Most websites have adopted a mandatory verification through SMS message for account creation and authentication. Because of these requirements, threat groups have had to become crafty, deploying new methods in order to bypass these security features. At first, criminal actors primarily relied upon Google Voice numbers and “burner phone” numbers. However, with websites also advancing, most of those options are no longer valid when setting up an account. Due to the current situation, the only way threat actors can set up fraudulent accounts is by purchasing access to a stolen phone number for which an OTP can be intercepted. Whenever downloading applications from any of the app stores, it is important to understand that some malicious apps may have bypassed security. Reviews of apps should always be read before downloading, and apps that have fewer reviews or downloads should be avoided.
https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/
