How a Fake WeChat App ‘LeBao’ Fuels Hidden Porn Networks – A Deep Dive
This report analyzes the malicious “LeBao” application that masquerades as a WeChat‑like chat tool, detailing its covert QR‑code group entry, custom decoding, member‑paid porn livestreams, payment fraud, server tracing, and recommended mitigation measures to curb its illicit operations.
Background
Security researchers from the Shadow Security Lab recently detected a fraudulent app named “LeBao” that mimics WeChat’s interface. Although it appears as a simple chat client, the app covertly promotes pornographic websites, recruits users into illicit groups via QR‑code scans, and generates revenue through membership fees and online gambling.
1. Sample Characteristics
1.1 Fake WeChat UI
The app reproduces WeChat’s login and chat screens. After registration, each user receives a random ID that can be used to add friends and exchange messages.
1.2 QR‑Code Group Entry for Porn Live Streams
Only users who scan a specific QR code from inside the app can join a hidden group where pornographic live streams are shared. The QR payload is a “##” prefix followed by the group ID (e.g., ##mWII6O3). Scanning the same code with the genuine WeChat client fails, because the payload is meaningful only to LeBao’s own decoder; this keeps the group invisible to ordinary users and reviewers and makes detection difficult.
1.3 Custom Decoding Mechanism
The app uses its own decoding algorithm to interpret the QR‑code data, then contacts a server (http://api.l***98.com:8585/group/join) to retrieve group information and confirm membership.
2. Promotion Methods
2.1 Traditional Promotion
Conventional porn apps are spread via file‑sharing sites, forums, malicious plugins, and by recruiting downstream agents.
2.2 Updated Promotion
“LeBao” distributes a download link (http://h***9.org/) that leads users to install the app, which then silently directs them to the hidden porn ecosystem.
3. Profit Model
The application earns revenue through three main channels:
Platform fees from porn livestream hosts.
Membership payments required to view streams (e.g., ¥10 for access).
Facilitating online prostitution and gambling, with the platform taking a commission.
4. Payment Integration
The embedded porn site supports multiple payment methods, including bank cards, Alipay, and WeChat Pay. Small‑amount payments use personal Alipay accounts, while larger transactions involve corporate accounts.
5. Tracing and Attribution
Network analysis revealed server endpoints located in the United States, Luxembourg, and Hong Kong. The app embeds a third‑party instant‑messaging SDK (ro***ub) that supplies user avatars and pornographic images. Domain registration records point to a Beijing‑based company that provides the SDK but does not enforce content moderation.
6. Recommendations
Block malicious domains and URLs identified in the analysis.
Incorporate the app’s unique signatures into detection systems for rapid blocking.
Increase monitoring of similar illicit apps to prevent their spread.
Educate end‑users to recognize deceptive applications and avoid installing unknown software.
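The two concrete indicators this report gives (the ##-prefixed QR payload in 1.2/1.3 and the /group/join endpoint on port 8585 in 1.3) are enough to build the signature-based detection recommended above. The following is an added example, not code from the report, the Shadow Security Lab, or the app. It assumes the group ID is alphanumeric (the report shows a single sample), assumes a minimal egress-log format of the form “client method url [body]”, and uses placeholder hostnames because the report masks the real ones, so only the port and path are matched.

```python
"""
Indicator matching for the LeBao group-entry scheme described in the report.
Added illustration, not code from the report or the app. Assumptions are
marked in comments: the group-ID alphabet, the sample log format, and the
placeholder hostnames (the report masks the real hosts).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Report: QR payload is "##" followed by the group ID, e.g. "##mWII6O3".
# Assumption: the ID is alphanumeric; the report shows only one sample.
GROUP_TOKEN_RE = re.compile(r"^##([A-Za-z0-9]+)$")

# Report: the app calls http://api.l***98.com:8585/group/join. The host is
# masked in the report, so port and path are used as the stable indicators.
JOIN_PATH = "/group/join"
JOIN_PORT = 8585


def parse_group_token(qr_text: str) -> Optional[str]:
    """Return the group ID if qr_text is a LeBao-style entry token, else None.

    Ordinary QR contents (URLs, weixin:// links, plain text) do not match,
    which is why a genuine WeChat scan of the same code yields nothing.
    """
    m = GROUP_TOKEN_RE.match(qr_text.strip())
    return m.group(1) if m else None


@dataclass
class JoinHit:
    line_no: int
    client: str
    host: str
    group_id: Optional[str]  # None when the request carried no parseable token


# Assumption: a minimal egress-log format "<client> <method> <url> [body]".
LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)(?:\s+(?P<body>.*))?$"
)
URL_RE = re.compile(
    r"^https?://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/[^\s?]*)"
)


def flag_join_requests(log_lines: List[str]) -> List[JoinHit]:
    """Flag requests to the group-join endpoint and extract the group ID if
    the request body carries the same ##-prefixed token."""
    hits: List[JoinHit] = []
    for i, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        u = URL_RE.match(m.group("url"))
        if not u:
            continue
        port = int(u.group("port") or 80)
        if port != JOIN_PORT or u.group("path") != JOIN_PATH:
            continue
        body = m.group("body") or ""
        tok = re.search(r"##[A-Za-z0-9]+", body)
        gid = parse_group_token(tok.group(0)) if tok else None
        hits.append(JoinHit(i, m.group("client"), u.group("host"), gid))
    return hits


# Constructed sample log; api.example-masked.com is a placeholder host.
SAMPLE_LOG = [
    "10.0.0.7 GET https://example.com/index.html",
    "10.0.0.7 POST http://api.example-masked.com:8585/group/join code=##mWII6O3",
    "10.0.0.9 GET http://api.example-masked.com:8585/user/avatar",
    "10.0.0.9 POST http://api.example-masked.com:8585/group/join",
]

if __name__ == "__main__":
    for hit in flag_join_requests(SAMPLE_LOG):
        print(hit)
```

The second sample hit has no token in its body and is still reported, since the endpoint itself is the indicator; the group ID is only supplementary context for tracing which hidden group a client joined. Once the real hostnames are known, adding a host check to the URL match tightens the rule considerably.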
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"