Fake Android app turns victims' phones into SMS repeaters

Researchers recently discovered a rogue Android app that turns devices into SMS repeaters that are used to verify various accounts on the Internet.

At the time of publishing, the app has over 100 downloads on the Google Play Store and is still available for download.

Often when people create accounts online, they need to verify their identity through their cell phones and confirm that they are not bots or spamming users upon account creation. Users share their phone numbers and receive a one-time password (OTP) that verifies their identity.

Fake SMS Apps

For those looking to stay online under a pseudonym, being able to create online accounts without having to share their phone numbers sounds appealing, but the methods available often put innocent people at risk.

Researcher Maxime Ingrao, from cybersecurity support firm Evina, recently discovered Symoo, an app that bills itself as a "simple SMS app." Instead, all it does is transmit SMS-based OTP codes to anonymous users, who may include threat actors, for account creation elsewhere.

When users install the app, it asks for SMS permissions (which shouldn't trigger any alarms, since it's described as an SMS app). It then asks for the user's phone number and if provided, it will display a fake loading screen showing a progress bar.

In the background, it will ask remote operators to send several two-factor authentication SMS messages, which will help them create accounts on different online services. After completing this step, the app crashes and doesn't seem to work.

In fact, Ingrao discovered that Symoo shares extracted SMS data with another app, called Virtual Number, which is no longer available on the Play Store.

However, the developer has a similar app available called "PW Activation - Virtual Numbers" that offers genuine phone numbers to help anyone create accounts. For €0.50, users can enter a phone number and use it to verify an account via SMS. This app has more than 10,000 downloads.

While there is nothing inherently wrong with a virtual number service (Google even offers one in the form of Google Voice), users are advised to uninstall this particular app as soon as possible so that they do not become victims of fraud.

Via BleepingComputer.