accounts useful.

In addition, Maxime Ingrao discovered that Symoo was sending SMS data to a domain used by another app, Virtual Number, which was also present on the Google Play Store earlier but has since been removed.

Users of such applications on Android are advised to uninstall them, because the app copies the users’ SMS content to its own servers.