Roughly 18,000 Android applications built using the Taomike SDK, one of the largest mobile advertisement solution platforms in China, have been found to include SMS theft functionality.
The Taomike SDK, which helps developers display advertisements in their mobile apps, has been used in over 63,000 Android apps, but only around 18,000 of them have been observed to exhibit the message-stealing functionality, according to Palo Alto Networks, which made the discovery. The security firm also notes that these applications have been grabbing copies of all messages sent to infected devices since August 1, 2015.
The applications are being distributed through third-party mechanisms in China and are not available in the Google Play store, and all of them include a specific library that enables the malicious behavior. This is the “zdtpay” SDK library, a component of Taomike’s in-app purchase (IAP) system, which has been designed to capture all messages on the affected device and send them to the company’s servers.
According to Palo Alto Networks, only newer versions of the Taomike SDK, those released around August 2015, appear to include the nefarious library. Earlier SDK releases ship the older version of the library and should be safe, which explains why only a subset of the applications built with the SDK are compromised.
The SMS-stealing functionality has been found inside applications that contain the embedded URL hxxp://126.96.36.199/2c.php, the address to which the stolen messages are uploaded. The IP address in the URL belongs to the Taomike API server, which the company also uses for other services.
The offending library was found to request both network and SMS access permissions, and to register a receiver named com.zdtpay.Rf2b for the SMS_RECEIVED and BOOT_COMPLETED actions with high priority. The Rf2b receiver reads messages as soon as they arrive and collects both the message body and the sender, the security firm said.
Additionally, if the device is rebooted, the MySd2e service is started, which re-registers the Rf2b receiver so the collection survives a restart. All of the collected SMS information is saved in a hashmap with “other” as the key and is uploaded to the 188.8.131.52 IP address. Every message received by the device is collected and uploaded, not only those relevant to the advertising platform.
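The pattern described above (a receiver registered for SMS_RECEIVED and BOOT_COMPLETED at high priority, in an app that also holds the INTERNET permission, plus a hard-coded upload URL) is easy to triage statically. The following Python script is an added example written for this article; it is not code from Palo Alto Networks or Taomike. It checks a decoded AndroidManifest.xml for SMS-intercepting receivers and searches a raw strings dump for the upload URL and the zdtpay class descriptor. The sample manifest and strings dump are constructed for the example; the package name `com.example.game` and the exact priority value are assumptions, and the upload URL is the one quoted in the article with its defanged `hxxp://` restored.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
# Upload URL quoted in the article (defanged there as hxxp://), re-fanged for matching.
UPLOAD_URL = "http://126.96.36.199/2c.php"
# Class-name prefix of the offending zdtpay library named in the article.
KNOWN_BAD_PREFIXES = ("com.zdtpay.",)


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_sms_interceptors(manifest_xml, bad_prefixes=KNOWN_BAD_PREFIXES):
    """Return one finding per <receiver> whose intent filters include SMS_RECEIVED.

    A finding records the receiver class, the highest intent-filter priority,
    whether the same receiver also wakes on BOOT_COMPLETED, whether the app holds
    both RECEIVE_SMS and INTERNET (read + exfiltrate), and whether the class name
    matches a known-bad prefix.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    findings = []
    for receiver in root.iter("receiver"):
        name = _attr(receiver, "name") or ""
        if name.startswith("."):  # relative class name: qualify it with the package
            name = package + name
        actions, priority = set(), 0
        for flt in receiver.findall("intent-filter"):
            p = _attr(flt, "priority")
            if p is not None:
                priority = max(priority, int(p))
            actions.update(_attr(a, "name") for a in flt.findall("action"))
        if SMS_RECEIVED not in actions:
            continue
        findings.append({
            "receiver": name,
            "priority": priority,
            "boot_persistent": BOOT_COMPLETED in actions,
            "can_exfiltrate": {"android.permission.RECEIVE_SMS",
                               "android.permission.INTERNET"} <= perms,
            "known_bad_name": name.startswith(bad_prefixes),
        })
    return findings


def scan_strings(blob, indicators=(UPLOAD_URL, "Lcom/zdtpay/Rf2b;")):
    """Search a raw byte dump (e.g. of classes.dex) for the upload URL and class descriptor."""
    text = blob.decode("latin-1")
    return [i for i in indicators if i in text]


def triage(manifest_xml, strings_blob):
    """True when the app shows the SMS-theft pattern: an SMS receiver in an app that can
    exfiltrate, combined with either the known-bad class name or the upload URL."""
    findings = find_sms_interceptors(manifest_xml)
    hits = scan_strings(strings_blob)
    return any(f["can_exfiltrate"] and (f["known_bad_name"] or UPLOAD_URL in hits)
               for f in findings)


# Constructed sample manifest modelled on the article's description; package name
# and priority value are assumptions, not taken from a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Game">
    <receiver android:name="com.zdtpay.Rf2b">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name="com.zdtpay.MySd2e"/>
    <receiver android:name=".UpdateReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_REPLACED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed fragment of a strings dump of classes.dex, for the example only.
SAMPLE_STRINGS = (b"Lcom/zdtpay/Rf2b;\x00Lcom/zdtpay/MySd2e;\x00"
                  b"http://126.96.36.199/2c.php\x00other\x00")

if __name__ == "__main__":
    for finding in find_sms_interceptors(SAMPLE_MANIFEST):
        print(finding)
    print("string hits:", scan_strings(SAMPLE_STRINGS))
    print("matches SMS-theft pattern:", triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

On a real APK, `apktool d app.apk` produces the decoded text AndroidManifest.xml the first function expects, and `strings classes.dex` (or the raw file bytes) serves as input to the second. The check on its own is a triage signal, not proof: a legitimate SMS or payment app registers for SMS_RECEIVED too, which is why the verdict also requires the known class name or the upload URL.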
Although only 18,000 applications using the Taomike SDK are known to steal SMS messages at the moment, that number might grow as more developers adopt the newer version of the SDK that carries the offending library. These applications are not limited to a single developer or third-party store, as the advertising platform is highly popular in China.
The researchers at Palo Alto Networks explain that only users in China are affected at the moment, and that those who install software solely from the Google Play store are safe. Additionally, they note that with Android 4.4 KitKat Google restricted SMS handling for applications that are not the default SMS application. Worth keeping in mind is what that restriction actually covers: since KitKat only the default SMS app receives the SMS_DELIVER broadcast and can write to the SMS provider, but any app holding the RECEIVE_SMS permission still receives the SMS_RECEIVED broadcast that the Rf2b receiver registers for, and merely loses the ability to abort it. The KitKat change therefore stops a high-priority receiver from hiding messages from the user, not from reading them.
Monetization platforms are a common way of boosting revenue, especially since they offer libraries that developers can integrate into their applications with little effort. However, third-party advertising platforms are not always trustworthy, and developers using such solutions are advised to review the permissions and network endpoints of the libraries they embed, and to monitor their apps for abnormal behavior, to ensure the safety of their users.
Earlier this month, the Kemoge malicious adware campaign was found infecting Android users in 20 countries through popular Android apps, including browsers, calculators, games, device lockers and sharing tools. Last month, a sophisticated CAPTCHA-bypassing Android malware was discovered in games and apps in Google Play, estimated to have caused over $250,000 in losses.