ALPS blog

Part two of our blog entry discussed the impacts and implications of SMS PVA services. The article also explored how these services work by using Carousell as an example. Moreover, it discussed the “benefits” of SMS PVA services to cybercriminals.

In the final installation of our series, we’ll discuss relevant statistics and recommendations to mitigate the threats that SMS PVA services pose.

Geographical distribution

Figure 1. ReceiveCode’s Facebook and Telegram posts

In the screenshots above, ReceiveCode posted the top countries that use its services. From that information, we see that Thailand, Indonesia, South Africa, the United States, Russia, Colombia, Bangladesh, Mexico, Turkey, Angola and India routinely make up the top 10 countries with smartphones affected by smspva.net.

The country distribution differs somewhat when based on Trend Micro’s SPN telemetry data, owing to differences in market share, but we can verify that Indonesia, Russia, Thailand, and India are indeed among the top countries with infected Android phones.

Figure 2. Infected countries

Using the same telemetry data, we can map the user-agent of the infected devices to what is most likely the brand and phone model. The following diagram shows a breakdown of the mobile phones that we identified to be communicating with smspva.net’s information collection backend:

[Figure 3 chart: infected smartphone brands and models identified from user-agents; brands shown include Huawei, Honor, HTC, Oppo, Meizu, Lava, MiOne and ZTE, with models such as Huawei nova 6, P20 Pro, Mate 20 Pro, Honor 5X, Lava Iris 88 and ZTE Blade 3]
Figure 3. Infected smartphone brands and models

The affected devices are mostly budget brands manufactured in China. Lava is an Indian brand, but some of its models are manufactured in China; the Iris 88 seen here is one of them.

This suggests a supply chain compromise somewhere in the manufacturing of these budget devices, such that they come pre-installed with the SMS interception DEX file, or with a downloader that installs it at a later time.

[Figure 4 chart: number of affected accounts per online platform or service, ordered from LINE, WeChat, WhatsApp and PayPal down through Jingdong, Twitter, 17LIVE, Facebook, Telegram, MeMe, Apple ID, EME Hive, Alipay and a long tail of smaller services such as Google Voice, KakaoTalk, Poshmark and DIDI FOOD]
Figure 4. Affected online platforms and services

Most of the affected services are messaging apps like LINE, WeChat, Telegram, and WhatsApp. Social media platforms like TikTok, Twitter, and Facebook are also affected.

Messaging apps are currently the biggest target of smspva.net users and can be linked to increased spam and fraud from fake accounts on these platforms. There have been increased reports of scams such as romance, stocks pump-and-dump, tourist attraction, and impersonation scams on messaging platforms, with accounts most likely created using SMS PVA services.

Recommendations

We used to enjoy the anonymity that the internet offers, but as our online identities become more connected with our real-world personas, the need for verified accounts becomes increasingly important to assure authentic behavior and prevent real-world harm.

As of now, SMS verification is the only widespread mechanism to ensure accounts are created by and for real people, not bots, fake personalities, or troll farms. The existence of SMS PVA services brings to light the inadequacy of one-time SMS verification as the only means to validate if an account is created by a real person.

Here are some recommendations we have to mitigate threats brought about by services like smspva.net.

For Online Platforms and Services

  • Keep in mind that one-time SMS verification is not enough. As it stands, SMS PVA services abuse the fact that SMS verification is only being done once during account creation. This abuse can be countered by having periodic verifications to ensure that the mobile number used to verify the account is really the day-to-day mobile number used by the account owner. On the other hand, some applications send in-app verifications if the application is detected to be online. Still, this type of verification does not prevent the use of SMS PVA services for acquisition of application accounts.
  • Exercise caution when launching sign-up or in-game bonus programs with monetary value. We have seen groups quickly monetize sign-up and in-game bonuses because of their ability to create bulk accounts. More stringent measures should be taken when launching these programs, and companies should implement additional verifications on top of SMS verification to prevent abuse.
  • Check the origin country of the mobile phone against the account profile created to help detect some fake accounts. For example, if the mobile number does not match the ethnic origin, language, profile photo, and/or login IP address of the created account, such a mismatch is a red flag. Additionally, if the user activity does not match the typical behavior of a user from that particular region, this is also a sign that the account was possibly registered using SMS PVA services and should require additional verification.
  • Look out for the reuse of a profile avatar image or profile attribute, as this is also a red flag. This is particularly applicable to accounts created for romance, spam, and stocks investment scams. These accounts are created in bulk, with photos of attractive persons reused as profile photos, and names for the accounts randomly generated.
  • Advise investigators to pivot off the content in the messages. Most fake accounts post or send the same messages, which can be used as an initial pivot to investigate the veracity of the account.
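As an added example (not from the original post or from Trend Micro), the following Python sketch turns the platform-side signals above into a sign-up triage scorer run over constructed account records; the country-to-language table, the geolocated login-IP field and the sample accounts are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed mapping of phone-number country to the language usually expected
# from a user in that region (assumption; a real table would be fuller and
# allow several languages per country).
COUNTRY_LANG = {"ID": "id", "TH": "th", "RU": "ru", "US": "en"}

@dataclass
class Account:
    user_id: str
    phone_country: str     # country of the mobile number used for SMS verification
    login_ip_country: str  # country geolocated from the sign-up/login IP (assumed available)
    profile_language: str  # language of the profile text and messages
    avatar_hash: str       # hash of the uploaded profile photo
    first_message: str     # first outbound message after account creation

def triage(accounts):
    """Return {user_id: [reasons]} for accounts that warrant extra verification.
    Signals: phone/IP country mismatch, language unusual for the phone's region,
    avatar reuse, and identical message content across accounts."""
    avatar_counts = Counter(a.avatar_hash for a in accounts)
    message_counts = Counter(a.first_message.strip().lower() for a in accounts)
    flagged = {}
    for a in accounts:
        reasons = []
        if a.phone_country != a.login_ip_country:
            reasons.append("phone/login-IP country mismatch")
        expected_lang = COUNTRY_LANG.get(a.phone_country)
        if expected_lang and expected_lang != a.profile_language:
            reasons.append("profile language unusual for phone country")
        if avatar_counts[a.avatar_hash] > 1:
            reasons.append("avatar reused across accounts")
        if message_counts[a.first_message.strip().lower()] > 1:
            reasons.append("identical first message across accounts")
        if reasons:
            flagged[a.user_id] = reasons
    return flagged

# Constructed sample sign-ups: u1 and u4 look legitimate, u2 and u3 look bulk-created.
SAMPLE_ACCOUNTS = [
    Account("u1", "ID", "ID", "id", "sha256:a1", "hi, is this item still available?"),
    Account("u2", "ID", "US", "en", "sha256:a2", "invest now for guaranteed returns"),
    Account("u3", "TH", "US", "en", "sha256:a2", "Invest now for guaranteed returns "),
    Account("u4", "US", "US", "en", "sha256:a4", "thanks for the quick reply"),
]

if __name__ == "__main__":
    for uid, reasons in triage(SAMPLE_ACCOUNTS).items():
        print(uid, "->", "; ".join(reasons))
```

Flagged accounts are candidates for the periodic or in-app re-verification described above, not automatic bans, since a single mismatch (a traveller, an expatriate) is common.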

For Smartphone Vendors

  • Ensure the provenance of the devices you sell under your brand name. There have been well-documented cases where devices were pre-infected with malware. We recommend checking our list of devices in the statistics section to see which companies are involved in the manufacturing process, both in the assembly and in firmware creation. Other security vendors have also published lists of identified devices in previous supply-chain compromises. It would be wise to check the common vendors involved and take appropriate action.
  • Practice vigilance with respect to ROM images and updates. Ensure that all the applications included in default ROM images of the devices, the ROM image itself, and the components that perform ROM update (FOTA/OTA) are trusted and/or come from trusted sources.

For Consumers

  • Consider security when buying your smartphone. Research into your mobile phone manufacturer and find out if it has a good reputation for security before making a purchase.
  • Secure your phone. Make sure there is no malware running in your smartphone that allows these SMS PVA services to abuse your mobile number. 
  • Periodically analyze the contents of the device. Trend Micro offers Mobile Security Solutions to detect and mitigate malicious applications. 
  • Choose only trusted applications. Do not install untrusted applications or applications from untrusted sources on your device. 
  • Be careful with regard to ROM images. Do not use unverified ROM images on your phone.

To learn more about SMS PVA services and how they can enable threat actors, download the full white paper here.