18,000 Android apps contain malicious code that Steals SMS messages

Android logoA Chinese mobile advertising platform is distributing a malicious SDK (Software Development Kit) that helps developers implement in-app purchases (IAPs) for Android apps. This SDK secretly steals all SMS messages that arrive on infected phones.

The SDK is being offered as a free download by Chinese company Taomike, and can be used to allow Android developers to create mobile apps that provide in-app purchases via SMS messages.

According to Palo Alto Networks, the security vendor that discovered the SDK, only recent versions of the SDK seem to contain the SMS stealing functionality. This version was released in August 2015.

Right now, Palo Alto has detected over 63,000 Android apps containing the Taomike SDK, but only 18,000 include the recent malicious version of the SDK.

18,000 Android apps contain malicious code that Steals SMS messages

The developers of these apps are unaware that the library they used to power IAPs is actually stealing SMS messages (text body and sender number) and then uploading them to one of Toamike's servers, more specifically to

As Palo Alto staff explains, only this URL is responsible for gathering SMS messages. Tying the URL to Toamike was easy because it was also used to host other API functions.

All affected apps seem to be created only by Chinese developers, and none of them seems to be distributed via Google's official Play Store.

At the moment, Palo Alto has not been able to determine from their analysis what Taomike is using the stolen SMS messages for.

This revelation comes just two days after Apple banned 256 apps from the App Store for including a similar "malicious" API, which was collecting private information from iOS users. This violated Apple's privacy and security policy.

Just like in this case, the API belonged to a Chinese advertising company. The company's name was Youmi.

Source: Softpedia

Tags: Android, security

Add comment

Your name:
Sign in with:
Your comment:

Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party

Last news

Galaxy Note10 really is built around a 6.7-inch display
You may still be able to download your content
Facebook, Messenger and Instagram are all going away
Minimize apps to a floating, always-on-top bubble
Japan Display has been providing LCDs for the iPhone XR, the only LCD model in Apple’s 2018 line-up
The 2001 operating system has reached its lowest share level
The entire TSMC 5nm design infrastructure is available now from TSMC
The smartphone uses a Snapdragon 660 processor running Android 9 Pie
The Samsung Galaxy A5 (2017) Review
The evolution of the successful smartphone, now with a waterproof body and USB Type-C
February 7, 2017 / 2
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /

News Archive



Do you use microSD card with your phone?
or leave your own version in comments (15)