Trend Micro researchers reported that ,”Malicious actors can use this type of service to register disposable accounts in bulk or create phone-verified accounts for conducting fraud and other criminal activities”. In the last two years, there has been an increase in short message service (SMS) phone-verified account (PVA) services. SMS PVA services provide customers with alternative mobile numbers to use when registering for online services and platforms.

These services prevent the SMS verification mechanisms commonly used by online platforms and services to authenticate new accounts. Malicious actors can create phone-verified accounts or register disposable accounts in bulk for criminal purposes.

The majority of the infections (47,357) are found in Indonesia, followed by Russia (16,157), Thailand (11,196), India (8,109), and France (5,548), Peru (4,915), Morocco (4,822), South Africa (4,413), Ukraine (2,920), and Malaysia (2,779). The majority of the devices affected are assembled by original equipment manufacturers such as Lava, ZTE, Mione, Meizu, Huawei, Oppo, and HTC.

One service, dubbed smspva[.]net, is made up of Android phones infected with SMS-intercepting malware, which the researchers believe could have happened in one of two ways: through malware downloaded accidentally by users or malicious software preloaded into the devices during manufacturing, implying a supply-chain compromise.

“Because of the scale at which SMS PVA is able to supply mobile numbers, the usual methods of ensuring validity such as blocking mobile numbers previously associated with account abuse or identifying numbers belonging to VoIP services or SMS gateways will not suffice.”

With online portals frequently authenticating new accounts by cross-checking the users’ location (i.e., IP address) against their phone numbers during registration, SMS PVA services circumvent this restriction by connecting to the desired platform through  residential proxies and VPNs.

Finally the researchers concluded that ,” these services only sell the one-time confirmation codes required during account registration, with the botnet operator employing an army of compromised devices to receive, examine and report the SMS verification codes without the owners’ knowledge or consent”.

Indicators of Compromise

Dex SHA 1Detection


  • Smspva[.]net
  • Enjoynut[.]cn
  • Sublemontree[.]com
  • Lemon91[.]com
  • Lemon91[.]top

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s