A large number of third-party Android apps have reportedly been discovered grabbing copies of all text messages received or sent to infected devices and sending them to the attackers' server.

More than 63,000 Android applications use Taomike SDK – one of the biggest mobile advertisement solutions in China – to help developers display ads in their mobile apps and generate revenue.

However, around 18,000 of these Android apps contains a malicious code that spy on users text messages, according to researchers at Palo Alto Networks, who made the discovery.

Taomike provides a Software Development Toolkit (SDK) and services to the Android app developers using which they can:
  • Displaying advertisements to users
  • Offer in-app purchases (IAPs)

Android Apps Stealing SMS Messages

Focussing on distributing the app and techniques for building revenue, "Not all apps that use the Taomike library steal SMS messages," security researchers said.

The security researchers gave the following details:
  • The samples that contain the embedded URL, hxxp:// performs such functions.
  • The software sends SMS messages as well as the IP address belongs to the Taomike API server used by other Taomike services to the above URL.
  • More than 63,000 Android apps in WildFire include the Taomike library, but around 18,000 Android apps include the SMS stealing functionality since August 1, 2015.
  • Some of the infected apps even contain or display adult content.

"Wildfire" is Palo Alto Networks own cloud-based service that integrates with the Palo Alto Firewall and provides detection and prevention of malware.
It is still unclear how Taomike is using the stolen SMS messages; however, no library should copy all messages and send them to a system outside the device.

In Android version 4.4 (KitKat), Google began preventing apps from capturing SMS messages unless they were defined as the "default" SMS app.

How Does the Spying Attack Work?

The Taomike library, dubbed 'zdtpay', is a component of Taomike's IAP system.

This library requires both SMS and network related permissions while downloading an app. The library also registers a receiver name com.zdtpay.Rf2b for both SMS_RECEIVED and BOOT_COMPLETED actions.

The receiver Rf2b reads the messages as soon as they arrive in the phone and then collects both the message body as well as the sender.

Also, if the device is rebooted, the MySd2e service is started to register a receiver for the Rf2b.

SMS message information collected by the receiver is stored in a hashmap with 'other' as the key and then sent to a method that uploads the message to address.
The researchers claim that the library is blindly fetching and uploading all SMS messages received by infected phone and not just those that are relevant to Taomike's platform.

The users who are not at risk because of this SMS Stealing library are:
  • Users from other countries than China.
  • Users that download apps only from the official Google Play store.
As this threat is discovered with the current update of the library, researchers said that this SMS uploading behavior is not present in the earlier versions of the SDKs.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.