How a malware-infected messaging app is impersonating millions of users worldwide

At Evina, we are equipped with the most advanced cybersecurity technology developed over 15 years of research and development, and experienced malware hunters who discover the most sophisticated malware hidden in app stores. The new malware that impersonates users by stealing their phone numbers is the latest addition to the series of malware our team uncovers each year.

We asked one of Evina’s top malware hunters how this newly uncovered malware operates. Here’s what you should know.

Can you tell us more about where the malware hides?

The malware is hidden in a messaging app named Symoo on the Google Play Store.

It’s available worldwide, but the app has been downloaded the most by users in India, Bangladesh, Pakistan, Algeria and Nepal. 

You won’t find the app on the Google Play Store anymore, however, as it was removed following our press release.

The malware steals phone numbers from users. How exactly does it do that?

So the first thing to understand is that the infected app Symoo masquerades as a legitimate messaging app to impersonate users and create fake social media accounts.

It starts out with a user who finds the app on the app store and downloads it. When they open the infected app, the first thing that pops up is the app’s request for the user’s phone number.

When the user launches the app, a loading screen appears and, in the meantime, the app has launched a malicious program in the background that sends the user’s phone number to an external server and intercepts all SMS messages.

This external server is used by a marketplace that collects the stolen phone number and reads the SMS messages linked to this number to obtain one-time codes that allow the creation of fake social media accounts. Millions of fake accounts on popular social networks like Facebook or Telegram are created this way, and individuals can purchase these fake accounts directly from this platform to remain anonymous while potentially perpetrating criminal actions.

What has been the malware’s impact up to now?

All users that have downloaded the infected app and entered their phone number are victims of the malware. These users now have fake social media profiles linked to their phone number and they aren’t aware. In India, there are 100K victims, in Pakistan 9K, in Algeria 3K and in Morocco 1K.

These images show (1) the countries where the malware has stolen from users and (2) the number of fake accounts per social media platform available on the marketplace.

For more information, read the full press release.
