Hi Guys,

I hope that you are well. Security researcher Maxime Ingrao from Evina has uncovered ​a fake Android SMS application, with over 100,000 downloads that secretly act as an SMS relay for account creation sites like Microsoft, Google, Instagram, Telegram, and Facebook. It also makes copies of all of your stored SMS messages and illegally transmits them to its servers. The guys at Bleeping Computer explained the process very well:

  • Upon installation on the device, the app requests access to send and read SMS, which sounds normal since Symoo markets itself as an “easy to use” SMS app.
  • On the first screen, it asks the user to provide their phone number; after that, it overlays a fake loading screen that supposedly shows the progress of loading resources.
  • However, this process is prolonged, allowing the remote operators to send multiple 2FA (two-factor authentication) SMS texts for creating accounts on various services, read their content, and forward it back to the operators.
  • When completed, the app will freeze, never reaching the promised SMS interface, so users will typically uninstall it.
  • By this time, the app will have already used the Android users’ phone numbers to generate fake accounts on various online platforms, and reviewers say that their messages are now filled with one-time passcodes for accounts they never created.

Why do you need to be concerned?

  • This fake app allows the operator to access and copy your SMS messages.
  • This fake app allows potential criminals to use your phone number to prove who they are, which could cause problems if they do anything illegal online as the activity is tied to your number and therefore tied to you. This could cause significant legal problems for you.

How do you stay safe?

  • Do not install an application called ‘Symoo‘. This app is still available for download in the Google Play Store, so if you come across it, do not install it under any circumstances.
  • If you already have it installed, get rid of it immediately.

Please share this tip.

Thanks, and wishing you a fantastic moment wherever you are.

All the best,

Max Roberts,
Incognito Privacy Care Team.