Alert! Over 18,000 Android apps are stealing your text messages

Source: Internet
Author: User
Tags: palo alto networks

Mobile app developers face the unavoidable question of how to make money, and the most common answer is to add ads to the app. Ad networks build function libraries (SDKs) that developers embed in their apps to start earning quickly. We have previously emphasized the dangers of installing apps that use certain IAP (in-app purchase) SDKs, because those SDKs are usually able to read every text message sent to the user's phone.

Background information

Many of the mobile malware samples captured by WildFire intercept and upload text messages. Most of them come from developers who set up a command-and-control server on a third-party host and frequently change its location to evade detection.

Taomike is a Chinese company whose goal is to become China's largest mobile advertising solution platform. It provides an SDK and a service that help developers display rich advertising content. Earlier versions of the Taomike SDK showed no malicious behavior, but a recent update added a feature that steals SMS messages. Embedding the SDK in an app should be legitimate, and it offers important features, but developers who choose the Taomike SDK are putting themselves in a dangerous situation.

Technical details

Not all applications that use the Taomike SDK steal user text messages; our analysis suggests that only samples with the embedded URL hxxp://112.126.69.51/2c.php have this feature. This URL is the address the SMS messages are uploaded to, and the IP address belongs to the Taomike API service. Of the 63,000 Android apps we captured, 18,000 contain this SMS-stealing feature.

We believe there are many versions of the Taomike SDK, and only some of them upload users' text messages. Based on our data, the SMS-stealing capability exists only in the new version released in August 2015; previous versions of the SDK do not have it, so users of apps built with older versions are safe.

This Taomike library is called "Zdtpay" and is a component of Taomike's IAP system.

The manifest file shows that this library requires SMS and network permissions, and that it registers a receiver named COM.ZDTPAY.RF2B for the SMS_RECEIVED and BOOT_COMPLETED intents.

The messages collected by the receiver are saved to a HashMap and then uploaded to 112.126.69.51.

The Taomike library also connects to the following URLs, but only "2c.php" is used to steal SMS messages; the other paths serve other features of the library.

http://112.126.69.51/2c.php
http://112.126.69.51/imei_mobile.php
http://112.126.69.51/install_report.php
http://112.126.69.51/error.php
http://112.126.69.51/rixian.php
http://112.126.69.51/order_mo.php
http://112.126.69.51/order.php
http://112.126.69.51/order_status.php
http://112.126.69.51/tdstatus.php
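As an added defender-side example (not code from the original report or from Palo Alto Networks), the check below reads an apktool-decoded AndroidManifest.xml and flags receivers that listen for SMS_RECEIVED, records whether they also restart on BOOT_COMPLETED and whether the app holds the SMS and network permissions that make uploading possible, and scans decoded strings (for example from classes.dex) for the 2c.php upload endpoint. The manifest and string list are constructed samples modelled on the behavior described above; the receiver name is taken from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Indicator from the report: only SDK versions that embed this endpoint upload SMS.
SMS_UPLOAD_ENDPOINT = "112.126.69.51/2c.php"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
EXFIL_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"}


def find_sms_receivers(manifest_xml: str) -> list:
    """Return one finding per receiver whose intent-filter(s) include SMS_RECEIVED.

    boot_persistent: the same receiver also handles BOOT_COMPLETED, so it is
    re-armed after every reboot. can_exfiltrate: the app declares both the SMS
    read permission and network access, the combination needed to upload messages.
    """
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = []
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        if SMS_ACTION in actions:
            findings.append({
                "receiver": rcv.get(ANDROID_NS + "name"),
                "boot_persistent": BOOT_ACTION in actions,
                "can_exfiltrate": EXFIL_PERMS <= perms,
            })
    return findings


def find_upload_indicator(strings: list) -> list:
    """Return decoded strings that reference the SMS upload endpoint."""
    return [s for s in strings if SMS_UPLOAD_ENDPOINT in s]


# Constructed sample manifest (not taken from a real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name="COM.ZDTPAY.RF2B">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
# Constructed sample of decoded strings from a dex file.
SAMPLE_STRINGS = ["http://112.126.69.51/order.php", "http://112.126.69.51/2c.php", "imei"]

if __name__ == "__main__":
    print(find_sms_receivers(SAMPLE_MANIFEST))
    print(find_upload_indicator(SAMPLE_STRINGS))
```

Run it against the apktool output directory of an app you are vetting; a receiver that is both boot-persistent and able to exfiltrate, together with the 2c.php string, matches the behavior described in this article.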

Risk and Solutions

We still do not know what Taomike does with the stolen text messages, but a library that harvests SMS messages and uploads them is clearly unacceptable. Since Android 4.4, Google has started to block apps from stealing text messages unless the app is the default text-messaging app.

Users outside China who download apps from the official Google Play store will not be exposed to this threat. (FREEBUF)
