Analysis of the ‘Le Bao’ Fraudulent Chat Application Used for Pornographic Promotion
This report is a technical analysis of the malicious "Le Bao" app, which masquerades as a WeChat‑like chat tool. It covers the sample's characteristics, its hidden QR‑code group‑joining mechanism, the payment flow, server‑side tracing, and the profit model, and shows how the app covertly distributes pornographic content and drives related illicit activity.
Background: The security lab detected a counterfeit application named "Le Bao". It presents itself as a chat tool resembling WeChat but in fact promotes a pornographic website. Users must scan a specific QR code to join a group in which the illicit content is shared, which makes the scheme hard to detect.
1. Sample Characteristics
1.1 Imitates WeChat Interface
The app mimics WeChat’s UI, allowing users to register, receive a random ID, and add friends for chatting.
When a user enters a friend's ID, the client sends it to the server, which returns that friend's account and avatar details for display.
1.2 QR‑Code Group Joining for Pornographic Live Streams
The app requires scanning a special QR code to join a group. Only the app's built‑in scanner can decode the code; scanning it with WeChat or a stock camera app fails, because the app uses a proprietary decoding scheme. As a result the group‑join content is invisible to a standard WeChat scan.
Once decoded, the payload carries the group ID prefixed with "##" (e.g., "##mWII6O3"); the app strips the prefix to obtain the group to join.
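The check below is an added example, not code from the original report or from the "Le Bao" app: it takes already‑decoded QR payloads and picks out the ones that follow the "##<group ID>" join format described above, so the same test can be run over strings pulled from the APK or from captured scans. The sample payloads are constructed; only the "##" prefix and the example ID "##mWII6O3" come from the analysis. The assumption that group IDs are short alphanumeric tokens (4 to 32 characters) is mine, based on the single example the report gives.

```python
import re

# Constructed sample payloads for illustration (not taken from the report).
# Only the "##" prefix convention and the ID "mWII6O3" come from the analysis.
SAMPLE_PAYLOADS = [
    "##mWII6O3",                      # the documented group-join format
    "https://example.com/g/AbCdEf",   # an ordinary URL, as a normal QR code would carry
    "##",                             # prefix with no ID: not a usable join payload
    "  ##Ab12Cd  ",                   # surrounding whitespace is tolerated
    "join ##mWII6O3 now",             # prefix not at the start: not the app's format
]

# Assumption: group IDs are short alphanumeric tokens, as in the report's one example.
GROUP_ID_RE = re.compile(r"^##([A-Za-z0-9]{4,32})$")


def extract_group_id(payload: str):
    """Return the group ID if `payload` matches the "##<id>" join format, else None."""
    m = GROUP_ID_RE.match(payload.strip())
    return m.group(1) if m else None


def triage(payloads):
    """Map each decoded payload to its extracted group ID (None when it is not a join code)."""
    return {p: extract_group_id(p) for p in payloads}


if __name__ == "__main__":
    for payload, gid in triage(SAMPLE_PAYLOADS).items():
        verdict = f"group-join code, id={gid}" if gid else "not a Le Bao join code"
        print(f"{payload!r:30} -> {verdict}")
```

Because the app's QR codes cannot be read by a stock scanner, the payload strings have to come from the app itself, for example from the decoded output of its built‑in scanner routine or from network traffic after a scan; the pattern match then tells an analyst which strings are group‑join codes worth tracing.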
1.3 Membership Payment to Access Pornographic Live Streams
After joining the group, users are prompted by agents in the group to buy a membership, which grants access to the pornographic website's live streams.
The website also integrates online gambling and offers small payments (e.g., 10 CNY) to view individual streams.
2. Promotion Methods
2.1 Traditional Promotion
Typical pornographic software spreads via file sharing, web pages, forums, malicious plugins, and agent networks.
2.2 Updated Promotion
The "Le Bao" app hides its purpose behind the appearance of an ordinary chat tool; promoters then direct users to download the malicious APK and join the hidden groups.
3. Profit Model
The app generates revenue through platform‑taken commissions from live stream hosts, membership fees, and facilitating illicit services such as online prostitution and gambling.
4. Traceability Logic Diagram
The analysis traces the app’s server addresses, download links, payment methods, and social accounts.
5. Intelligence Mining Extensions
5.1 Server Address Tracing
Most server responses contain a URL (e.g., http://ro8***oud-image.ro***ub.com/) that hosts user avatars and pornographic images.
The domain is registered to a Beijing‑based instant‑messaging cloud service provider that supplies an IM SDK; its content moderation is lax, which allows the pornographic images to be hosted there unchecked.
5.2 Payment Tracing
The site supports bank cards, Alipay, and WeChat Pay, but only a few bank cards are actually usable.
Large‑amount payments are routed through corporate accounts and personal Alipay accounts.
5.3 Social Account Tracing
A customer service QQ account (166***1688) was identified, showing a location in Taiwan.
6. Summary
The illicit pornographic promotion app employs a unique QR‑code decoding and group‑joining mechanism, making it highly covert. It monetizes through membership fees, live‑stream commissions, and ancillary services, representing a novel and large‑scale threat that requires intensified monitoring and rapid takedown.
7. Prevention and Response Recommendations
Block malicious domains and URLs.
Blocklist the domains the app itself contacts (its server and image‑hosting endpoints) so that the client cannot function.
Increase monitoring to ensure immediate blocking upon detection.
Educate users to recognize and avoid such deceptive applications.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.