Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
26 Oct 2015

SMS stealing library found in Android applications

Roughly 18,000 Android applications built using the Taomike SDK, one of the largest mobile advertisement solution platforms in China, have been found to include SMS theft functionality.

The Taomike SDK, which helps developers display advertisements in their mobile apps, has been used in over 63,000 Android apps, but only around 18,000 of them have been observed to exhibit the message stealing functionality, according to Palo Alto Networks, which made the discovery.

The security firm also notes that these applications have been grabbing copies of all messages sent to infected devices since August 1. The applications are being distributed through third-party mechanisms in China and are not available in the Google Play store, and all of them include a specific library that enables the malicious behavior. This is the “zdtpay” SDK library, a component of Taomike’s in-app purchases (IAPs) system, which has been designed to capture all messages from the affected device and send them to the company’s servers.

According to Palo Alto Networks, only a newer version of the Taomike SDK appears to include the nefarious library, namely those released around August 2015. Earlier SDK releases should be safe, given that they include the older version of the library, which explains why only some of the applications built with the SDK are compromised.

The SMS stealing functionality has been found inside applications that contain the embedded URL hxxp://112.126.69.51/2c.php, which is the address to which the stolen messages are uploaded. The IP address in the URL belongs to the Taomike API server, and the company uses the server for other services as well. The offending library was found to request both network and SMS access permissions, and to register a receiver named com.zdtpay.Rf2b for the SMS_RECEIVED and BOOT_COMPLETED actions with high priority. The receiver Rf2b reads messages as soon as they arrive and collects both the message body and the sender, the security firm said.

Additionally, if the device is rebooted, the MySd2e service is started to re-register the Rf2b receiver. All of the collected SMS information is saved in a hashmap with “other” as the key and is uploaded to the 112.126.69.51 IP address. All of the messages received by the device are collected and uploaded, not only those that are relevant to the advertising platform.
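The behaviour described above leaves a recognisable footprint in an app's decoded manifest and string table: SMS and network permissions together, a broadcast receiver for SMS_RECEIVED registered at high priority, the same receiver (or a companion service) hooking BOOT_COMPLETED for persistence, and the upload server address embedded as a string. The following static triage script is an added example, not code from the article or from Palo Alto Networks. It assumes the manifest has already been decoded to plain XML (as apktool produces) and that the app's string constants are available as a list; the sample manifest and strings are constructed here from the indicators the report gives (receiver name, service name, actions, upload IP), and the numeric priority value in the sample is made up.

```python
"""Static triage of a decoded AndroidManifest.xml and string table for the
SMS-interception pattern described in the report: high-priority SMS_RECEIVED
receiver, boot persistence, SMS + network permissions, known upload server.
Added detection example; not the article's or the vendor's own code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NET_PERMISSION = "android.permission.INTERNET"
# Indicators taken from the report: the upload server IP and the receiver's package.
INDICATOR_IP = "112.126.69.51"
INDICATOR_PACKAGE_PREFIX = "com.zdtpay."
# Heuristic threshold (assumption): ordinary apps rarely need an SMS receiver
# priority this high; malware uses it to see a message before the SMS app does.
PRIORITY_THRESHOLD = 1000


def _to_int(value):
    """apktool may emit priorities as decimal or hex; accept both."""
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def parse_manifest(xml_text):
    """Extract permissions and receivers (name, max priority, actions) from the manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    receivers = []
    for r in root.iter("receiver"):
        actions, priority = set(), 0
        for f in r.iter("intent-filter"):
            priority = max(priority, _to_int(f.get(ANDROID_NS + "priority", "0")))
            actions |= {a.get(ANDROID_NS + "name") for a in f.iter("action")}
        receivers.append({"name": r.get(ANDROID_NS + "name"),
                          "priority": priority, "actions": actions})
    return {"permissions": perms, "receivers": receivers}


def assess(manifest, strings=()):
    """Return a list of finding labels; an empty list means no pattern matched."""
    findings = []
    perms = manifest["permissions"]
    if (perms & SMS_PERMISSIONS) and NET_PERMISSION in perms:
        findings.append("sms-permission-with-network: app can read SMS and reach the network")
    for r in manifest["receivers"]:
        listens_sms = SMS_RECEIVED in r["actions"]
        if listens_sms and r["priority"] >= PRIORITY_THRESHOLD:
            findings.append(f"high-priority-sms-receiver: {r['name']} (priority {r['priority']})")
        if listens_sms and BOOT_COMPLETED in r["actions"]:
            findings.append(f"sms-receiver-with-boot-persistence: {r['name']}")
        if r["name"] and r["name"].startswith(INDICATOR_PACKAGE_PREFIX):
            findings.append(f"known-indicator-receiver: {r['name']}")
    for s in strings:
        if INDICATOR_IP in s:
            findings.append(f"known-indicator-url: {s}")
    return findings


# Constructed sample manifest modelled on the report's description (priority value is made up).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name="com.zdtpay.Rf2b">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name="com.zdtpay.MySd2e"/>
  </application>
</manifest>"""
# Constructed string-table excerpt; the scheme is defanged as in the report.
SUSPICIOUS_STRINGS = ["hxxp://112.126.69.51/2c.php", "other"]

# Constructed benign manifest: network access and a boot receiver, but no SMS handling.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name="com.example.benign.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage(xml_text, strings=()):
    return assess(parse_manifest(xml_text), strings)


if __name__ == "__main__":
    for label, xml, strs in (("suspicious", SUSPICIOUS_MANIFEST, SUSPICIOUS_STRINGS),
                             ("benign", BENIGN_MANIFEST, ())):
        print(label, triage(xml, strs) or "no findings")
```

The permission and receiver checks are generic and will also flag legitimate SMS apps, so treat them as triage signals to be reviewed together; the two indicator checks (receiver package prefix and upload IP) are specific to the library this report describes. On Android 4.4 and later the high-priority receiver still sees the broadcast, but only the default SMS app can write to the SMS provider, which is the platform change the researchers point to as limiting the impact.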

Although only 18,000 applications using the Taomike SDK are known to steal SMS messages at the moment, their number might increase as more developers start using the newer version of the offending library. These applications are not limited to a single developer or third party store, as the advertising platform is highly popular in China.

The researchers at Palo Alto Networks explain that only users in China are affected at the moment, and that those who install software solely from the Google Play store are safe. Additionally, they note that with Android 4.4 KitKat Google started preventing applications from capturing SMS messages if they are not the default SMS application.

Monetization platforms represent a common way of boosting profits, especially since they offer libraries that developers can easily integrate into their applications. However, third-party advertising platforms are not always trustworthy, and developers using such solutions are advised to monitor their programs for abnormal behavior to ensure the safety of their users.

Earlier this month, the Kemoge malicious adware campaign was found infecting Android users in 20 countries through popular Android apps, including browsers, calculators, games, device lockers and sharing tools. Last month, a sophisticated CAPTCHA-bypassing Android malware was discovered in games and apps in Google Play, estimated to have caused over $250,000 in losses.

Tags: Android, SMS, China, information leaks
Source: SecurityWeek