18,000 Android Apps include SMS stealing Library

Nearly 18,000 Android apps built using the Taomike SDK, and used in China, have been found to include a malicious SMS stealing library.

Bad news for Android users: according to Palo Alto Networks, nearly 18,000 Android applications built using the Taomike SDK have been found to include an SMS stealing library.

The Taomike SDK is one of the largest mobile advertising platforms in China; it allows developers to include advertising functionality in their mobile apps. It is estimated to have been used to build advertising channels in over 63,000 Android apps.

What is more, the experts at Palo Alto Networks noticed that the infected apps had been making copies of all messages sent to the compromised devices since August 1st.

The infected apps are being distributed through third-party stores in China and include the malicious “zdtpay” SDK library. The SMS stealing library is a component of Taomike’s in-app purchases (IAPs) system that has been designed to capture incoming messages on the mobile device.

“We recently identified that the Chinese Taomike SDK has begun capturing copies of all messages received by the phone and sending them to a Taomike controlled server. Since August 1, Palo Alto Networks WildFire has captured over 18,000 Android apps that contain this library. These apps are not hosted inside the Google Play store, but are distributed via third party distribution mechanisms in China,” states Palo Alto Networks.

The experts discovered that only a newer version of the Taomike SDK includes the library; earlier SDK releases are not affected.

In particular, only applications containing the embedded URL hxxp://112.126.69.51/2c.php include the malicious library; it is important to note that this address belongs to the Taomike API server.

The SMS stealing library requests network and SMS access permissions from the user; it also registers a receiver named com.zdtpay.Rf2b for both the SMS_RECEIVED and BOOT_COMPLETED actions with the highest possible priority, 2147483647.

The receiver Rf2b intercepts all incoming messages and collects both the message body and the sender.

The researchers at Palo Alto Networks pointed out that users with devices running Android 4.4 KitKat are safe, because the OS prevents applications that are not the default SMS app from capturing SMS messages.
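The receiver pattern described above (an SMS_RECEIVED and BOOT_COMPLETED receiver registered at the maximum priority, alongside SMS permissions) is easy to flag during static triage of a decoded AndroidManifest.xml. The script below is an added example, not code from the article or from Palo Alto Networks; the manifest it parses is constructed, with the receiver name and priority taken from the article and the package name and other entries made up.

```python
# Added example: triage an AndroidManifest.xml for high-priority SMS receivers.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
MAX_PRIORITY = 2147483647  # Integer.MAX_VALUE, the priority named in the article
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Constructed sample manifest (as produced by a decoding tool such as apktool).
# The receiver com.zdtpay.Rf2b and its priority come from the article; the
# package name and the benign receiver are invented for the example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name="com.zdtpay.Rf2b">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.game.UpdateCheck">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def attr(elem, name):
    """Read an android:-namespaced attribute (ElementTree stores it as {uri}name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_sms_receivers(manifest_xml, min_priority=1000):
    """Return one record per receiver that listens for SMS_RECEIVED at or above
    min_priority, noting whether it also survives reboot and whether the app
    actually holds an SMS permission (without it the receiver gets nothing)."""
    root = ET.fromstring(manifest_xml)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    hits = []
    for rcv in root.iter("receiver"):
        for filt in rcv.findall("intent-filter"):
            actions = {attr(a, "name") for a in filt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            prio = int(attr(filt, "priority") or 0)
            if prio >= min_priority:
                hits.append({"receiver": attr(rcv, "name"), "priority": prio,
                             "boot_persistent": BOOT_COMPLETED in actions,
                             "sms_permission": bool(perms & SMS_PERMISSIONS)})
    return hits


if __name__ == "__main__":
    for hit in find_sms_receivers(SAMPLE_MANIFEST):
        print(hit)
```

A priority of 2147483647 is not proof of malice on its own, but combined with BOOT_COMPLETED and a non-default SMS app it is the signature worth escalating for manual review.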

Many app developers try to monetize their efforts by including advertising libraries in their code; however, third-party advertising platforms can be abused to serve malicious code to a large number of devices.

Earlier this month, experts at FireEye discovered another piece of malicious code, the Kemoge adware, which once again targeted Android users in dozens of countries.

The Kemoge malware is packaged with various popular Android apps such as games, calculators and device lockers, which are then uploaded to third-party app stores. The threat actors behind the campaign promoted the trojanized apps through in-app ads and download links posted on various websites.

Pierluigi Paganini

(Security Affairs – Android, SMS stealing library)
