A malicious Android SMS application discovered on the Google Play Store has been found to stealthily harvest text messages with the goal of creating accounts on a wide range of platforms like Facebook, Google, and WhatsApp.
The app, named Symoo (com.vanjan.sms), had over 100,000 downloads and functioned as a relay for transmitting messages to a server, which advertises an account creation service.
This is achieved by using the phone numbers associated with the infected devices as a means to gather the one-time password that’s typically sent to verify the user when setting up new accounts.
“The malware asks the phone number of the user in the first screen,” security researcher Maxime Ingrao, who discovered the malware, said, while also requesting for SMS permissions.
“Then it pretends to load the application but remains all the time on this page, it is to hide the interface of the received SMS and that the user does not see the SMS of subscriptions to the various services.”
Some of the major services illegally signed up using the phone numbers include Amazon, Discord, Facebook, Google, Instagram, KakaoTalk, Microsoft, Nike, Telegram, TikTok, Tinder, Viber, and WhatsApp, among others.
Additionally, the data collected by the malware is exfiltrated to a domain named “goomy[.]fun,” which was previously used in another malicious application called Virtual Number (com.programmatics.virtualnumber) that has since been taken down from the Play Store.
The app’s developer, Walven, has also been linked to another Android app known as ActivationPW – Virtual numbers (com.programmatics.activation) that claims to offer “virtual numbers to receive SMS verification” from more than 200 countries for less than 50 cents.
According to Ingrao, Symoo and ActivationPW represent the two ends of the fraudulent scheme, wherein the phone numbers of the hacked devices that have the former installed are employed to help users buy accounts through the latter.
Google told The Hacker News that the two apps have been removed from the Play Store and that the developer has been banned.
Source: thehackernews.com/