Inside the Fake WeChat App That Promotes Porn: Hidden Mechanics Unveiled
Security researchers dissect the counterfeit “Le Bao” app that mimics WeChat, revealing its covert QR‑code group‑joining, custom decoding, member‑paid porn livestreams, embedded payment methods, server infrastructure, and illicit profit models, highlighting its high concealment and the need for aggressive mitigation.
Background: Recently, the Shadow Security Lab detected a counterfeit app named “Le Bao” that appears as a WeChat‑like chat software but actually promotes pornographic websites.
The app requires users to scan a specific QR code to join a group where porn live streams are hosted, making detection difficult and evading typical investigative methods.
This article discloses the app’s propagation methods, profit model, traceability analysis, and intelligence mining.
1. Sample Characteristics
1.1 Fake WeChat Interface, Packaged as Chat Software
The app imitates the WeChat UI; after registration it generates a random ID, allowing users to add friends and chat.
When a user inputs a friend ID, the client sends it to the server, receives the friend's account and avatar information, and displays it.
1.2 Specific QR‑Code Scanning to Join Groups for Porn Live Streams
The app only grants access to pornographic live streams after scanning a particular QR code; standard WeChat scanning cannot join the group, providing high concealment.
Scanning the QR code adds the user to a group that has grown to over 2,400 members.
Scanning the same code with standard WeChat or the phone camera does not join the group.
Code analysis shows the app uses a proprietary decoding method for covert propagation:
After scanning the QR code, the app checks for data prefixed with “##”; the string after “##” is the group name (e.g., “##mWII6O3” indicates group ID mWII6O3).
The app then contacts a specific URL to query group membership.
After receiving the group information, it confirms joining via a second endpoint.
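The “##” payload convention described above, as an added example that is not code from the original report or the app: a small Python triage helper that classifies decoded QR payloads and extracts the group ID. It assumes group IDs are 6 to 12 alphanumeric characters (an assumption; the report shows only the one sample “mWII6O3”).

```python
import re
from typing import NamedTuple, Optional

# Group IDs in the report look like "mWII6O3"; treating them as 6-12 alphanumeric
# characters is an assumption, not something the report states.
GROUP_ID_RE = re.compile(r"^##([A-Za-z0-9]{6,12})$")
LEBAO_PREFIX = "##"

class QrVerdict(NamedTuple):
    kind: str               # "lebao_group", "lebao_malformed", "url" or "other"
    group_id: Optional[str]

def classify_qr_payload(payload: str) -> QrVerdict:
    """Classify a decoded QR payload the way the counterfeit client does.

    A normal QR scanner (WeChat, the camera app) expects a URL or a known
    scheme; the bare "##<group>" form is neither, which is why those scanners
    cannot join the group and why the prefix is a useful detection hint.
    """
    text = payload.strip()
    if text.startswith(LEBAO_PREFIX):
        m = GROUP_ID_RE.match(text)
        if m:
            return QrVerdict("lebao_group", m.group(1))
        return QrVerdict("lebao_malformed", None)   # prefix present, ID unusable
    if re.match(r"^(https?|weixin)://", text, re.IGNORECASE):
        return QrVerdict("url", None)               # what ordinary scanners handle
    return QrVerdict("other", None)

def triage_batch(payloads):
    """Return the set of group IDs seen plus a count per verdict kind,
    suitable for feeding a blocklist or an analyst report."""
    groups, counts = set(), {}
    for p in payloads:
        v = classify_qr_payload(p)
        counts[v.kind] = counts.get(v.kind, 0) + 1
        if v.group_id:
            groups.add(v.group_id)
    return groups, counts

if __name__ == "__main__":
    # Constructed sample payloads; only "##mWII6O3" appears in the report.
    sample = ["##mWII6O3", "https://weixin.qq.com/g/abc", "##", "hello", "  ##mWII6O3 "]
    print(triage_batch(sample))
```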
1.3 Membership Recharge to Watch Porn Live Streams
The app itself does not provide live streaming; after joining the group, the group owner shares a business ID for users to purchase a membership, which then grants access to a porn website’s live streams.
The porn site also integrates online gambling; a 10‑yuan recharge allows users to watch live streams.
Website address: https://www.1****0.com/
The site also displays fake lottery winnings to lure users into online betting.
Furthermore, the creators use the app to recruit agents for arranging prostitution; agents receive a commission from the platform’s earnings.
2. Promotion Methods
2.1 Traditional Promotion
Traditional porn software spreads via cloud storage, websites, forums, third‑party ad plugins, malicious background downloads, and recruiting downstream agents.
2.2 Updated Promotion
The app’s covert promotion leverages network distribution to attract users to download the APK.
Distribution address: http://h****9.org/
The app’s concealment lies in:
The app appears as an ordinary chat tool.
Users cannot access porn content without scanning the specific QR code.
Agents can easily manage users and post illicit recruitment messages, with chats containing sensitive information.
3. Profit Model
The app’s revenue streams include host commissions, membership fees, and prostitution‑related earnings, with embedded gambling to further monetize users.
1) Hosts use the platform for porn live streams; the platform takes a fee.
2) Users must purchase a membership to watch porn live streams.
3) The platform publishes notices to arrange prostitution for profit.
4. Traceability Logic Diagram
The analysis traces server addresses, download links, distribution channels, payment methods, and social accounts.
5. Intelligence Line Mining System Expansion
5.1 Server Address Trace
Most illegal sites host servers abroad with strong concealment; no concrete information was found from the traced addresses.
Server responses often contain a URL such as http://ro8***oud-image.ro***ub.com/ where avatars and porn images are fetched.
Example porn images were retrieved from that server.
Domain registration shows the provider “Beijing *** Xin Network Technology Co., Ltd.” offering an instant‑messaging SDK with lax content review.
The assistant ID used by a host reveals a phone number (1356***6666) still active in Sichuan.
5.2 Payment Trace
The porn site integrates multiple payment methods, currently supporting bank cards, Alipay, and WeChat Pay.
5.2.1 Bank Card & WeChat Pay
Only three bank cards are listed; the site does not actually open bank or WeChat transfer functions, but users can transfer via bank apps.
5.2.2 Alipay Small‑Amount Payments
Small payments use account 159***17660 (recipient: Wang *Long).
5.2.3 Alipay Large‑Amount Payments
Large payments use account gd***[email protected] (recipient: Yong’an City ** Street He *Yi Store).
5.3 Social Account Trace
During a chat with customer service, a QQ account (166***1688) was obtained; the QQ space shows the user residing in Penghu County, Taiwan.
6. Summary
The illegal porn promotion app employs a unique decoding and group‑joining mechanism, offering high concealment that thwarts typical investigative techniques. It scales via paid memberships, massive user bases, and embedded gambling, constituting serious criminal activity. Continuous monitoring and rapid response are essential to curb its spread.
7. Prevention and Handling Recommendations
Block malicious distribution addresses.
Block domains used within the app.
Increase monitoring to ensure immediate blocking upon detection.
Educate ordinary users to recognize such deceptive apps and adopt proactive security measures.