An analysis of SMS phone-verified account (PVA) services has led to the discovery of a rogue platform built atop a botnet involving thousands of infected Android phones, once again underscoring the flaws with relying on SMS for account validation.
SMS PVA services, since gaining prevalence in 2018, provide users with alternative mobile numbers that can be used to register for other online services and platforms, and help bypass SMS-based authentication and single sign-on (SSO) mechanisms put in place to verify new accounts.
“This type of service can be used by malicious actors to register disposable accounts in bulk or create phone-verified accounts for conducting fraud and other criminal activities,” Trend Micro researchers said in a report published last week.
Telemetry data gathered by the company shows that most of the infections are located in Indonesia (47,357), followed by Russia (16,157), Thailand (11,196), India (8,109), and France (5,548), Peru (4,915), Morocco (4,822), South Africa (4,413), Ukraine (2,920), and Malaysia (2,779).
A majority of affected devices are budget Android phones assembled by original equipment manufacturers such as Lava, ZTE, Mione, Meizu, Huawei, Oppo, and HTC.
One particular service, dubbed smspva[.]net, comprises of Android phones infected with SMS-intercepting malware, which the researchers suspect could have happened in either of two ways: through malware downloaded accidentally by the users or through malicious software preloaded into the devices during manufacturing, implying a supply-chain compromise.
The underground VPA service advertises “bulk virtual phone numbers” for use on various platforms via an API, in addition to claiming to be in possession of phone numbers spanning across more than 100 countries.
The Guerrilla malware (“plug.dex“), for its part, is engineered to parse SMS messages received on the affected Android phone, check them against specific search patterns received from a remote server, and then exfiltrate the messages that match those expressions back to the server.
“The malware remains low-profile, collecting only the text messages that match the requested application so that it can covertly continue this activity for long periods,” the researchers said. “If the SMS PVA service allows its customers to access all messages on the infected phones, the owners would quickly notice the problem.”
With online portals often authenticating new accounts by cross-checking the location (i.e., IP address) of the users against their phone numbers during registration, SMS PVA services get around this restriction by making use of residential proxies and VPNs to connect to the desired platform.
What’s more, these services only sell the one-time confirmation codes needed at the time of account registration, with the botnet operator using the army of compromised devices to receive, examine, and report the SMS verification codes without the owners’ knowledge and consent.
In other words, the botnet facilitates easy access to thousands of mobile numbers in different countries, effectively enabling the actors to register new accounts en masse and use them for various scams or even participate in coordinated inauthentic user behavior.
“The presence of SMS PVA services makes another dent on the integrity of SMS verification as the primary means of account validation,” the researchers said.
“The scale to which SMS PVA is able to supply mobile numbers means that the usual methods to ensure validity — such as blocklisting mobile numbers previously tied to account abuse or identifying numbers belonging to VoIP services or SMS gateways — won’t be enough.”