SMS Stealing Library Found in 18,000 Android Applications

Roughly 18,000 Android applications built using the Taomike SDK, one of the largest mobile advertisement solution platforms in China, have been found to include SMS theft functionality.

The Taomike SDK, which helps developers display advertisements in their mobile apps, has been used in over 63,000 Android apps, but only around 18,000 of them have been observed to exhibit the message stealing functionality, according to Palo Alto Networks, which made the discovery. The security firm also notes that these applications have been grabbing copies of all messages sent to infected devices since August 1.

The applications are being distributed through third-party mechanisms in China and are not available in the Google Play store, and all of them include a specific library that enables the malicious behavior. This is the “zdtpay” SDK library, a component of Taomike’s in-app purchases (IAPs) system, which has been designed to capture all messages from the affected device and send them to the company’s servers.

According to Palo Alto Networks, only newer versions of the Taomike SDK, namely those released around August 2015, appear to include the nefarious library. Earlier SDK releases should be safe, given that they include the older version of the library, which explains why only some of the applications built with the SDK are compromised.

The SMS stealing functionality has been found inside applications that contain the embedded URL hxxp://112.126.69.51/2c.php, which represents the address to which the stolen messages are uploaded. The IP address in the URL belongs to the Taomike API server, and the company is using the server for other services as well.

The offending library was found to request both network and SMS access permissions, and to register a receiver named com.zdtpay.Rf2b for the SMS_RECEIVED and BOOT_COMPLETED actions with high priority. The Rf2b receiver reads messages as soon as they arrive and collects both the message body and the sender, the security firm said.

Additionally, if the device is rebooted, the MySd2e service is started to re-register the Rf2b receiver. All of the collected SMS information is saved in a hashmap with “other” as the key and is uploaded to the 112.126.69.51 IP address. All of the messages received by the device are collected and uploaded, not only those that are relevant to the advertising platform.
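The manifest-level indicators described above (RECEIVE_SMS plus INTERNET permissions, a receiver named com.zdtpay.Rf2b, and a high-priority SMS_RECEIVED/BOOT_COMPLETED intent filter) can be checked statically in a decoded AndroidManifest.xml. The following triage script is an added example, not code from the article or from Palo Alto Networks; the sample manifest is constructed, and the priority threshold of 1000 is an assumption, not a value the article gives.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace (android:name, android:priority).
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = lambda attr: f"{{{ANDROID_NS}}}{attr}"

# Indicators taken from the article: receiver class, registered actions, requested permissions.
SUSPECT_RECEIVER = "com.zdtpay.Rf2b"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
HIGH_PRIORITY = 1000  # assumed threshold for "high priority"; the article gives no number


def triage_manifest(manifest_xml: str) -> list:
    """Return a list of human-readable findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    perms = {p.get(A("name")) for p in root.iter("uses-permission")}
    if {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"} <= perms:
        findings.append("requests RECEIVE_SMS together with INTERNET")
    for rcv in root.iter("receiver"):
        name = rcv.get(A("name"), "")
        if name.startswith("."):          # relative class names are resolved against the package
            name = package + name
        if name == SUSPECT_RECEIVER:
            findings.append(f"registers known receiver {name}")
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(A("name")) for a in flt.iter("action")}
            prio = int(flt.get(A("priority"), "0"))
            if SMS_ACTION in actions and prio >= HIGH_PRIORITY:
                findings.append(f"{name}: SMS_RECEIVED receiver with priority {prio}")
            if BOOT_ACTION in actions:
                findings.append(f"{name}: also listens for BOOT_COMPLETED")
    return findings


# Constructed sample manifest (not taken from any real app) modelling the described behaviour.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name="com.zdtpay.Rf2b">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print("[!]", finding)
```

On a real APK the manifest is binary-encoded and must first be decoded (for example with apktool) before being fed to this function.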

Although only 18,000 applications using the Taomike SDK are known to steal SMS messages at the moment, their number might increase as more developers start using the newer version of the offending library. These applications are not limited to a single developer or third party store, as the advertising platform is highly popular in China.

The researchers at Palo Alto Networks explain that only users in China are affected at the moment, and that those who install software solely from the Google Play store are safe. Additionally, they note that with Android 4.4 KitKat Google started preventing applications from capturing SMS messages if they are not the default SMS application.

Monetization platforms represent a common way of boosting profits, especially since they offer libraries that developers can easily integrate into their applications. However, third-party advertising platforms are not always trustworthy, and developers using such solutions are advised to monitor their programs for abnormal behavior to ensure the safety of their users.

Earlier this month, the Kemoge malicious adware campaign was found infecting Android users in 20 countries through popular Android apps, including browsers, calculators, games, device lockers and sharing tools. Last month, a sophisticated CAPTCHA-bypassing Android malware was discovered in games and apps in Google Play, estimated to have caused over $250,000 in losses.
