The malicious application was discovered by information security researcher Maxim Ingrao, who works at Evina. It is called Symoo and has more than 100,000 downloads on Google Play. According to the researcher, once the application is installed, victims' SIM cards are used as “virtual numbers” to create accounts on Microsoft, Google, Instagram, Telegram and Facebook.
The malware is simple: after installation it requests permission to send and read SMS messages, which does not arouse victims' suspicion, since Symoo is advertised as “Simple SMS Sending”. The most interesting part begins after installation:
On the first screen, the user is asked to enter their phone number, after which a fake loading screen appears;
The “loading” process is deliberately drawn out, giving the remote operators time to have the desired service send a one-time code to the victim's phone number, which the application then forwards back to the operators;
After the process is completed, the application freezes without giving the user the promised functionality.
Even when deceived users delete the non-working application, this does not fix the situation, because their phone number has already been used to create other people's accounts on various online platforms.
In addition, Maxim Ingrao discovered that Symoo forwards victims' SMS messages to the domain used by the ActivationPW – Virtual Numbers application, which lets a user “rent” a phone number for 50 cents and use it to create an account on the desired site. It is worth noting that this application has already been removed from Google Play, but Symoo has not.
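A defender-side illustration of the pattern described above, added here and not taken from the researcher's analysis: the heuristic flags an app that holds SMS permissions and whose installation is followed within minutes by verification-code texts from several unrelated services. The package names, senders, timestamps, the 30-minute window and the three-sender threshold are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Android permissions that let an app see incoming text messages.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
# Assumed heuristic for a verification text: a keyword plus a 4-8 digit code.
KEYWORD_RE = re.compile(r"(?i)\b(code|verification|verify)\b")
CODE_RE = re.compile(r"\b\d{4,8}\b")

def is_otp(body):
    return bool(KEYWORD_RE.search(body) and CODE_RE.search(body))

def flag_otp_bursts(installs, sms_log, window=timedelta(minutes=30), min_senders=3):
    """Return {package: senders} for apps with SMS access whose install was
    followed, within `window`, by OTP texts from at least `min_senders` senders."""
    findings = {}
    for pkg, installed_at, perms in installs:
        if not SMS_PERMS & set(perms):
            continue  # app cannot read SMS, so it cannot relay codes
        senders = {sender for ts, sender, body in sms_log
                   if installed_at <= ts <= installed_at + window and is_otp(body)}
        if len(senders) >= min_senders:
            findings[pkg] = sorted(senders)
    return findings

# Constructed sample data (hypothetical packages, senders and times).
T0 = datetime(2022, 1, 1, 10, 0)
INSTALLS = [
    ("com.example.simplesms", T0,
     ["android.permission.READ_SMS", "android.permission.SEND_SMS"]),
    ("com.example.chat", T0 - timedelta(days=1),
     ["android.permission.RECEIVE_SMS"]),   # one code of its own: not flagged
    ("com.example.notes", T0, ["android.permission.INTERNET"]),
]
SMS_LOG = [
    (T0 - timedelta(days=1) + timedelta(minutes=2), "ExampleChat",
     "Your verification code is 4821"),
    (T0 + timedelta(minutes=1), "Google", "G-193482 is your verification code."),
    (T0 + timedelta(minutes=3), "Microsoft", "Use 5531 as your security code"),
    (T0 + timedelta(minutes=4), "Telegram", "Login code: 77120"),
    (T0 + timedelta(minutes=9), "Mum", "Dinner at 7?"),
]

if __name__ == "__main__":
    for pkg, senders in flag_otp_bursts(INSTALLS, SMS_LOG).items():
        print(f"{pkg}: OTP burst after install from {', '.join(senders)}")
```

A single code after installing a messaging app is normal; what stands out is several codes the user never requested, from services unrelated to the app that was just installed.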