
18,000 Android Apps include SMS stealing Library

Nearly 18,000 Android apps built using the Taomike SDK, and used in China, have been found to include a malicious SMS stealing library.

Bad news for Android users: according to Palo Alto Networks, nearly 18,000 Android applications built using the Taomike SDK have been found to include an SMS stealing library.

The Taomike SDK is one of the largest mobile advertisement platforms in China; it allows developers to include advertising functionality in their mobile apps. It has been estimated that it has been used to build advertising channels in over 63,000 Android apps.

There is more: the experts at Palo Alto Networks noticed that the mobile apps had been making copies of all messages sent to infected devices since August 1st.

The infected apps are being distributed through third-party stores in China and include the malicious “zdtpay” SDK library. The SMS stealing library is a component of Taomike’s in-app purchases (IAP) system that has been designed to capture incoming messages on the mobile device.

“We recently identified that the Chinese Taomike SDK has begun capturing copies of all messages received by the phone and sending them to a Taomike controlled server. Since August 1, Palo Alto Networks WildFire has captured over 18,000 Android apps that contain this library. These apps are not hosted inside the Google Play store, but are distributed via third party distribution mechanisms in China,” states Palo Alto Networks.

The experts discovered that only a newer version of the Taomike SDK includes the library; earlier SDK releases are not affected.

In particular, only the applications containing the embedded URL hxxp://112.126.69.51/2c.php include the malicious library; it is important to note that the address belongs to the Taomike API server.

The SMS stealing library requests network and SMS access permissions from the user, and it registers a receiver named com.zdtpay.Rf2b for both the SMS_RECEIVED and BOOT_COMPLETED actions with the highest possible priority of 2147483647.

The Rf2b receiver is used to access all incoming messages and collects both the message body and the sender.
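The manifest pattern described above (a broadcast receiver registered for SMS_RECEIVED and BOOT_COMPLETED at the maximum int priority) is something an analyst can screen for statically. The following is an added example, not code from the article or from Palo Alto Networks: it parses a decoded AndroidManifest.xml and flags SMS receivers whose priority is suspiciously high. The sample manifest is constructed for illustration; only the receiver name, actions and priority value come from the article, the package name and threshold are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest in decoded form (as apktool or androguard would emit).
# Receiver name, actions and priority are the values reported in the article;
# the package name is made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name="com.zdtpay.Rf2b">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def find_sms_interceptors(manifest_xml, min_priority=1000):
    """Return (receiver_name, priority, boot_persistent) for every receiver that
    listens for SMS_RECEIVED with priority >= min_priority (assumed threshold).
    boot_persistent is True when the same filter also catches BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    prio_attr = "{%s}priority" % ANDROID_NS
    hits = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(name_attr) for a in flt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            try:  # priority may be decimal or hex (0x7fffffff) in decoded output
                priority = int(flt.get(prio_attr, "0"), 0)
            except ValueError:
                priority = 0
            if priority >= min_priority:
                hits.append((receiver.get(name_attr), priority, BOOT_COMPLETED in actions))
    return hits


def has_permission(manifest_xml, permission):
    """True if the manifest declares the given uses-permission."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return any(p.get(name_attr) == permission for p in root.iter("uses-permission"))


if __name__ == "__main__":
    for name, prio, boot in find_sms_interceptors(SAMPLE_MANIFEST):
        print("%s: SMS_RECEIVED priority=%d boot_persistent=%s" % (name, prio, boot))
```

A hit with RECEIVE_SMS plus INTERNET permissions and a boot-persistent receiver matches the behaviour attributed to the zdtpay library and is worth manual review of the app's network destinations.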

The researchers at Palo Alto Networks highlighted that users with mobile devices running Android 4.4 KitKat are safe, because it prevents applications that are not the default SMS application from capturing SMS messages.

A great number of app developers try to monetize their efforts by including advertising libraries in their code; however, third-party advertising platforms could be exploited to serve malicious code to a large number of devices.

Earlier this month, the experts at FireEye discovered another malicious code, the Kemoge adware, that once again targeted Android users in dozens of countries.

The Kemoge malware is packaged with various popular Android mobile apps such as games, calculators and device lockers, which are deployed to third-party app stores. The threat actors behind the malicious campaign promoted the trojanized apps through in-app ads and download links posted on various websites.

Pierluigi Paganini

(Security Affairs – Android, SMS stealing library)