Short message service (SMS) verification has become the default authentication for many online services. These platforms assume that SMS verification is enough to guarantee the “one-account-per-person-per-phone” policy. In fact, many IT departments across the world treat SMS verification as a “secure” validation tool for user accounts.
Over the past couple of years, we have noticed an increase in online sellers offering SMS phone verified accounts (PVA) services. SMS PVA services are used to circumvent the SMS verification mechanism by providing their customers with mobile numbers to create accounts in various online services and platforms. However, this type of service can be abused by cybercriminals to register disposable accounts in bulk or create phone-verified accounts for purposes of conducting fraud or other criminal activities.
Unlike older PVA abuse methods, modern SMS PVA services only sell the actual verification codes needed at the time of account registration. Our investigation into SMS PVA services led us to discover that at least one operator has built their service on top of a botnet involving thousands of infected Android phones. There are two possibilities here: Phones might be infected through a piece of malware that is accidentally downloaded by the user, or phones might be preloaded with malware during manufacturing. We discuss these issues further in our full report.
The affected Android phones are used to receive, parse, and report the SMS verification codes without their owners’ knowledge and consent. By using infected phones and focusing on account verification codes, SMS PVA service operators can offer low-cost access to thousands of mobile numbers in different countries. This enables cybercriminals to register new accounts in bulk and use them for malicious activities.
This report outlines the crimes and actions that are enabled by such services, as well as the implications of these services with regard to the integrity of SMS account verification. Our full report dives into one specific SMS PVA service and shows exactly how it operates.