{
	"id": "da93c8e5-3f57-4fdf-961e-ca6b7a018058",
	"created_at": "2026-04-06T00:14:24.375296Z",
	"updated_at": "2026-04-10T03:20:46.001706Z",
	"deleted_at": null,
	"sha1_hash": "c5785ab8588daa84149dbda9528b89b14c47f822",
	"title": "SMS PVA Services' Use of Infected Android Phones Reveals Flaws in SMS Verification",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50169,
	"plain_text": "SMS PVA Services' Use of Infected Android Phones Reveals Flaws\r\nin SMS Verification\r\nPublished: 2022-02-16 · Archived: 2026-04-05 15:44:17 UTC\r\nThis specific SMS PVA service provider is able to maintain many mobile numbers across different countries. It’s\r\nalso interesting to note that the cost of maintaining these numbers exceeds the service rates charged to customers\r\n— so how, therefore, does this service manage to continue its business operations?\r\nMalicious Android applications used to intercept SMS\r\nIn the course of our research, we found evidence that the capabilities of this particular SMS PVA operation are\r\nbuilt on Android phones infected with SMS-intercepting malware.\r\nWe investigated this by pivoting via the API URLs and the website itself. We found that the API name and\r\nfunctionality of smspva[.]net is unique, but as we see in Figure 2, enjoynut[.]cn has a very similar website\r\nhosted on the subdomain lm.enjoynut[.]cn.\r\nSmspva[.]net and lm.enjoynut[.]cn have the same login pages with the same logo, as well as the same API\r\ndocumentation. Upon comparing user traffic between the two domains, we observed that smspva[.]net receives far\r\nmore traffic. Because of this, we believe enjoynut[.]cn was used as a test server, while smspva[.]net is the\r\nproduction server.\r\nThe enjoynut[.]cn connection is an important pivot point as the domain is used by several Android malware\r\nvariants.\r\nThe DEX file of interest on the graph is a file with sha1 e83ec56dfb094fb87b57b67449d23a18208d3091, which\r\nwe detect as a variant of the AndroidOS_Guerilla malware. This particular DEX file uses cardking.ejoynut[.]cn as\r\nthe debug command and control (C\u0026C) and uses sublemontree[.]com as the production C\u0026C, as seen in the\r\nfollowing image. 
\r\nThis DEX file is designed to intercept the SMS received on the affected Android phone, check them against\r\nregular expression (regex) rules received from the C\u0026C, and then send the C\u0026C any text message that matches\r\nthe regular expression.\r\nUsing these code snippets and C\u0026C traffic as fingerprints, we were able to identify two more DEX files with the\r\nsame functionality but different C\u0026Cs, indicating an active development process and several versions of both the\r\ndevelopment code and production code of the Android malware.\r\nOnly text messages sent by specific services and matched by the regex provided by the C\u0026C were intercepted.\r\nThis is likely to prevent the user of the Android phone from discovering the malicious activity. The malware\r\nremains low-profile, collecting only the text messages that match the requested application so that it can covertly\r\ncontinue this activity for long periods. If the SMS PVA service allows its customers to access all messages on the\r\ninfected phones, the owners would quickly notice the problem. \r\nhttps://www.trendmicro.com/en_us/research/22/b/sms-pva-services-use-of-infected-android-phones-reveals-flaws-in-sms-verification.html\r\nPage 1 of 4\n\nThe SMS PVA service also controls the type of platforms that customers can receive text messages on (as listed in\r\nFigure 1). This means that the operators behind the service can make sure no obvious malicious activity occurs on\r\nthe infected phones. If the service, for example, allowed the theft of two-factor authentication (2FA) for banking\r\napps, then the real users would be alerted and take action, which would then result in the SMS PVA service losing\r\nits asset.  \r\nUse of residential proxies\r\nOnline platforms and services often authenticate new accounts by validating the location of the user during\r\nregistration. 
For example, an IP address might be required to match the geographical location of the phone number\r\nused for the account.   \r\nTo circumvent this, SMS PVA users use third-party IP masking services, such as proxies or virtual private\r\nnetworks (VPNs), to change the IP address that will be recorded when they try to connect to a desired service.\r\nUsing Trend Micro™ Smart Protection Network™ (SPN) telemetry, we have identified that the users of SMS PVA\r\nservices extensively use a variety of proxy services and distributed VPN platforms to bypass the IP geolocation\r\nverification checks. \r\nUser registration requests and SMS PVA API requests often come from an exit node of a VPN service or a\r\nresidential proxy system. This means that the users of SMS PVA services typically use them in combination with\r\nsome sort of residential proxy or a VPN service that allows them to select the country of the IP exit node to match\r\nthe telephone number used to register the service. \r\nSecurity implications of SMS PVA services and their effects on SMS verification \r\nSMS verification has become the default authentication method for many online platforms and applications. Many\r\nIT departments treat SMS verification as a “secure” black box validation tool for user accounts. Currently,\r\nhowever, online services and platforms should be wary about heavily relying on SMS verification. These SMS\r\nPVA services prove that cybercriminals are indeed able to defeat SMS verification at scale. This also means that\r\nthere could be authenticated and verified accounts on platforms that behave like bots, trolls, or fraudulent\r\naccounts. \r\n\"Authentic user behavior\" on certain platforms can be manipulated by malicious actors with SMS PVA accounts.\r\nThis means that a platform could incur increased costs due to scam and fraud. 
A platform might even be involved\r\n(directly or indirectly) with personal injury or damage to property.\r\nBased on previous uses of fake accounts, we can predict how threat actors will use these services in their scams\r\nand criminal activities.\r\nAnonymity tool\r\nCybercriminals use disposable numbers for many different activities because they can register accounts without\r\nworrying about being traced. Also, because the infected mobile phone numbers they use are attached to real\r\npeople, law enforcement inquests about their accounts will be traced to another person.\r\nWe saw one example of misuse linked to a buy-now-pay-later scheme. In this example, several malware samples\r\nused SMS PVA services to acquire phone numbers and linked those numbers to existing online payment service\r\naccounts. Afterward, the malicious actors attempted purchase transactions from an online shopping site. Although\r\nwe only identified a few samples of such activities, we believe that when automated, these accounts can be used at\r\nlarge to perform illicit purchases or money laundering.\r\nThese services can also be used to avoid responsibility for damages or illegal activity on commerce platforms. In\r\n2020, a Russian car-sharing service accused a man of being involved in a car accident. However, it was revealed\r\nthat the account used for the car-sharing service was a fraudulent account set up using the\r\naccused man’s name and disposable SIM cards for verification.\r\nCoordinated inauthentic behavior\r\nCoordinated inauthentic behavior is often used to distribute and amplify information (often misinformation) in\r\nsocial networks. This can be done at scale, fast, and with the necessary speed and precision using SMS PVA\r\nservices. 
Large campaigns can be used to manipulate public opinion on brands, services, political views, or\r\ngovernment programs such as vaccination campaigns. Organizers of fake news can even use SMS PVA services to\r\ncreate online troll armies.\r\nSome SMS PVA services have thousands of compromised smartphones spread across various countries. The\r\nservice can allow customers to register social media accounts in bulk and in specific countries that the actors\r\nbehind these services are targeting.\r\nAbuse of sign-on bonuses\r\nSign-on bonuses (often given whenever a new account is registered) can also be abused using the SMS PVA\r\nservice. For example, Bolt, a ride-hailing service popular in Eastern Europe, Africa, and Western Asia,\r\nincentivized new sign-ons by giving away free ride credits for every new account. Some SMS PVA services\r\nrealized this as a potential monetization scheme and even advertised having “unlimited discounted Bolt rides”\r\nto persuade people to use the SMS PVA service.\r\nConclusions and recommendations\r\nThe core security issue is that an enterprise has the ability to monitor and intercept text messaging from tens of\r\nthousands of devices all around the world, and then profit from this interception by offering the service to\r\nwhoever can pay for it. Another chilling thought is that the customizable regular expression patterns supplied by\r\nthe C\u0026C mean that the SMS interception capability is not limited to verification codes. It can also be extended to\r\nthe collection of one-time password (OTP) tokens or even used as a monitoring tool by oppressive regimes.\r\nThe SMS PVA service operation not only shows the inadequacy and insufficiency of one-time SMS verification as\r\nthe primary means of validation, but also highlights the need for better mobile security and privacy. The malware\r\nthat infects these phones might be unwittingly downloaded by users, or could imply a gap in supply-chain\r\nsecurity. 
\r\nTrend Micro is able to detect the malicious code and block traffic to C\u0026C servers. But a comprehensive solution\r\nrequires challenging built-in fundamental assumptions with respect to account verification, more effective content\r\nmoderation, and enhancing smartphone security.\r\nTo read more about this threat, download our research paper, “SMS PVA: An Underground Service Enabling\r\nThreat Actors to Register Bulk Fake Accounts.”\r\nIndicators of Compromise (IOCs)\r\nDex SHA1 | Detection\r\n24b24990937b4265e276db8271b309c05e1d374b | AndroidOS_Guerrilla.HRXD\r\n6a65e2a484f49e82a0cea5a1c2d5706314f0064a | AndroidOS_Guerrilla.HRXD\r\ne83ec56dfb094fb87b57b67449d23a18208d3091 | AndroidOS_Guerrilla.HRXD\r\nDomains:\r\nSmspva[.]net\r\nEnjoynut[.]cn\r\nSublemontree[.]com\r\nLemon91[.]com\r\nLemon91[.]top\r\nSource: https://www.trendmicro.com/en_us/research/22/b/sms-pva-services-use-of-infected-android-phones-reveals-flaws-in-sms-verification.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/b/sms-pva-services-use-of-infected-android-phones-reveals-flaws-in-sms-verification.html"
	],
	"report_names": [
		"sms-pva-services-use-of-infected-android-phones-reveals-flaws-in-sms-verification.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434464,
	"ts_updated_at": 1775791246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5785ab8588daa84149dbda9528b89b14c47f822.pdf",
		"text": "https://archive.orkl.eu/c5785ab8588daa84149dbda9528b89b14c47f822.txt",
		"img": "https://archive.orkl.eu/c5785ab8588daa84149dbda9528b89b14c47f822.jpg"
	}
}