18,000 Android Apps spy on your SMS messages

As mobile phone owners we rarely stop to ask: “Where did my application come from? What platforms does it use?” Both questions tie into a third: “What permissions does my application require?” Sadly we rarely think about any of these questions, and so we trust the market store to do the necessary due diligence for us.

https://www.youtube.com/watch?v=NXXh70uR7XA

The Taomike SDK (Software Development Kit) has been used to produce over 63,000 Android applications and is one of the biggest mobile advertisement solutions in China. It is popular because it helps developers display ads in their mobile apps and generate revenue. According to researchers at Palo Alto Networks, circa 18,000 Android apps built with the Taomike SDK contain malicious code that spies on the user’s SMS messages.

The security researchers gave the following details:

  • The samples that contain the embedded URL, hxxp://112.126.69.51/2c.php perform such functions.
  • The software uploads SMS messages to the above URL; the IP address belongs to the Taomike API server, which is also used by other Taomike services.
  • More than 63,000 Android apps in WildFire (we’ll get to that) include the Taomike library, but around 18,000 Android apps include the SMS stealing functionality since August 1, 2015.
  • Some of the infected apps even contain or display adult content.

“WildFire” is Palo Alto Networks’ own cloud-based service that integrates with the Palo Alto firewall and provides detection and prevention of malware. The report does not state how Taomike is utilising the stolen messages. In Android version 4.4 (KitKat), Google began preventing apps from capturing SMS messages unless they were defined as the “default” SMS app.

The Taomike library in question has been dubbed ‘zdtpay’, a component of the Taomike IAP (in-app purchase) system. This library requires both SMS and network-related permissions when the app is installed from an app store such as Google Play. The library also registers a receiver named com.zdtpay.Rf2b for both the SMS_RECEIVED and BOOT_COMPLETED actions. Rf2b reads each message as it arrives on the phone and collects both the message body and the sender. If the device is rebooted, the MySd2e service is started, which registers a receiver for Rf2b again.

The SMS information collected by the receiver is stored in a hashmap with ‘other’ as the key and then passed to a method that uploads the message to the 112.126.69.51 address. The research states that the malicious library used by Taomike blindly fetches and uploads every SMS message received by a compromised phone, with no apparent legitimate purpose or use for the data.
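As an added defender-side example (not code from the article or from Palo Alto Networks), the following script triages a decoded AndroidManifest.xml for the combination described above: SMS plus network permissions together with a receiver that listens for both SMS_RECEIVED and BOOT_COMPLETED. The sample manifest is constructed for this example; only the receiver class name com.zdtpay.Rf2b comes from the report.

```python
# Triage heuristic for the SMS-stealing pattern described above: flags a
# decoded AndroidManifest.xml (e.g. from apktool) that combines SMS + network
# permissions with a receiver hooking both SMS_RECEIVED and BOOT_COMPLETED.
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
KNOWN_RECEIVER = "com.zdtpay.Rf2b"  # receiver class named in the report


def triage_manifest(xml_text):
    """Return the indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    # Map each receiver class name to the set of intent actions it registers.
    receivers = {r.get(NAME): {a.get(NAME) for a in r.iter("action")}
                 for r in root.iter("receiver")}
    return {
        "sms_permission": bool(perms & SMS_PERMS),
        "network_permission": "android.permission.INTERNET" in perms,
        "sms_and_boot_receivers": sorted(n for n, a in receivers.items()
                                         if SMS_ACTION in a and BOOT_ACTION in a),
        "known_zdtpay_receiver": KNOWN_RECEIVER in receivers,
    }


def is_suspicious(result):
    """SMS + network permissions plus a receiver that survives reboot."""
    return bool(result["sms_permission"] and result["network_permission"]
                and (result["sms_and_boot_receivers"] or result["known_zdtpay_receiver"]))


# Constructed sample: a benign-looking app bundling the described receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name="com.zdtpay.Rf2b">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    r = triage_manifest(SAMPLE_MANIFEST)
    print(r, "-> SUSPICIOUS" if is_suspicious(r) else "-> clean")
```

The permission-plus-receiver combination is a heuristic for triage, not proof of malice; a legitimate SMS app will also match and needs manual review.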

The users who are not at risk from this SMS-stealing library are:
  • Users in countries other than China.
  • Users who download apps only from the official Google Play store.

There may be a message here.