Play app with 100K downloads booted for forwarding texts to developer server

Google has removed two apps, one with more than 100,000 downloads, after receiving a report they were part of an illegal scheme that surreptitiously forwarded text messages that were used to create fraudulent accounts on third-party websites.

The first app, named Symoo, billed itself as an easy-to-use SMS messenger. Once installed, it would ask for the user’s phone number and then pretend to load the application. The app would then hang on the screen while, in the background, it copied every text received and sent it to goomy[.]fun, a website controlled by the developer.

The screen would hang indefinitely, so eventually many users would likely force-quit the app and uninstall it. During the time Symoo was running, however, the developer would use the number for a fee-based service that registered fake accounts on sites that require SMS-based verifications. While the app was running, the service would register accounts using the infected phone’s number and then copy the verification code returned by the site. Besides sending texts associated with the fake account creation, Symoo forwarded any texts the infected phone received from other parties.

The Symoo developer has links to a person behind another app called ActivationPW. ActivationPW worked through activation[.]pw, a website that allows people to buy the accounts with infected phones.

On Tuesday, about 12 hours after a security researcher posted his findings, Google finally removed both Symoo and ActivationPW from its Play store. The company also deleted the Play account of the developer.

A VirusTotal search showed that goomy[.]fun had been used by a Play app called VirtualNumber. It was created by the same person behind activation.pw, and like Symoo it provided a way to create fake accounts using infected phones.

The developer of the VirtualNumber app is the same one who created ActivationPW, an app downloaded more than 10,000 times and advertised itself as offering online numbers from more than 200 countries.

Many sites require people signing up for an account to provide a phone number that receives SMS texts. The account can’t be created until the user copies a verification code sent to the phone. People looking to create accounts for use by bots or fraud purposes often turn to services like ActivationPW to get around this requirement.

Anyone who has installed any of these apps should check their phones to ensure the apps have been deleted. They should also be aware that all texts they received while the apps were open were forwarded to a server engaging in illegal activity.