Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

SMS Stealing Library Found in 18,000 Android Applications

Roughly 18,000 Android applications built using the Taomike SDK, one of the largest mobile advertisement solution platforms in China, have been found to include SMS theft functionality.

Roughly 18,000 Android applications built using the Taomike SDK, one of the largest mobile advertisement solution platforms in China, have been found to include SMS theft functionality.

The Taomike SDK, which helps developers display advertisements in their mobile apps, has been used in over 63,000 Android apps, but only around 18,000 of them have been observed to exhibit the message stealing functionality, according to Palo Alto Networks, which made the discovery. The security firm also notes that these applications have been grabbing copies of all messages sent to infected devices since  August 1.

The applications are being distributed through third-party mechanisms in China and are not available in the Google Play store, and all of them include specific library that enables the malicious behavior. This is the “zdtpay” SDK library, which is a component of Taomike’s in-app purchases (IAPs) system, and which has been designed to capture all messages from the affected device and send them to the company’s servers.

According to Palo Alto Networks, only a newer version of the Taomike SDK appears to include the nefarious library, namely those released around August 2015. Earlier SDK releases should be safe, given that they include the older version of the library, which explains why only some of the applications built with the SDK are compromised.

The SMS stealing functionality has been found inside applications that contain the embedded URL hxxp://, which represents the address to which the stolen messages are uploaded. The IP address in the URL belongs to the Taomike API server, and the company is using the server for other services as well.

The offending library was found to request both network and SMS access permissions, as well as to register receiver name com.zdtpay.Rf2b for SMS_RECEIVED and BOOT_COMPLETED actions with high priority. The receiver Rf2b reads messages as soon as they arrive and collects both the message body and the sender, the security firm said.

Additionally, if the device is rebooted, the MySd2e service is started to register a receiver for the Rf2b. All of the collected SMS information is saved in a hashmap with “other” as the key and is uploaded to the IP address. All of the messages received by the device are collected and uploaded, not only those that are relevant to the advertising platform.

Although only 18,000 applications using the Taomike SDK are known to steal SMS messages at the moment, their number might increase as more developers start using the newer version of the offending library. These applications are not limited to a single developer or third party store, as the advertising platform is highly popular in China.

The researchers at Palo Alto Networks explain that only users in China are affected at the moment, and that those who install software solely from the Google Play store are safe. Additionally, they note that with Android 4.4 KitKat Google started preventing applications from capturing SMS messages if they are not the default SMS application.

Monetization platforms represent a common way of boosting profits, especially since they offer libraries that developers can easily integrate into their applications. However, third-party advertising platforms are not always trustworthy, and developers using such solutions are advised to monitor their programs for abnormal behavior to ensure the safety of their users.

Earlier this month, the Kemoge malicious adware campaign was found infecting Android users in 20 countries through popular Android apps, including browsers, calculators, games, device lockers and sharing tools. Last month, a sophisticated CAPCHA-bypassing Android malware was discovered in games and apps in Google Play, estimated to have caused over $250,000 in loses.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.