Fake Android app sparks personal privacy warning

What seemed like a harmless, easy-to-use messaging service for Android users proved to have a dark ulterior motive.

Taking the phone numbers of all who downloaded it, and allowing others to “rent” them for use on an account creation service.

Thankfully, thanks to an intrepid security researcher, the app has been successfully shut down.

Caught Read Handed

The Symoo app billed itself on Google Play as “JustSms is simple to use SMS application.”

While the shockingly poor grammar should have been a serious red flag, to begin with, the app somehow managed to attract over 100,000 downloads, and earn a rating of 3.4 on Google Play.

Though not all the reviews were raves.

Indeed, plenty of users immediately noticed that something was off, reporting how the app asked for a one-time password (OTP) upon installation and seemed to be hijacking their phones.

These red flags also caught the attention of Maxime Ingrao, a French security researcher currently employed at the cybersecurity company Evina.

Upon learning of the Malware attached to the app, Ingrao shared exactly what Symoo did on his Twitter page.

Accompanied by screenshots, Ingrao explained how Symoo read and sent all messages directly to a server specifically designed to sell “account creations”, allowing people to use phone numbers to verify they’re real, and then used the phones infected by the service to authenticate these fake accounts through messages.

Ingrao went on to point out how Symoo was the number 1 new SMS app in India, where over 100,000 people fell victim to it.

 

How exactly did it work?

Ingrao went on to explain that Symoo first took people’s information by asking for the user’s phone number on the login page.

While the next screen made it appear to users that the application was loading, it was all a cover-up, hiding the interface of their number being sent to various subscription services.

Once the app finished loading, it would freeze, prompting users to delete the app.

But their phone numbers had already been apprehended by then, and the user’s phone numbers were used to create fake accounts on numerous platforms, including Facebook, and Instagram.

Ingrao then shared that he was able to track the malware back to a domain called “goomy[dot]fun”, a domain used by an app called Virtual Numbers.

Virtual Numbers happened to be created by the same developers of Activation PW, a website offering users numbers from more than 200 countries they can use to create fake accounts.

According to Bleeping Computer, users could rent a number for as little as 50 cents to verify a fake account.

Thankfully, a Google spokesperson later confirmed to Bleeping computers that both Symoo and Activation PW have been removed from google play, and the developer has been banned.

Be Careful What You Download

It’s easy to get carried away and download any app that seems like something you’d enjoy.

Then too, if it’s available on GooglePlay, it must be safe, right?

Unfortunately, as seen above, that isn’t a guarantee.

Thankfully, it’s not too difficult to discern which apps one should probably avoid.

Check the rating.

If most of the ratings for the app sit at two stars or less, and users seem to be struggling to find anything good to say about it, then it’s likely one to avoid downloading.

Make Sure your software is up to date.

Luckily, certain malware isn’t able to function on the most up-to-date software, so always be sure that your devices, be it an iPhone or Android, as well as your browser, are updated on a fairly regular basis.

Download an Antivirus App.

Installing antivirus software on your devices is one of the most surefire ways to protect your devices from malware and phishing scams.

With its easy setup, real-time anti-malware protection, and excellent customer service, TotalAV is one of the most reliable Antivirus services for your PC, Mac, Android and iOS devices available today.

Limited-time deal for CyberGuy readers: $19 your first year (80% off)

 

Related:

Related posts

Best last minute holiday gifts

Understanding brushing scams and how to protect yourself

From TikTok to trouble: How your online data can be weaponized against you