Researchers at Palo Alto Networks have come up with yet another story of Android malvertising. They report that WildFire, the company's cloud-based malware analysis environment, has captured over 18,000 Android apps that contain a Chinese SDK. What makes this news? The SDK in question steals Android users' SMS messages and sends them to a server controlled by the company that publishes the SDK.

The Chinese Taomike SDK has been under WildFire's surveillance since August 1. The affected apps use the SDK as a monetization platform for their developers. These apps are not hosted on the Google Play Store but are distributed through third-party distribution channels in China.

Monetization is a necessary part of Android apps, since it is how a developer or company earns revenue from them. Two kinds of monetization are common today: advertisement displays and in-app purchases (IAPs). IAPs made through the conventional process are not harmful, but IAPs that rely on SMS are. Palo Alto has already warned users about this threat.

Taomike SDK is one of the largest mobile monetization platform solutions in China. Over 63,000 apps have been found using the SDK, but only 18,000 of them exhibit the SMS-stealing behavior. The "zdtpay" library in the Taomike SDK, a component of its IAP system, is said to be responsible for the malicious behavior: it is specifically designed to capture all messages on the Android device and send them to the company's servers.

According to the security firm, only the latest version of the SDK has been found to be infected; previous versions are, as of now, considered safe because they include the previous version of the library.

Technical Details

The SMS-stealing functionality has been found inside applications that contain the embedded URL hxxp://112.126.69.51/2c.php, the address to which the stolen messages are uploaded. The IP address in the URL belongs to the Taomike API server, which the company also uses for other services.

The offending library requests both network and SMS access permissions and registers a receiver named com.zdtpay.Rf2b for the SMS_RECEIVED and BOOT_COMPLETED actions with high priority. The Rf2b receiver reads messages as soon as they arrive and collects both the message body and the sender, the security firm said.

Additionally, if the device is rebooted, the MySd2e service is started to register a receiver for Rf2b. All of the collected SMS information is saved in a hashmap with "other" as the key and is uploaded to the 112.126.69.51 IP address. Every message received by the device is collected and uploaded, not only those relevant to the advertising platform.
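As an added, defender-side illustration (this is not code from the Palo Alto Networks report or from the Taomike SDK), the following Python script triages a decoded AndroidManifest.xml plus a strings dump for the indicators described in the three paragraphs above: a broadcast receiver whose intent filter handles SMS_RECEIVED with high priority and also BOOT_COMPLETED, the combination of SMS and INTERNET permissions, and a reference to the upload host. The two manifests and the strings list are constructed samples; the receiver and service names and the IP address are the ones the report names, while the priority threshold and the scoring rule are assumptions of this example.

```python
"""Static triage of a decoded AndroidManifest.xml for the SMS-interception
pattern described in the report (added example, not the vendor's tooling)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PRIORITY = "{%s}priority" % ANDROID_NS

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NET_PERMISSION = "android.permission.INTERNET"
HIGH_PRIORITY = 999          # assumption: above the normal range counts as "high"
UPLOAD_HOST = "112.126.69.51"  # upload address named in the report

# Constructed sample: mirrors the receiver/service names from the report.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.affectedapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name="com.zdtpay.Rf2b">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name="com.zdtpay.MySd2e"/>
  </application>
</manifest>
"""
SAMPLE_STRINGS = ["hxxp://112.126.69.51/2c.php", "other"]  # constructed strings dump

# Constructed benign sample: boot receiver, network access, no SMS handling.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name="com.example.notes.SyncAlarm">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _priority(value):
    """Parse android:priority (decimal or hex); a missing attribute means 0."""
    try:
        return int(value, 0)
    except (TypeError, ValueError):
        return 0


def analyze_manifest(xml_text, strings=()):
    """Return the SMS receivers found, the individual findings, and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ATTR_NAME) for p in root.iter("uses-permission")}
    findings, sms_receivers = [], []
    high_priority_sms = False

    for receiver in root.iter("receiver"):
        rname = receiver.get(ATTR_NAME, "<unnamed>")
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(ATTR_NAME) for a in flt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            sms_receivers.append(rname)
            prio = _priority(flt.get(ATTR_PRIORITY))
            if prio >= HIGH_PRIORITY:
                high_priority_sms = True
                findings.append(f"{rname}: SMS_RECEIVED filter with priority {prio}")
            if BOOT_COMPLETED in actions:
                findings.append(f"{rname}: same filter also handles BOOT_COMPLETED")

    if sms_receivers and perms & SMS_PERMISSIONS and NET_PERMISSION in perms:
        findings.append("SMS receiver combined with SMS and INTERNET permissions")

    hits = [s for s in strings if UPLOAD_HOST in s]
    if hits:
        findings.append(f"reference to upload host {UPLOAD_HOST}: {hits[0]}")

    # Scoring rule (assumption): a high-priority SMS receiver in an app that can
    # reach the network, or any reference to the known upload host, is flagged.
    suspicious = (high_priority_sms and NET_PERMISSION in perms) or bool(hits)
    return {"sms_receivers": sms_receivers, "findings": findings,
            "suspicious": suspicious}


if __name__ == "__main__":
    for label, manifest, strs in (("sample", SAMPLE_MANIFEST, SAMPLE_STRINGS),
                                  ("benign", BENIGN_MANIFEST, ["https://example.com/sync"])):
        result = analyze_manifest(manifest, strs)
        print(label, "suspicious" if result["suspicious"] else "clean")
        for line in result["findings"]:
            print("  -", line)
```

The script flags candidates for analyst review rather than delivering a verdict: a legitimate messaging app also registers SMS_RECEIVED at high priority, so the next step on a flagged sample is to confirm whether the app is the device's default SMS application and where the collected data goes, which is exactly the distinction the KitKat change discussed later relies on.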

Although the number of affected devices is currently small, the researchers expect it to rise as developers adopt the newer version of the SDK.

These applications are not limited to a single developer or third party store, as the advertising platform is highly popular in China.

The researchers at Palo Alto Networks explain that only users in China are affected at the moment, and that those who install software solely from the Google Play store are safe. Additionally, they note that with Android 4.4 KitKat Google started preventing applications from capturing SMS messages if they are not the default SMS application.