Malicious Android app found powering account creation service

[Gandalf_The_Grey]

Content source

https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/

A fake Android SMS application, with 100,000 downloads on the Google Play store, has been discovered to secretly act as an SMS relay for an account creation service for sites like Microsoft, Google, Instagram, Telegram, and Facebook.

A researcher says the infected devices are then rented out as "virtual numbers" for relaying a one-time passcode used to verify a user while creating new accounts.

While the app has an overall rating of 3.4, many user reviews complain that it is fake, hijacks their phones, and generates multiple OTPs (one-time passwords) upon installation.

"Fake app I just download this app 4-5 times of OTP by Google, Airtel payment, Bank OTP, dream11 OTP, etc. Type of OTP comes at the time of login," reads one of the reviews.

Symoo was discovered by Evina's security researcher Maxime Ingrao, who reported it to Google but has yet to hear back from the Android team. At the time of writing, the app remains available on Google Play.

Malicious Android app found powering account creation service

A fake Android SMS application, with 100,000 downloads on the Google Play store, has been discovered to secretly act as an SMS relay for an account creation service for sites like Microsoft, Google, Instagram, Telegram, and Facebook

www.bleepingcomputer.com

 

[Zero Knowledge]

Google really need to clean up this crap on the PlayStore. Malware slipping into the store happens way too much. Don't they vet apps?