Fake Android SMS on Google Play

Evina’s security researcher Maxime Ingrao identified a fake Android SMS APP on Google Play ‘Symoo’, with 100,000 downloads actually serving as an SMS relay for a service that creates accounts for websites including Microsoft, Google, Instagram, Telegram, and Facebook.

Despite having a rating of 3.4 overall, several user reviews blame the app for being fake, taking over their phones, and producing numerous OTPs (one-time passwords) after installation.

One of the reviews of the App says “Fake app I just download this app 4-5 times of OTP by Google, Airtel payment, Bank OTP, dream11 OTP, etc. Type of OTP comes at the time of login”.

Symoo app and user reviews on Google Play

The app is still accessible on Google Play as of this writing. Security researcher Maxime Ingrao reported it to Google, but the Android team has not responded as of now.

As soon as the software is installed on the device, it asks permission to send and receive SMS, which seems reasonable given that Symoo advertises itself as a “simple to use” SMS app.

Steal Phone Numbers to Verify & Create New Web Accounts

The researcher explains that it requests the user’s phone number on the first screen and then overlays a fake loading screen that purports to display the status of loading resources.

Since this procedure takes a while, the remote operators are able to send several 2FA (two-factor authentication) SMS texts to users who are signing up for different services, reading their content, and then sending it back to the operators.

Notably, users will often remove the app as soon as it’s finished because it will freeze and never arrive at the promised SMS interface.

Hence, the app will have already used the Android users’ phone numbers to generate fake accounts on various online platforms. Reviewers claim that their messages are now flooded with one-time passcodes for accounts they never created.

Maxime Ingrao found that the Symoo app leaks exfiltrate SMS data to a domain used by a different app called “Virtual Number,” which was formerly available on Google Play but has since been taken down.

Additionally, the creator of the “Virtual Number” app released the “ActivationPW – Virtual Numbers” app on Google Play, which has received 10,000, downloads and provides “Online numbers from more than 200 countries” that, can be used to create an account.

ActivationPW mobile GUI

Researcher says users can “rent” a number through this app for less than 50 cents, and mostly, they use that number to verify their account.

It is claimed that OTP verification codes created when customers create accounts using ActivationPW are transmitted and received via the Symoo app.

“Income SMS (we store SMS as part of the spam block and backup services with our third-party platform, cloud storage, or telecom provider. (Note that we do not otherwise share these recordings with third parties),” reads the Symoo privacy policy.

Thus, uninstall these apps if you are using them because they copy the contents of your SMS to their servers.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.