Malware

Chinese Taomike Monetization Library Steals SMS Messages

Clock Icon 5 min read
Related Products

Mobile app creators are often looking for ways to monetize their software. One of the most common ways to do this is by displaying advertisements to users or by offering in-app purchases (IAPs). Mobile monetization platforms create software libraries that authors can embed into their apps to start earning money quickly. We previously highlighted the dangers of installing apps that enable IAPs using SMS messages, as these apps typically have access to all SMS messages sent to the phone.

While not all SMS-based IAP applications steal user data, we recently identified that the Chinese Taomike SDK has begun capturing copies of all messages received by the phone and sending them to a Taomike controlled server. Since August 1, Palo Alto Networks WildFire has captured over 18,000 Android apps that contain this library. These apps are not hosted inside the Google Play store, but are distributed via third party distribution mechanisms in China.

Background

WildFire captures many samples of mobile malware that intercept and upload SMS messages. Most of these are created by malware authors who set up command and control (C2) servers with third party hosting providers and frequently update their locations to avoid detection.

Among these malware we have found many that are created by “mobile monetization” companies who distribute apps that provide little value but have a high cost to the user. These apps are often installed by tricking users into clicking a pop-up, only to find later that a charge has appeared on their phone bill. Antivirus programs typically identify these apps as malware, the topic of this blog is something different and harder to detect.

Taomike is a Chinese company that aims to become the biggest mobile advertisement solution platform in China. They provide an SDK and services to help developers display rich advertisements with a high pay rate. Taomike has not previously been associated with malicious activity, but a recent update to their software added SMS theft functionality. The apps this library is embedded in may be legitimate and have significant functionality, but their developer’s choice to use this library has put them at risk.

Technical Details: SMS Theft

Not all apps that use the Taomike library steal SMS messages. Our analysis indicates that only samples that contain the embedded URL, hxxp://112.126.69.51/2c.php have this functionality. This is the URL to which the software uploads SMS messages, and the IP address belongs to the Taomike API server used by other Taomike services. We have captured around 63,000 Android apps in WildFire that include the Taomike library but only around 18,000 include the SMS theft functionality.  

We believe there are different versions of the Taomike SDK and only some of them include SMS uploading behavior. Based on our data, the version that contains the SMS stealing functions is newer and was released around August 2015. Apps that use earlier versions of the library appear to be safe.

The Taomike library is called “zdtpay” and is a component of Taomike’s IAP system.

Toamike 1

Because Android apps are required to list the permissions they need in their manifest file, we can see that this library requires both SMS and network related permissions. The library also registers a receiver named com.zdtpay.Rf2b for both the SMS_RECEIVED and BOOT_COMPLETED actions with highest priority of 2147483647.

Toamike 2Figure 1. Registered receiver for SMS_RECEIVED

The registered receiver Rf2b reads SMS messages whenever they arrive. The message body and sender phone number are collected as shown in Figure 2.

Toamike 3Figure 2. SMS body and sender number read

If the device has just booted, it will start the service MySd2e, which then registers a receiver for Rf2b as shown in Figure 3.

Toamike 4Figure 3. MySd2e Service registers receiver for Rf2b

SMS information collected by the receiver is saved in a hashmap with “other” as the key and sent to a method that uploads the message to 112.126.69.51 as shown in Figure 4.

Toamike 5Figure 4. Information uploaded to IP Address used by api.taomike.com

All SMS messages sent to the phone are uploaded, not just those that are relevant to Taomike’s platform. Figure 5 shows a packet capture of a test message upload. The message content is “hey test msg” as circled with dashed red box.

Toamike 6Figure 5. SMS uploaded via HTTP in pcap

The Taomike library makes contact with the following URLs, but only the “2c.php” path is used to capture SMS messages. The rest appear to be used for other parts of the IAP functionality in the library.

  • http://112.126.69.51/2c.php
  • http://112.126.69.51/imei_mobile.php
  • http://112.126.69.51/install_report.php
  • http://112.126.69.51/error.php
  • http://112.126.69.51/rixian.php
  • http://112.126.69.51/order_mo.php
  • http://112.126.69.51/order.php
  • http://112.126.69.51/order_status.php
  • http://112.126.69.51/tdstatus.php

Risks and Mitigation

We have captured over 18,000 samples that contain the SMS stealing library since August 2015, meaning the number of affected users is considerable. We expect the number of affected apps and users to increase as more developers incorporate the newer version of Taomike library.

The infected apps are not limited to a single developer or third party store as many developers appear use the Taomike library. Some of the infected apps purport to contain or display adult content.

We do not know how Taomike is using the stolen SMS messages, but no library should capture all messages and send them to a system outside the phone. In version 4.4 of Android (KitKat) Google began preventing apps from capturing SMS messages unless they were defined as the “default” SMS app.

Users outside of China and those that only download apps from the official Google Play store are not at risk from this threat.

To protect Palo Alto Networks customers from the Taomike SMS stealer, we’ve made the following protections available:

  • Palo Alto Networks WildFire will automatically identify and block malicious APK samples containing the SMS stealing Library
  • Threat Prevention signature 14798 will detect and block the malicious C2 communication, including the SMS upload traffic from Taomike library
  • Palo Alto Networks AutoFocus users can identify and investigate this threat using the Taomike tag

Conclusion

Even popular third party monetization platforms are not always trustworthy. When developers incorporate the libraries into their apps they need to carefully test them and monitor for any abnormal activities. Identifying monetization and advertising platforms that behave poorly and abuse their users is something that our industry must to do ensure the safety of all mobile devices and their users.

Acknowledgement

We greatly appreciate the help from Rongbo Shao from Palo Alto Networks in working on the Threat Prevention signature. We would also like to thank Ryan Olson, Benjamin Small, Richar Wartell, and Chris Clark from Palo Alto networks in publishing the discovery.

Related Sample Hash Values

d378409c7998dfc7d6688bd63831e54e293571cc96f6c5cc72981d9d9612daff
5cde5e36084a79de18d759be1b9d8017d4e2a3928cf429bcc633aedf03258bf3
71ff99dc77806ee0ee224ba3084bdf35aff5d75d58eee5cc3450ef1465b470fb
60d096c70cb3f799ffbbd91969165d40c2082ec2a48a1de4443ffa3da8a6f393
ea5023931f861f72c0125c2d945461130261f0e324393404a1e4387922315849
e9cd3684eae35d625887c731ca0e4734e8ff130811e081b67fdfcb10c0c20356
db7168198db54e040bc78e65c7d73f85b1bdfb8ba593201a1bfb1546ad4a9f09
c15a7f073e3d896b973c49d573d3836eab4992edc5493398b96885f16136de27
ad2e55a9fd2e2a75482342f67494f3ec7e0abd9385351b60c1b46c03032b7ab9
0b2efa549eec0fbf137475b5b8ca4832bcf2aaede29620b34581c5f9b8864104
3170e767ec86bec448fe78a3e6484b65048d09f579cf1276adc2c66f8a9ba8d2
8b3338b56178ae4517cf0de35189e5174d678af46bf691120011881094831f81
f08ab9b52324af7f70e9cd8a0ce376ff0191f22a3c87ded057a1d514de042d1b
60fec234fece534b6400d35844353158c54b49de9357f8d015e36c2053c465e5
76a0233fb468a219399df0f6dfcf20e53addd554e0f0857f2c6626d0a831e30e
cdcaced59f254acb13b830b9d64108029f1f44652fbba0f0d07b73e5bd733629
57c101e7e0b6adb0725241fa2e58f689e12ef76b837b3e631734b2ad8d85595c
c6bf1e7764e4dfa0b9f148089236e9edff914e1d022cf93776b834de1eb8e39c
99a4907b74574d2bbaeb83360da8f8b3b29805b941bc2b61f02f0e089e393225
5101e244452973f7bf54b1d21c67ce60f39961ecebb760f3bb22da09b8c197b8
5e4456ae3dc3f4241263448557a5107a934b2ff661d509de42d02a91f71cc18d
00776dbed469bb55afabfe94c70f4e09680fed9fadd69e1e415abcbdae7298f0
e9345cce7994d2b3cc23ed6fe8f744530f893c3c3d20c1d08ed99d0e1d7dab44
7e79bfe4642fb44742794d35cfa77553a2382aed23766dc5cf42ae0f05d166ab
a5a6cfc594a0891b0175ad6c79bee6d3654792e39f92f9b446e3764c5d6e5beb
3297a82541e0ba9b2e6c3c980b50b623503c9c22dfc79a97d843a4a457d71cff
23a944c5f58fb5aff1d5532b99ec5749db63ce373562da96e6747d5442a6cc79
209cada39642c581ca7732aa4695e885bc9e330d1f268890ed5439e643830df1
1c556aca39778255cdea10a4309a3b9f9790ccab7edd38ef04f80b0490942024
10459c84a7b7e0a76d3a22f5555f1628c8ffc0916d9b89952e817e97996156de
0f271cf83acc69aa831d4fb1688fee9a518ef86fbaf10b79337ad1408e2b18cd
41f5d3cf5d060914acadbbae8b26274e841a697edcf264240d46fd0519322ab8
17f1c075bc3a01c64d662bc470d2bbf20beffb3e2688f9e36ceefdc2b970ba18
06774c5288fb1d313d1e499b8a864b6dc35534f6707969bded8d3a8298460fbb
01728f7040d049f40b52bcf2380913cf88b4a43a4872abd72baf2a27b0b1b868
53323667a4a55b6d5d97db9bb629cfd7139b2f4d1f435f09882009c51d7ee85c
4a4fab4f13e44a4cc428a5efcc7b23523b7c9ebaa6cc3ca9de7b93d4aa44cc3f
4b0b177836ef763640c4f7d959e294bea464c9d68e5e32f125d4789c7370fe5d
231afbc703b0dea14f6d8830dddc1cfb7ae788f3037767fea0a7f7a91d041401
3677dfe67ba6e6c1ea342cc02c20182d948d05b218825d6f73f574637af6c3b1
7559f844a850ab2fc5a1c1731f6f29b9417a243674d5dbc77f6e5ab292a1f99f
ab8f77d54effa0efcf57ae28242439a3c5176f71a1ca043e61b9849482e7c512
789edaf569e41ad1dbe76d8a65647bce347e8367e76f95b7395ca9e8d101ddfd
abc7129f6ad5d30f146915e3be2041dc7516f4049eb20dca33040bc46ce72498
e37cdc1747dc39ccb3cc411b96e9b6d53d7c4da11933d0612173cf26a8f8c5f3
6ed47b7564c6e015cfe9c21d5aefdc555a8734cf6c85bf2929bf4331bb43084a
78940a88e6777b5daf001978eb16ac47ca152fa61016d62d5341eaaf8c037e6f
2631329044f0ef151ff21ccd24bb539cadc5a3b4f5c14bfda32b546d53c2f8f5
868db42e6c7c59df87ab615f6167a1fb581ceb044d3aa934468ca124a3895d05
81f26e2d2388e0eed8a5ca135b7855f9470ec8e2897df051823dcc04b880657b

 

Enlarged Image