The SMS stealing described here traces back to a component called Taomike SDK, which is provided to Android developers for displaying ads in their apps.
Taomike SDK is one of the largest advertisement providers in China. Android developers embed it to serve ads inside their apps and to offer IAPs (in-app purchases), and this is how those developers generate revenue.
WHAT REALLY IS HAPPENING
What has been found is that newer versions of Taomike SDK bundle a malicious SMS stealing library as part of the in-app purchase functionality.
Once the user taps one of these infected in-app purchase options, the SMS stealing library does what it is designed to do: steal incoming messages from that particular device.
These stolen messages are then uploaded to the Taomike API server.
Over 63,000 Android apps reportedly use the Taomike SDK (software development kit).
About 18,000 of these 63,000 Android apps are estimated to be infected with the SMS stealing library.
WHAT PALO ALTO RESEARCHERS SAY
“We recently identified that the Chinese Taomike SDK has begun capturing copies of all messages received by phone and sending them to a Taomike controlled server. Since August 1, Palo Alto Networks WildFire has captured over 18,000 Android apps that contain this library. These apps are not hosted inside the Google Play store, but are distributed via third party distribution mechanisms in China.”
Researchers at Palo Alto Networks report the following findings from their study.
- Only the Android apps that contain the embedded URL hxxp://126.96.36.199/2c.php contain the SMS stealing library.
- The stolen messages are uploaded to this URL.
- The IP address in this URL belongs to the Taomike API server.
- Some of these IAPs also serve adult content.
However, little is known about what Taomike really does with the stolen messages.
The good news is that on Android 4.4 and above, Google can prevent apps from capturing user SMS messages unless they are set as the “default” SMS app.
The malicious SMS stealing library is also present only in the newer versions of Taomike SDK; all of its previous versions are safe.
HOW THE MALICIOUS TAOMIKE SDK WORKS
The SMS stealing library in Taomike SDK requests both SMS and network access permissions when any of the infected Android apps is installed.
It registers a receiver named com.zdtpay.Rf2b for both the SMS_RECEIVED and BOOT_COMPLETED actions.
Rf2b reads each incoming message, collecting the message body and the sender.
These stolen SMS messages are stored in a HashMap and then passed to a method that uploads them to the 188.8.131.52 address.
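A defender-side check for the behaviour described above, written as an added example (not code from the article or from Palo Alto Networks): it scans an app's AndroidManifest.xml for receivers that listen for SMS_RECEIVED, notes whether they also hook BOOT_COMPLETED (so the receiver is re-armed after a reboot) and whether INTERNET permission is declared (so the messages could be uploaded). The manifest below is constructed for the example and only reuses the receiver name com.zdtpay.Rf2b from the article.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
INTERNET = "android.permission.INTERNET"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Receiver name reported in the article; anything else is flagged on behaviour alone.
KNOWN_RECEIVER = "com.zdtpay.Rf2b"

# Constructed sample manifest (not taken from a real app), modelled on the
# article's description: one receiver registered for both actions.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name="com.zdtpay.Rf2b">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def find_sms_receivers(manifest_xml):
    """Return one record per receiver that listens for SMS_RECEIVED, with the
    facts a reviewer needs to decide whether it looks like an SMS stealer."""
    root = ET.fromstring(manifest_xml.strip())
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = []
    for recv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in recv.iter("action")}
        if SMS_RECEIVED not in actions:
            continue
        name = recv.get(ANDROID_NS + "name")
        findings.append({
            "receiver": name,
            "known_indicator": name == KNOWN_RECEIVER,
            "persists_across_reboot": BOOT_COMPLETED in actions,
            "has_sms_permission": bool(perms & SMS_PERMS),
            "can_upload": INTERNET in perms,
        })
    return findings
```

A receiver that combines all four flags is worth a closer look even when its name is not the one reported here, since the behaviour, not the class name, is what matters.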
TO WHOM IS TAOMIKE SDK NOT A THREAT?
Users who live outside of China, and users who download Android apps (paid or free) only from the Google Play Store.
WHAT NOT TO DO
Rip-off app stores like Blackmart offer paid Play Store Android apps free of cost. But such too-good-to-be-true app stores come with a lot of bugs and threats, such as the SMS stealing library in Taomike SDK.
Hence it is highly suggested to refrain from using such app stores.