A Chinese mobile advertising platform is distributing a malicious SDK (Software Development Kit) that helps developers implement in-app purchases (IAPs) for Android apps. This SDK secretly steals all SMS messages that arrive on infected phones.
The SDK is being offered as a free download by Chinese company Taomike, and can be used to allow Android developers to create mobile apps that provide in-app purchases via SMS messages.
According to Palo Alto Networks, the security vendor that discovered the SDK, only recent versions of the SDK seem to contain the SMS-stealing functionality; the malicious version was released in August 2015.
Right now, Palo Alto has detected over 63,000 Android apps containing the Taomike SDK, but only 18,000 include the recent malicious version of the SDK.
The developers of these apps are unaware that the library they used to power IAPs is actually stealing SMS messages (text body and sender number) and uploading them to one of Taomike's servers, more specifically to 126.96.36.199/2c.php.
As Palo Alto staff explains, only this URL is responsible for gathering SMS messages. Tying the URL to Taomike was easy because the same server also hosts other Taomike API functions.
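A defender reading this report mainly wants to know which devices on the network have been talking to the SMS collection endpoint. The following script is an added example, not code from the article or from Palo Alto Networks: it scans egress-proxy log lines for the indicator given above (host 126.96.36.199, path /2c.php) and separates hits on the SMS upload path from other requests to the same host, since the article notes that the server also hosts ordinary SDK API functions. The log format, the sample lines, the client IPs and the assumption that the upload goes over http(s) are all constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Indicator reported for the Taomike SDK in the article above.
TAOMIKE_HOST = "126.96.36.199"
SMS_UPLOAD_PATH = "/2c.php"

# Constructed sample egress-proxy log, one request per line (not real traffic).
# Assumed format: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
2015-10-21T09:00:01Z 10.0.0.12 GET http://example.com/index.html 200
2015-10-21T09:00:05Z 10.0.0.17 POST http://126.96.36.199/2c.php 200
2015-10-21T09:00:09Z 10.0.0.17 GET http://126.96.36.199/api/config.php 200
2015-10-21T09:01:13Z 10.0.0.23 POST http://126.96.36.199/2c.php?v=2 200
2015-10-21T09:02:40Z 10.0.0.31 GET http://cdn.example.net/2c.php 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
# Scheme is assumed to be http or https; host stops at '/', ':', '?' or '#',
# path stops before any query string or fragment.
URL_RE = re.compile(r"^https?://(?P<host>[^/:?#]+)(?::\d+)?(?P<path>/[^?#]*)?")


def classify_url(url: str) -> Optional[str]:
    """Return 'sms_upload' for the SMS collection endpoint, 'taomike_host' for any
    other request to the same server (it also serves legitimate SDK API calls),
    or None when the request is unrelated to the indicator."""
    m = URL_RE.match(url)
    if not m:
        return None
    host = m.group("host").lower()
    path = m.group("path") or "/"
    if host != TAOMIKE_HOST:
        return None
    return "sms_upload" if path == SMS_UPLOAD_PATH else "taomike_host"


def find_hits(log_text: str) -> List[Dict[str, str]]:
    """Parse each log line and keep those that touch the Taomike server."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unexpected line format; skip it
        verdict = classify_url(m.group("url"))
        if verdict:
            hits.append(
                {
                    "ts": m.group("ts"),
                    "src": m.group("src"),
                    "url": m.group("url"),
                    "verdict": verdict,
                }
            )
    return hits


def clients_uploading_sms(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct client addresses seen posting to the SMS collection path."""
    return sorted({h["src"] for h in hits if h["verdict"] == "sms_upload"})


if __name__ == "__main__":
    all_hits = find_hits(SAMPLE_LOG)
    for h in all_hits:
        print(f'{h["ts"]} {h["src"]} {h["verdict"]} {h["url"]}')
    print("clients to triage:", clients_uploading_sms(all_hits))
```

Only the exact host-and-path match is treated as SMS exfiltration; a request for /2c.php on an unrelated host, or to another path on the Taomike host, is not escalated, which keeps the triage list to devices that actually reached the endpoint the article names.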
All affected apps seem to be created only by Chinese developers, and none of them seems to be distributed via Google's official Play Store.
At the moment, Palo Alto has not been able to determine from their analysis what Taomike is using the stolen SMS messages for.
This revelation comes just two days after Apple banned 256 apps from the App Store for including a similar "malicious" API, which was collecting private information from iOS users. This violated Apple's privacy and security policy.
Just like in this case, that API belonged to a Chinese advertising company, Youmi.