A fake Android SMS app, with 100,000 downloads on the Google Play Store, has been discovered to secretly act as an SMS relay for an account creation service for sites like Microsoft, Google, Instagram, Telegram and Facebook.
A researcher claims that infected devices are then leased as “virtual numbers” to relay a one-time password used to verify a user when creating new accounts.
Although the app has an overall rating of 3.4, many user reviews complain that it is fake, hijacks their phones, and generates multiple OTPs (one-time passwords) upon installation.
“Fake app I just downloaded this app 4-5 times from OTP by Google, Airtel payment, Bank OTP, dream11 OTP etc. Type of OTP comes at login time,” reads one of the reviews.
Symoo was discovered by Evina security researcher Maxime Ingrao, who reported it to Google but has yet to receive a response from the Android team. At the time of writing, the app remains available on Google Play.
BleepingComputer has also contacted Google about Symoo, and we’ll update this story as soon as we receive a response.
Routing of 2FA codes
Upon installation on the device, the app asks for access to send and read SMS, which seems normal since Symoo advertises itself as an “easy to use” SMS app.
On the first screen, it asks the user to provide their phone number; after that, it overlays a fake loading screen that supposedly shows the progress of loading resources.
However, this process is prolonged, allowing the remote operators to send multiple 2FA (two-factor authentication) SMS messages for creating accounts on various services, while the app reads their content and sends it back to the operators.
Once completed, the app will freeze, never reaching the promised SMS interface, so users will usually uninstall it.
By then, the app will have already used the Android users' phone numbers to generate fake accounts on various online platforms, and reviewers say their messages are now filled with one-time passwords for accounts they never created.
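The symptom described above, a burst of one-time passwords from several unrelated services arriving within minutes, can be checked for in an exported message log. The following is an added example, not code from the article or the researcher; the inbox format, the sample messages, and the 10-minute / 3-sender thresholds are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample inbox: (timestamp, sender, body). Not data from the article.
SAMPLE_INBOX = [
    ("2022-11-28 09:12:00", "Mom", "Dinner at 7? Bring the 2 pies."),
    ("2022-11-28 10:00:05", "Google", "G-482913 is your Google verification code."),
    ("2022-11-28 10:01:40", "Telegram", "Telegram code: 51824"),
    ("2022-11-28 10:03:10", "Instagram", "Use 204517 to verify your Instagram account."),
    ("2022-11-28 10:04:55", "Microsoft", "Use 7731 as Microsoft account security code."),
    ("2022-11-28 18:30:00", "MyBank", "Your OTP for login is 990142."),
]

# Heuristic: an OTP message has a verification keyword and a 4-8 digit code.
KEYWORD_RE = re.compile(r"\b(?:otp|code|verification|verify|passcode)\b", re.I)
CODE_RE = re.compile(r"(?<!\d)\d{4,8}(?!\d)")


def is_otp(body):
    return bool(KEYWORD_RE.search(body) and CODE_RE.search(body))


def otp_bursts(inbox, window_minutes=10, min_senders=3):
    """Return (start, end, senders) for each time window in which OTPs from
    at least `min_senders` distinct senders arrive within `window_minutes`."""
    otps = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sender)
        for ts, sender, body in inbox
        if is_otp(body)
    )
    window = timedelta(minutes=window_minutes)
    bursts, i = [], 0
    while i < len(otps):
        j = i
        # Extend the window while the next OTP is close enough to the first one.
        while j + 1 < len(otps) and otps[j + 1][0] - otps[i][0] <= window:
            j += 1
        senders = {sender for _, sender in otps[i:j + 1]}
        if len(senders) >= min_senders:
            bursts.append((otps[i][0], otps[j][0], sorted(senders)))
            i = j + 1  # skip past the messages already reported
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for start, end, senders in otp_bursts(SAMPLE_INBOX):
        print(f"OTP burst {start} to {end}: {', '.join(senders)}")
```

A single OTP from one service, such as the evening bank login in the sample, is not flagged; only clusters spanning several services are.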
Since phone numbers are often the only possible way to verify accounts, people who want to engage in illegal or anonymous activity find these pseudonymous accounts useful.
Additionally, Maxime Ingrao discovered that the Symoo app was exfiltrating SMS data to a domain used by another app, “Virtual Number”, which was also on Google Play at one point, but has since been removed.
The developer of the “Virtual Number” app has also created another app on Google Play called “ActivationPW – Virtual Numbers”, downloaded 10,000 times, which offers “online numbers from over 200 countries” that you can use to create an account.
Using this app, users can “rent” a number for less than 50 cents and, in many cases, use that number to verify the account.
Although unconfirmed, it is believed that the Symoo app is used to receive and transfer OTP verification codes generated when people create accounts using ActivationPW.
If you use these apps, you should uninstall them, if for no other reason than that they copy your SMS content to their own servers.