Part two of our blog entry discussed the impacts and implications of SMS PVA services. The article also explored how these services work by using Carousell as an example. Moreover, it discussed the “benefits” of SMS PVA services to cybercriminals.
In the final installment of our series, we’ll discuss relevant statistics and recommendations to mitigate the threats that SMS PVA services pose.
In the screenshots above, ReceiveCode posted the top countries that use their services. From that information, we see that Thailand, Indonesia, South Africa, the United States, Russia, Colombia, Bangladesh, Mexico, Turkey, Angola and India routinely make up the top 10 countries with smartphones affected by smspva.net.
The country infection distribution differs somewhat when we base it on Trend Micro’s SPN telemetry data, due to market distribution, but we can verify that Indonesia, Russia, Thailand, and India are indeed among the top countries with infected Android phones.
Using the same telemetry data, we can map the user-agent of the infected devices to what is most likely the brand and phone model. The following diagram shows a breakdown of the mobile phones that we identified to be communicating with smspva.net’s information collection backend:
The affected devices are mostly budget brands manufactured in China. Lava is an Indian brand, but some of its models are manufactured in China; the Iris 88 models seen here are among those.
This indicates there might be a supply chain compromise somewhere along the manufacturing of these budget devices, such that they come pre-installed with the SMS interception dex file or with a downloader that installs it at a later time.
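The user-agent-to-model mapping described above can be sketched as follows. This is an added example, not Trend Micro's tooling: the brand prefix table, the "ExamplePhone" brand and the sample user-agent strings are constructed assumptions.

```python
import re
from collections import Counter

# Hypothetical prefix-to-brand table; a real one would come from a device database.
BRAND_PREFIXES = {"lava": "Lava", "examplephone": "ExamplePhone"}

_COMMENT = re.compile(r"\(([^)]*)\)")  # first "(...)" holds the platform tokens
_LOCALE = re.compile(r"^[a-z]{2}(?:[-_][A-Za-z]{2})?$")  # e.g. "en-us" in older UAs

def parse_model(ua):
    """Return the device model from an Android user-agent, or None."""
    m = _COMMENT.search(ua)
    tokens = [t.strip() for t in m.group(1).split(";")] if m else []
    for i, tok in enumerate(tokens):
        if not tok.startswith("Android"):
            continue
        for cand in tokens[i + 1:]:
            if cand in ("U", "wv") or _LOCALE.match(cand):
                continue  # encryption flag, WebView marker or locale, not a model
            model = re.split(r"\s*Build/", cand)[0].strip()
            # Chrome's reduced UA reports the fixed model "K": no signal.
            return model if model and model != "K" else None
    return None

def brand_of(model):
    """Best-effort brand guess from the start of the model string."""
    low = model.lower()
    for prefix, brand in BRAND_PREFIXES.items():
        if low.startswith(prefix):
            return brand
    return "unknown"

def tally(user_agents):
    """Count (brand, model) pairs, case-folded so 'LAVA' and 'Lava' merge."""
    counts = Counter()
    for ua in user_agents:
        model = parse_model(ua)
        if model:
            counts[(brand_of(model), model.lower())] += 1
    return counts

# Constructed sample user-agents (not taken from real telemetry).
SAMPLE = [
    "Dalvik/2.1.0 (Linux; U; Android 7.0; LAVA iris88 Build/NRD90M)",
    "Mozilla/5.0 (Linux; Android 7.0; Lava Iris88 Build/NRD90M; wv) AppleWebKit/537.36",
    "Dalvik/1.6.0 (Linux; U; Android 4.4.2; en-us; ExamplePhone A1 Build/KOT49H)",
]

if __name__ == "__main__":
    print(tally(SAMPLE).most_common())
```

A breakdown like this is only as reliable as the user-agent itself: reduced or spoofed user-agents yield no model and are dropped rather than guessed.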
Most of the affected services are messaging apps like LINE, WeChat, Telegram, and WhatsApp. Social media platforms like TikTok, Twitter, and Facebook are also affected.
Messaging apps are currently the biggest target of smspva.net users and can be linked to increased spam and fraud from fake accounts on these platforms. There have been increased reports of scams such as romance, stock pump-and-dump, tourist attraction, and impersonation scams on messaging platforms, with accounts most likely created using SMS PVA services.
We used to enjoy the anonymity that the internet offers, but as our online identities become more connected with our real-world personas, the need for verified accounts becomes increasingly important to assure authentic behavior and prevent real-world harm.
As of now, SMS verification is the only widespread mechanism to ensure accounts are created by and for real people, not bots, fake personalities, or troll farms. The existence of SMS PVA services brings to light the inadequacy of one-time SMS verification as the only means to validate if an account is created by a real person.
Here are some recommendations we have to mitigate threats brought about by services like smspva.net.
For Online Platforms and Services
For Smartphone Vendors
To learn more about SMS PVA and how they can enable threat actors, download the full white paper here.