Misleading Android App Symoo Reads & Forwards SMS To Account Creation App

Uninstall Symoo if you use it!

Google Play store joker malware
Image: Unsplash

Google Play Store claims to vet apps before deploying them, but still, a lot of bogus apps pass through. Bleeping Computer shared a post describing one such bogus Android Application Symoo which passes on SMS to an account creation app. But it disguises itself as an SMS manager app and obtains access to your phone number and messages.

You may not pay attention to the contents of the app before installing them. The review section of the aforementioned app is up to the brim with displeased users.

How does this fake SMS Application Symoo operate?

Symoo, the app in question, is a published app on the Google Play Store. It claims to be a “simple SMS app” and nothing more. However, user reviews reveal a deep-rooted problem with the app. It asks the users to enter their phone numbers. After that, users receive numerous OTP verification requests from apps such as Dream 11, Airtel Payments, and more. Make note that these are very popular apps in India, and the app is facilitating OTP verification for other users by accessing the SMS of Symoo users.

Image: Play Store

Evina’s security researcher Maxime Ingrao dived deep to check out Symoo and even reported it to Google after discovering its actual intentions. But the app is still live and kicking on the Play Store, even at the time of writing this article. Since it is a general request, it might take a while for the moderation team to verify the complaint and take it down.

But the question is how these apps become available on the Play Store. Getting approval is a tough cookie but the developers have surely cracked the code to get their malicious apps published on the Play Store. Symoo takes your phone number and uses it to power account creation on other sites and apps. Sometimes, apps or websites require a phone number to create or verify the account and Symoo appears to facilitate that as well.

After you put your phone number, it sends that number to the app powering the account creation service and then sends the OTP received on your number as well. Since it has access to SMS, it is an easy feat for the app. Google needs to look into this app and if you ever come across Symoo, report it. Always read reviews, and don’t be an early adopter of suspicious apps.

Abhishek Mishra

Abhishek Mishra

I love exploring technology and devote my time to curating detailed posts and supplying credible information to inquisitive users. I wish I had some spare time to play a few RPGs or clean my desk.
More From Fossbytes

Latest On Fossbytes

Find your dream job