What usually happens is that the app on the phone (whether a legit one or a sneaky one) sends a message to a shortcode. The message has the sender ID when collected by the server. That's how the app can be informed of the phone number. Some encryption is usually done to the info sent to prevent spurious messages going to the shortcode.
