The malicious application was discovered by cybersecurity researcher Maxim Ingrao, who works for Evina. It's called Symoo and has over 100,000 downloads on Google Play. According to the researcher, after installing the application, victims' SIM cards are used as "virtual numbers" to create accounts on Microsoft, Google, Instagram, Telegram and Facebook websites.
The operation of the malicious application is simple – after installation, it requests access to send and read SMS messages, which does not arouse suspicion among the victims, since Symoo is advertised as “a simple application for sending SMS”. The fun begins after installation:
- The first screen asks the user for their phone number, after which a fake loading screen appears;
- The “download” process is delayed, allowing remote operators to send a one-time code from the desired service to the victim’s phone number and send it back to the operators;
- After the process is completed, the application freezes without providing the user with the promised functionality.
And even though deceived users delete the non-working application, this does not improve the situation, because their phone number has already been used to create other people's accounts on various online platforms.
In addition, Maxim Ingrao discovered that Symoo sends SMS messages from victims’ phones to the domain used by the “ActivationPW – Virtual numbers” application, which allows the user to “rent” a phone number for 50 cents and use it to create an account on the desired site. It is worth noting that this application has already been removed from Google Play, but Symoo has not.