This Malicious App used Infected Devices to Create Phony Accounts across Multiple Platforms.

A malicious Android SMS app has been found on the Google Play Store that secretly harvests text messages in order to open accounts on numerous websites and services, including Facebook, Google, and WhatsApp.

Over 100,000 people downloaded the Symoo app (com.vanjan.sms), which relayed messages to a server that promotes an account creation service.

It does this by collecting the one-time passwords that services send to validate a user when a new account is created with the phone number of an infected device.

According to security researcher Maxime Ingrao, who found the malware, it asks for SMS permission and the user’s phone number on the initial screen.

It then pretends to load the application but stays on this page indefinitely, which hides the received-SMS interface and prevents the user from seeing the messages sent by the services being subscribed to.

Accounts on several well-known services, including Amazon, Discord, Facebook, Google, Instagram, KakaoTalk, Microsoft, Nike, Telegram, TikTok, Tinder, Viber, and WhatsApp, were among those unlawfully registered using the phone numbers.

The data collected by the malware is sent to a domain called “goomy[.]fun,” which was previously used by another malicious app called Virtual Number (com.programmatics.virtualnumber) that has since been removed from the Play Store.

The creator of the app, Walven, has also been connected to another Android app called ActivationPW – Virtual Numbers (com.programmatics.activation), which advertises that it can be downloaded for less than 50 cents and offers “virtual numbers to receive SMS verification” from more than 200 countries.

According to Ingrao, Symoo and ActivationPW are the two ends of the fraudulent scheme: the latter lets users purchase accounts that are created using the phone numbers of compromised devices that have the former installed.

The two apps have been taken off the Play Store, and the developer has been banned, according to a statement from Google to The Hacker News.
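
For defenders who want to check a device fleet, the following is an added example (not from the researcher or the original report) that matches the three package names and the domain named in this article against a device's `pm list packages` output and a DNS query log. The DNS log format, the sample data, and the function names are assumptions made for illustration.

```python
import re

# Indicators taken from the article; everything else below is constructed.
PACKAGES = {
    "com.vanjan.sms": "Symoo",
    "com.programmatics.virtualnumber": "Virtual Number",
    "com.programmatics.activation": "ActivationPW",
}
C2_DOMAIN = "goomy[.]fun"  # defanged, as printed in the article

def refang(indicator):
    """Turn a defanged indicator (goomy[.]fun) back into a matchable name."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def domain_matches(queried, indicator):
    """True for the domain itself or a subdomain, never for look-alike names."""
    q = queried.strip().lower().rstrip(".")
    ind = refang(indicator)
    return q == ind or q.endswith("." + ind)

def flag_packages(pm_output):
    """Parse `pm list packages` output (one 'package:<name>' per line)."""
    installed = {m.group(1) for m in re.finditer(r"^package:(\S+)$", pm_output, re.M)}
    return sorted((pkg, PACKAGES[pkg]) for pkg in installed & PACKAGES.keys())

def flag_dns(log_lines):
    """Assumed log format: '<timestamp> <client> <queried name>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) == 3 and domain_matches(parts[2], C2_DOMAIN):
            hits.append((parts[1], parts[2]))
    return hits

# Constructed sample data, not taken from a real device or resolver.
SAMPLE_PM = """package:com.android.chrome
package:com.vanjan.sms
package:com.example.notes
"""
SAMPLE_DNS = [
    "2022-12-01T10:00:01Z 10.0.0.7 api.goomy.fun.",
    "2022-12-01T10:00:02Z 10.0.0.8 notgoomy.fun",
    "2022-12-01T10:00:03Z 10.0.0.9 GOOMY.FUN",
    "2022-12-01T10:00:04Z 10.0.0.9 goomy.fun.example.org",
]
```

The suffix check requires a leading dot, so look-alike names such as `notgoomy.fun` or `goomy.fun.example.org` are not flagged.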
