Malicious Android app discovered powering account creation service

Malicious Android app discovered powering account creation service

​A faux Android SMS software, with 100,000 downloads on the Google Play retailer, has been found to secretly act as an SMS relay for an account creation service for websites like Microsoft, Google, Instagram, Telegram, and Fb.

A researcher says the contaminated gadgets are then rented out as “digital numbers” for relaying a one-time passcode used to confirm a person whereas creating new accounts.

Whereas the app has an total score of three.4, many person opinions complain that it’s faux, hijacks their telephones, and generates a number of OTPs (one-time passwords) upon set up.

“Faux app I simply obtain this app 4-5 instances of OTP by Google, Airtel cost, Financial institution OTP, dream11 OTP, and many others. Kind of OTP comes on the time of login,” reads one of many opinions.

Symoo app and user reviews on Google Play
Symoo app and person opinions on Google Play

Symoo was found by Evina’s safety researcher Maxime Ingrao, who reported it to Google however has but to listen to again from the Android staff. On the time of writing, the app stays out there on Google Play.


BleepingComputer has additionally contacted Google about Symoo, and we are going to replace this story as quickly as we obtain a response.

Routing 2FA codes

Upon set up on the system, the app requests entry to ship and skim SMS, which sounds regular since Symoo markets itself as an “straightforward to make use of” SMS app.

On the primary display screen, it asks the person to offer their telephone quantity; after that, it overlays a faux loading display screen that supposedly exhibits the progress of loading assets.

Nonetheless, this course of is extended, permitting the distant operators to ship a number of 2FA (two-factor authentication) SMS texts for creating accounts on numerous companies, learn their content material, and ahead it again to the operators.

When accomplished, the app will freeze, by no means reaching the promised SMS interface, so customers will usually uninstall it.

By this time, the app can have already used the Android customers’ telephone numbers to generate faux accounts on numerous on-line platforms, and reviewers say that their messages are actually crammed with one-time passcodes for accounts they by no means created.

Promoting the accounts

Since telephone numbers are sometimes the one attainable solution to confirm accounts, individuals who wish to interact in unlawful or nameless actions discover these pseudonymous accounts helpful.

Moreover, Maxime Ingrao found that the Symoo app exfiltrates SMS information to a site utilized by one other software, ‘Digital Quantity,’ that was additionally on Google Play in some unspecified time in the future however has since been eliminated.

The developer of the ‘Digital Quantity’ app additionally created one other app on Google Play referred to as ‘ActivationPW – Digital numbers,’ downloaded 10,000 instances, which provides “On-line numbers from greater than 200 nations” that you should utilize to create an account.

Utilizing this app, customers can “hire” a quantity for lower than 50 cents and, in lots of circumstances, use that quantity to confirm the account.

Activation PW mobile GUI
ActivationPW cellular GUI

Whereas it’s unconfirmed, it’s believed that the Symoo app is used to obtain and ahead OTP verification codes generated when individuals create accounts utilizing ActivationPW.

In case you are utilizing these apps, you must uninstall them, if nothing else, as a result of they copy your SMS content material to their very own servers.

Their privateness coverage additionally discloses this conduct, although they are saying it’s to “spam block and again up companies.”

“Earnings SMS (we retailer sms as a part of the spam block and again up companies with our third-party platform, cloud storage or telecom supplier. (Be aware that we don’t in any other case share these recordings with third events),” reads the Symoo privateness coverage.

Replace 11/30/2022 – A Google spokesperson has despatched BleepingComputer the next remark:

The apps recognized – Symoo (com.vanjan.sms) and ActivationPW (com.programmatics.activation) – have been faraway from Google Play and the developer has been banned.