HTML Smuggling

A study of SMS phone-verified account (PVA) services has uncovered a rogue platform backed by a botnet. The platform has infected thousands of Android phones, and those infections highlight the downsides of relying on SMS for account validation.

SMS PVA services, which first became popular in 2018, give users the option to register with alternative phone numbers when signing up for online services and platforms. They help evade the SMS-based authentication and single sign-on (SSO) mechanisms that vet new accounts.

“This type of service can be used by malicious actors to register disposable accounts in bulk or create phone-verified accounts for conducting fraud and other criminal activities,” Trend Micro researchers said in a report published last week.

The company collected telemetry data that shows most infections happened in (47,357), followed by Russia (16,157), Thailand (11,196), India (8,109), France (5,548), Peru (4,915), Morocco (4,822), South Africa (4,413), Ukraine (2,920), and Malaysia (2,779).

LAVA, ZTE, Mione, Meizu, Huawei, Oppo, and HTC budget Android phones were most affected by the botnet.


The service, dubbed smspva[.]net, is built on Android phones infected with SMS-intercepting malware, which the researchers infer arrived in one of two ways: malware unwittingly downloaded by the user, or malicious software installed during manufacturing, which would mean a supply-chain compromise.

The underground PVA service promotes "bulk virtual phone numbers" for use on various platforms via an API, and claims to hold phone numbers spanning more than 100 countries.

The Guerrilla malware (“plug.dex”) was designed to examine SMS messages received on the compromised Android phone, match them with specific search patterns received from a remote server, and then send the messages that match the expression to the server.

“The malware remains low-profile, collecting only the text messages that match the requested application so that it can covertly continue this activity for long periods,” the researchers said. “If the SMS PVA service allows its customers to access all messages on the infected phones, the owners would quickly notice the problem.”

With online portals often authenticating new accounts by cross-checking the location (i.e., IP address) of the users against their phone numbers during registration, SMS PVA services get around this restriction by using residential proxies and VPNs to connect to the desired platform.
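The location-versus-phone-number cross-check described above is the control these services are built to defeat, so a single mismatch signal is easy to launder through a residential proxy. The example below is added here and is not code from the report or from Trend Micro; it sketches a defender-side sign-up risk check that combines three signals the article mentions: the country implied by the phone number's calling code against the IP-geolocated country, whether the source IP is a known proxy or VPN exit, and reuse of the same number across many registrations (the bulk pattern PVA customers rely on). The calling-code table, the sign-up records and the proxy flag are all constructed for illustration; a real deployment would source them from a numbering-plan library, its own sign-up log and an IP-reputation feed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed subset of E.164 country calling codes -> ISO 3166 country codes.
# Assumption: a production system would use a full numbering-plan library.
CALLING_CODES = {
    "1": "US", "7": "RU", "27": "ZA", "33": "FR", "51": "PE", "60": "MY",
    "62": "ID", "66": "TH", "91": "IN", "212": "MA", "380": "UA",
}

# Constructed sign-up records. "proxy" stands in for an IP-reputation
# lookup that marks residential-proxy / VPN exits (assumed data source).
SIGNUPS = [
    {"id": "s1", "phone": "+6281200000001", "ip_country": "ID", "proxy": False},
    {"id": "s2", "phone": "+7921000000002", "ip_country": "DE", "proxy": True},
    {"id": "s3", "phone": "+7921000000002", "ip_country": "NL", "proxy": True},
    {"id": "s4", "phone": "+7921000000002", "ip_country": "US", "proxy": True},
    {"id": "s5", "phone": "+33612000000",   "ip_country": "FR", "proxy": False},
    {"id": "s6", "phone": "+66812000000",   "ip_country": "BR", "proxy": False},
]


def phone_country(e164: str) -> Optional[str]:
    """Map an E.164 number to a country via its calling code (longest prefix wins)."""
    m = re.fullmatch(r"\+(\d{6,15})", e164)
    if not m:
        return None
    digits = m.group(1)
    for length in (3, 2, 1):            # calling codes are 1-3 digits
        code = digits[:length]
        if code in CALLING_CODES:
            return CALLING_CODES[code]
    return None


def score_signup(signup: dict, reuse_counts: Counter, reuse_threshold: int = 3) -> List[str]:
    """Return the list of risk reasons that apply to one sign-up record."""
    reasons = []
    country = phone_country(signup["phone"])
    if country is None:
        reasons.append("unparseable_phone")
    elif country != signup["ip_country"]:
        reasons.append(f"country_mismatch:{country}!={signup['ip_country']}")
    if signup["proxy"]:
        reasons.append("proxy_or_vpn_ip")
    seen = reuse_counts[signup["phone"]]
    if seen >= reuse_threshold:
        reasons.append(f"phone_reused:{seen}")
    return reasons


def flag_signups(signups: List[dict], reuse_threshold: int = 3,
                 min_reasons: int = 2) -> Dict[str, List[str]]:
    """Flag sign-ups that trip at least `min_reasons` independent signals.

    Requiring two signals keeps a lone country mismatch (a traveller, a
    roaming SIM) from being blocked on its own, while the proxy + reuse
    combination that PVA-backed bulk registration produces is caught.
    """
    counts = Counter(s["phone"] for s in signups)
    flagged = {}
    for s in signups:
        reasons = score_signup(s, counts, reuse_threshold)
        if len(reasons) >= min_reasons:
            flagged[s["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for sid, why in flag_signups(SIGNUPS).items():
        print(sid, why)
```

In the constructed data, s2 through s4 share one Russian number used from three different countries through proxy exits and are flagged on all three signals, while s6 (a Thai number registering from a Brazilian IP with no other signal) is left alone under the default two-signal threshold. Tuning `min_reasons` and `reuse_threshold` is where the false-positive trade-off lives.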