<— Back

SMS PVA: how infected smartphones are used to register fake accounts

We currently live in a world where online identities are closely tied to our actual identities. One’s email account can be tied up to a food delivery app, a ride-hailing app, or a social media app. We let these apps interact with our personal and physical space by using it to buy physical items, avail of real world services, or share our locations, hobbies and people we interact with to the rest of the world. Because of this, user account authenticity and integrity is paramount. Without it, we won’t be able to trust if an account selling an item online is trustworthy, or if the car that is in front of you is really the one you booked through your ride hailing app. This is why platforms and services need to ensure a user account is created by an actual human and the most common way to accomplish this is through SMS verification during account creation.

SMS verification is a way to make sure a user account is tied to a working mobile number, with the assumption that the one creating the user account owns that active mobile number. However, malicious actors are findings ways to defeat this verification system in order to create fake user accounts that is then used for scams, spam campaigns or engage in inauthentic user behaviour. Our research dives into a group providing a service called SMS PVA (Phone Verified Accounts). This service is designed to defeat the SMS verification employed by apps and platforms during account creation, so nefarious actors can create accounts for their malicious purposes. Digging deeper, we found out this service is made possible because the group getting the SMS verification codes from thousands of infected Android phones. These are real phones, owned by real people, that is then registered to an online account without the phone owner knowing it. We were able to analyse the malicious Android plug-ins responsible for this as well as trace the domains and servers it reports to. We are also able to link the Android malware and its infrastructure to a group we believe is operating in China. We are able to gather statistics on which mobile phones are infected and from what region, as well as the apps and platforms that were affected by actors who availed of this SMS PVA service. The findings of our investigation challenges the effectiveness of SMS verification as the primary verification tool in creating user accounts. It also challenges the security of the Android software supply chain as our findings suggests the malicious plug-ins are installed due to a pre-existing compromise in the software update component of cheap white label phones. Finally, we have also seen the apps and platforms where fake accounts were created, and by virtue of matching