Online services often require you to enter a one-time code sent to your mobile number in order to verify your account. However, what happens when you don’t have a phone number or live in a country where a particular app or service is banned?
In this case, many users turn to virtual numbers to receive a one-time code so that they can verify their new accounts but these virtual numbers have to come from somewhere though.
A security researcher at the cybersecurity firm Evina has discovered a fake SMS app for Android that secretly uses the phone numbers of those who have installed it to send out one-time codes for other users according to BleepingComputer.
Hijacking phone numbers to help others verify their accounts
The app in question is called Symoo and it has been downloaded over 100,000 times. At the time of writing, it’s no longer available on the Google Play Store. Still though, it has a 3.4 star rating even though many users have complained it’s fake.
After being installed on a user’s device, Symoo requests permission to send and read text messages which isn’t surprising since the app’s description says it’s a “simple use sms application”. The app then asks the user to provide their phone number and a fake loading screen appears as an overlay. During this time, the creators of this malicious app send out multiple two-factor authentication (2FA) text messages to help others create and verify new online accounts.
Once the fake loading screen disappears, the app freezes and those who installed it aren’t able to use it for its intended purpose. While most users then uninstall Symoo, the damage is already done since the cybercriminals behind it already have your phone number.
Symoo isn’t the only app doing this as the security researcher who discovered it, Maxime Ingrao also found that SMS data extracted from it was sent to a domain used by the app Virtual Number. Just like with Symoo though, it has been removed from the Play Store.
A Google spokesperson provided further insight on the matter in a statement to Tom's Guide, saying:
"The apps identified - Symoo (com.vanjan.sms) and ActivationPW (com.programmatics.activation) - have been removed from Google Play and the developer has been banned."
How to stay safe if you downloaded this fake SMS app
If you downloaded Symoo or any other suspicious SMS apps, you need to delete them immediately. As I mentioned before though, the damage is already done since your phone number is in the hands of cybercriminals. As such, you may want to consider changing your number if you don’t want to constantly be interrupted with one-time codes from other users trying to create accounts.
At the same time, you need to be extra careful when downloading new apps onto your Android smartphone. While Google Play Protect is able to scan new apps and any installed on your device for malware, the same can’t be said for more elaborate scams like this one. For extra protection from other threats though, you may want to consider installing one of the best Android antivirus apps.
When it comes to protecting your phone number, you want to avoid giving it out freely and instead of third-party SMS apps, you should use the one that came installed with your phone. While there are some reputable text messaging apps for Android, it just isn’t worth the risk of having your mobile number exposed online.
Read next: for something more cheerful read how Starfield has survival elements but won’t warp your mind with dull tasks.