Android App in Google Play Store Was Harvesting SMS Messages Helping Criminals Create New Accounts

An Android app with over 100.000 downloads on Google Play was secretly harvesting SMS messages so that its operators could secretly create new accounts on various platforms with the victim's phone number.

Numerous online services require a phone number to set up, which makes them a desirable product for people who don't have a phone number or don't want to use their own number. Either way, this limitation spawned services that offer you new accounts to people with no phone numbers.

But those accounts still need to be set up with a phone number, so intermediaries have to resort to all types of illegal activities, such as harvesting legitimate phone numbers and setting up accounts without ever telling the owners of said phone numbers.

Security researcher Maxime Ingrao found that India's number one SMS app secretly collected SMS data, sending it to a remote server. The goal was to intercept users' confirmation SMS when making a new account.

"The malware asks the phone number of the user in the first screen," said the security researcher. "Then it pretends to load the application but remains all the time on this page, it is to hide the interface of the received sms and that the user does not see the sms of subscriptions to the various services."

"The malware sends data to the domain goomy[dot]fun; looking at VirusTotal, we can see that this domain was used by an application called VirtualNumber which has been removed from the Play Store," the researcher added.

He also noticed that the same developer had another app on the Play Store, ActivationPW, which used the activation[.]pw domain, the same one selling new accounts.

Google removed the apps from the store and banned the developers, but it's likely that other similar operations still exist.