Malicious Android app found powering account creation service
2022-11-28 22:52

A fake Android SMS application, with 100,000 downloads on the Google Play store, has been discovered to secretly act as an SMS relay for an account creation service for sites like Microsoft, Google, Instagram, Telegram, and Facebook.

"Fake app I just download this app 4-5 times of OTP by Google, Airtel payment, Bank OTP, dream11 OTP, etc. Type of OTP comes at the time of login," reads one of the reviews.

At the time of writing, the app remains available on Google Play.

Upon installation, the app requests permission to send and read SMS, which seems normal because Symoo markets itself as an "Easy to use" SMS app.

Maxime Ingrao discovered that the Symoo app exfiltrates SMS data to a domain used by another application, 'Virtual Number,' that was also on Google Play at some point but has since been removed.

The developer of the 'Virtual Number' app also created another app on Google Play called 'ActivationPW - Virtual numbers,' downloaded 10,000 times, which offers "Online numbers from more than 200 countries" that you can use to create an account.


News URL

https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/