Advisory ID: NCC-CSIRT-3011-059
Summary: Maxime Ingrao, a security researcher at Evina, discovered a fraudulent Android SMS app called "Symoo" that has over 100,000 downloads on the Google Play Store. The malicious app discreetly serves as an SMS intermediary for a service that creates accounts on websites including Facebook, Instagram, Telegram, and Google. Once installed, the malicious app takes over the victim's device and generates many OTPs (one-time passwords). The attackers then rent out the infected devices as virtual numbers for relaying the one-time passcodes used to verify a user when creating new accounts.
Vulnerable Platform(s): Microsoft, Google, Instagram, Telegram, and Facebook.
Threat Type: Privilege Escalation
Product: Android Based Devices
Version: All versions
Description: According to the researcher, after a successful installation on the targeted device, the Symoo app requests permission to send and receive SMS, which seems reasonable given that the malicious app describes itself as an efficient SMS tool. It asks for the user's phone number on the first screen and then shows a fake loading screen that claims to display the progress of loading information. This step is deliberately prolonged, giving the remote operators time to trigger several two-factor authentication (2FA) SMS messages for opening accounts on other services, read their content, and transmit it back to the operators. Users often uninstall the app afterwards because it freezes once the loading screen ends and never displays the promised SMS interface. The researcher notes that by this point the app will already have created fake accounts on several web platforms using the user's phone number, and that the user's inbox is now littered with one-time passcodes for accounts they never made.
Consequences: Take over victims' devices
Impact/Probability: HIGH/HIGH
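The observable symptom on the victim's side, as the description above explains, is a burst of verification-code SMS messages from several unrelated services within a few minutes. The following added example (not part of the advisory or of Evina's research) shows one way a defender or analyst could flag that pattern in an exported SMS inbox. The inbox format (timestamp, sender, body), the sample messages, the keyword regex and the thresholds (10-minute window, at least 3 distinct senders) are all assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of inbound SMS records as they might be exported from a
# device as (timestamp, sender, body). These lines are made up for the example.
SAMPLE_INBOX = [
    ("2023-11-20 09:00:05", "FACEBOOK", "12345 is your Facebook confirmation code"),
    ("2023-11-20 09:00:41", "Telegram", "Telegram code: 84921"),
    ("2023-11-20 09:01:12", "Google", "G-557120 is your Google verification code."),
    ("2023-11-20 09:01:50", "Instagram", "Use 665 210 to verify your Instagram account."),
    ("2023-11-20 09:02:30", "Microsoft", "Use 3309451 as Microsoft account security code."),
    ("2023-11-20 12:30:00", "+15550001111", "Hey, are we still on for lunch?"),
    ("2023-11-21 08:00:00", "Google", "G-118822 is your Google verification code."),
]

# Heuristic OTP classifier (assumed wording): a verification-style keyword plus
# a 4-to-10 digit code, optionally space-separated or prefixed like "G-".
OTP_KEYWORDS = re.compile(r"\b(?:code|verification|confirmation|verify)\b", re.IGNORECASE)
OTP_DIGITS = re.compile(r"\b(?:G-)?\d[\d ]{2,8}\d\b")


def is_otp_message(body):
    """Return True when the SMS body looks like a one-time passcode delivery."""
    return bool(OTP_KEYWORDS.search(body)) and bool(OTP_DIGITS.search(body))


def detect_otp_bursts(inbox, window=timedelta(minutes=10), min_services=3):
    """Flag windows in which OTPs from at least `min_services` distinct senders arrive.

    Returns a list of (window_start, sorted_senders). Each storm yields one alert:
    after an alert the scan skips past every message inside that window.
    """
    otps = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sender)
        for ts, sender, body in inbox
        if is_otp_message(body)
    )
    alerts = []
    i = 0
    while i < len(otps):
        start = otps[i][0]
        in_window = [(t, s) for t, s in otps[i:] if t - start <= window]
        senders = {s for _, s in in_window}
        if len(senders) >= min_services:
            alerts.append((start, sorted(senders)))
            i += len(in_window)  # one alert per storm, not per message
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for start, senders in detect_otp_bursts(SAMPLE_INBOX):
        print(f"OTP burst starting {start}: {len(senders)} services -> {', '.join(senders)}")
```

Run against the constructed inbox, the five verification messages between 09:00 and 09:03 produce a single alert listing all five services, while the lone Google code the next morning and the ordinary text message do not. Tuning the window and the sender threshold to a user's normal behaviour is the main design choice; legitimate users rarely register with several unrelated services inside a few minutes.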