Often online services require you to enter a one-time code that is sent to your cell phone number to verify your account. But what happens if you don't have a phone number or live in a country where certain apps or services are banned?

In such cases, many users use a virtual number to receive a one-time code so that they can verify their new account.

According to BleepingComputer (opens in new tab), security researchers at cybersecurity firm Evina have discovered a fake for Android that secretly uses the phone number of the person who installed it to send one-time codes for other users SMS apps have been discovered.

The app in question is called Symoo and has been downloaded over 100,000 times. As of this writing, it is no longer available in the Google Play Store. However, it has a 3.4 star rating, despite many users complaining that it is fake.

After being installed on a user's device, Symoo requests permission to send and receive text messages. The app then asks the user to provide a phone number and displays a fake loading screen as an overlay. During this time, the creator of this malicious app sends multiple two-factor authentication (2FA) text messages to help others create and verify new online accounts.

Once the fake loading screen disappears, the app freezes and the person who installed it is unable to use it for its intended purpose. Most users then uninstall Symoo, but the cybercriminals behind it already know your phone number, so the damage is already done.

Maxime Ingrao, the security researcher who discovered Symoo, also found that SMS data extracted from Symoo was sent to a domain used by an app called Virtual Number. It was removed from the Play Store.

In a statement to Tom's Guide, a Google spokesperson provided further insight into the issue, stating:

"The apps identified - Symoo (com.vanjan.sms) and ActivationPW (com. programmatics.activation) - have been removed from Google Play and the developers have been banned."

If you download Symoo or any other questionable SMS app, you should remove it immediately. However, as mentioned earlier, as long as your phone number is in the hands of cybercriminals, the damage has already been done. Therefore, if you do not want to be constantly intercepted with one-time codes by other users trying to create accounts, you may want to consider changing your phone number.

At the same time, be especially careful when downloading new apps to your Android smartphone; Google Play Protect can scan for malware in new apps and apps installed on the device, but an elaborate scam, it does not. However, we recommend that you consider installing one of the best Android antivirus apps to enhance your protection against other threats.

When it comes to protecting your phone number, you should avoid giving it away freely and use a third-party SMS app instead of the one installed on your phone. there are reputable text messaging apps for Android, but your own phone number is not worth the risk of having it published online.

Read next: for something more upbeat, read how Starfield has a survival element but doesn't warp your mind with boring tasks.