Published December 1, 2022
Author: Ash Khan

Users may unknowingly relay OTP codes to criminals.

Researchers have identified a malicious Android-based mobile app that converts smartphones into SMS relays used to validate various online identities.

At the time of writing, the app had more than 100,000 downloads on the Google Play Store and was still available for download.

OTPs are Important

When people register online accounts, they frequently need to authenticate their identities using their cell phones to ensure they are not bots or users spamming account registration. Users provide their phone numbers and receive a one-time passcode (OTP) that confirms their identification.

OTPs are one-time-use passwords that are produced automatically. Because the password changes every time and is only valid for a short time, you reduce the danger of unauthorized access to confidential digital information by sending an OTP by SMS to the connected phone number.

All about Symoo - SMS spoofing application

Being able to establish profiles online without having to give their phone numbers seems enticing for those trying to remain anonymous online, but the available techniques frequently put innocent people in danger.

A researcher from a cyber security website recently found Symoo, an app that bills itself as a “simple SMS application.” Instead, it just relays SMS-based OTP codes to anonymous users, who may include threat actors, in order for them to create accounts elsewhere. When users install the app, it asks for SMS permissions which, considering that it’s marketed as an SMS app, should come as no surprise. It then requests the user’s phone number and, if provided, displays a false loading screen with a progress bar.

In the background, remote operators trigger several two-factor authentication SMS texts to the phone, which the app relays to them, assisting them in creating accounts on various web applications. When this step is completed, the app freezes and appears to be inoperable.

Virtual Number applications

It was also discovered that the app shares the stolen SMS data with another app named Virtual Number, which is no longer available on the Play Store. However, the same developer offers a similar tool called “Activation PW – Virtual numbers” that provides real phone numbers to let anyone create accounts. Users may obtain a phone number for $0.50 and use it to authenticate an account through SMS. This app has had over 10,000 downloads.

Although there is nothing inherently wrong with a virtual number service (Google Voice offers one), users are advised to delete this application as soon as possible, as they otherwise risk becoming victims of fraud.

Best practices and applications for one-time password

OTP complexity: The complexity of an OTP is determined by the string of characters used. These characters can be letters, numbers, or a combination of the two. The length of the OTP should be 6 to 10 characters, which is comfortable for the user and difficult for an attacker to guess.

OTP should be highlighted: When we send an OTP to a user, it should be highlighted in the message. Make OTP the first line of your message, or make it bold if possible.

Allow retrying OTPs: The user should be able to request a new OTP if the channel fails or the OTP is entered incorrectly.

The channel should be ultra-secure: If your infrastructure or communication channel is not secure enough, your OTP authentication will be compromised. The most crucial practice for sending OTP is to invest in a secure infrastructure route. With IT Company SMS gateway service, you can send OTPs securely to your customers without any security threat.

Reputable service provider: A failed OTP delivery is bad for business, since on average a visitor leaves a website within 8 seconds. Always choose a reputable OTP service provider. It is critical to select a service that delivers on time and responds quickly.

Rate limiting: You don’t want a malicious person to trigger several OTPs for the same account at the same time. OTPs may be costly on some channels, and a flood of them can overload the system. To prevent this, a minimum time interval should be enforced between each OTP generated for a single account.
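As an added illustration (not code from the article or from the Symoo research), the Python class below applies several of the practices listed above in one place: a 6-digit code drawn from a cryptographic random source, a short validity window, a minimum interval between OTPs per account, a cap on wrong guesses, and single use. The validity window, resend interval and attempt cap are assumed values; the OTP length follows the 6-to-10-character guidance above.

```python
import hmac
import secrets
import string
import time

OTP_LENGTH = 6            # within the recommended 6 to 10 characters
OTP_TTL_SECONDS = 300     # assumed: a code stays valid for five minutes
RESEND_INTERVAL = 30      # assumed: minimum seconds between OTPs per account
MAX_ATTEMPTS = 5          # assumed: wrong guesses allowed before the code is voided


class OtpService:
    """Issues and verifies one-time passcodes per account, with rate limiting."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so tests can advance time
        self._issued = {}               # account -> [code, expires_at, attempts]
        self._last_sent = {}            # account -> timestamp of the last OTP issued

    def issue(self, account):
        """Generate a fresh OTP for the account, or None if the account is rate-limited."""
        now = self._now()
        last = self._last_sent.get(account)
        if last is not None and now - last < RESEND_INTERVAL:
            return None                 # too soon since the last code: refuse to send another
        # Digits only keeps the code easy to read in an SMS; string.ascii_uppercase
        # could be added to the alphabet for a letter/number mix.
        code = "".join(secrets.choice(string.digits) for _ in range(OTP_LENGTH))
        self._issued[account] = [code, now + OTP_TTL_SECONDS, 0]
        self._last_sent[account] = now
        return code                     # the caller puts this on the first line of the SMS

    def verify(self, account, submitted):
        """Return True exactly once for the correct, unexpired code; otherwise False."""
        entry = self._issued.get(account)
        if entry is None:
            return False                # nothing outstanding, or the code was already used
        code, expires_at, _ = entry
        if self._now() > expires_at:
            del self._issued[account]   # expired: void it so a stale code never works
            return False
        entry[2] += 1
        if entry[2] > MAX_ATTEMPTS:
            del self._issued[account]   # too many guesses: void the code rather than let it be brute-forced
            return False
        if hmac.compare_digest(code, submitted):   # constant-time comparison
            del self._issued[account]   # single use
            return True
        return False
```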

Conclusion

One-time passwords, as we now know, are positioned to boost security and eliminate hacked accounts, fraud, and other cybercrimes. One-time passwords enable your end-users to access your services in a simple yet secure manner, resulting in a better user experience.