
Security Analysis of the “Le Bao” Fake Chat Application Used for Pornographic Promotion

This report investigates the malicious “Le Bao” Android application that masquerades as a WeChat‑like chat tool, detailing its sample characteristics, hidden QR‑code group‑joining mechanism, membership‑based porn livestream access, promotion methods, profit model, and comprehensive traceability of servers, payment channels, and social accounts.


1. Sample Characteristics

1.1 Imitated WeChat Interface

The app mimics WeChat’s UI, presenting itself as a simple chat client. After registration, each user receives a random ID that can be used to add friends and exchange messages.

Friend addition triggers a request that sends the friend ID to the server, which returns the friend's account and avatar information for display.

1.2 QR‑Code Group Joining for Pornographic Live Streams

The app requires scanning a specific QR code to join a group where pornographic live streams are hosted. The QR code can only be scanned with the app’s built‑in scanner; standard WeChat or camera scanners fail, providing high concealment.

Scanning the QR code reveals data prefixed with "##"; the suffix is the group ID (e.g., "##mWII6O3"). The app then contacts http://api.l***o98.com:8585/group/join to query the group and subsequently http://app.l***98.com/App/Group/query_group to confirm joining.
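The two observable traits of the group-join flow described above, the "##"-prefixed QR payload and the two join/confirm endpoints, can be turned into detection logic. The following is an added example for defenders, not code from the original report: it parses a candidate QR payload into its group ID and scans a constructed proxy log for the join endpoints. Because the real host names are redacted in the report, matching is done on URL path and port, and the host names, log format and alphanumeric-only group-ID check are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Group-join QR payloads observed in the report carry a "##" prefix followed by the group ID.
QR_PREFIX = "##"


def parse_group_qr(payload: str) -> Optional[str]:
    """Return the group ID if payload follows the "##<id>" convention, else None.
    Restricting the ID to alphanumerics is an assumption drawn from the one sample ("##mWII6O3")."""
    if not payload.startswith(QR_PREFIX):
        return None
    group_id = payload[len(QR_PREFIX):]
    return group_id if re.fullmatch(r"[A-Za-z0-9]+", group_id) else None


# Endpoints the app contacts when joining a group (from the report). Hosts are redacted in the
# source, so the indicator is (port, path); a port of None means "any port".
GROUP_JOIN_INDICATORS = (
    ("group-join-query", 8585, "/group/join"),
    ("group-join-confirm", None, "/App/Group/query_group"),
)


@dataclass
class Alert:
    src_ip: str
    indicator: str
    url: str


def match_url(url: str) -> Optional[str]:
    """Return the indicator name if url matches one of the group-join endpoints."""
    parts = urlsplit(url)
    for name, port, path in GROUP_JOIN_INDICATORS:
        if parts.path == path and (port is None or parts.port == port):
            return name
    return None


def scan_proxy_log(lines: List[str]) -> List[Alert]:
    """Constructed log format (assumption): '<timestamp> <src_ip> <method> <url>' per line."""
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash the scan
        name = match_url(fields[3])
        if name:
            alerts.append(Alert(src_ip=fields[1], indicator=name, url=fields[3]))
    return alerts


# Constructed sample traffic; REDACTED-HOST.example stands in for the obfuscated domains.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET http://example.com/index.html",
    "2024-01-01T10:00:01Z 10.0.0.7 POST http://api.REDACTED-HOST.example:8585/group/join",
    "2024-01-01T10:00:02Z 10.0.0.7 POST http://app.REDACTED-HOST.example/App/Group/query_group",
    "2024-01-01T10:00:03Z 10.0.0.9 GET http://api.REDACTED-HOST.example/group/join",
]
```

The fourth sample line is deliberately not flagged: it hits the join path without the 8585 port the report describes, which shows where the indicator would need loosening if the operators move ports.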

1.3 Membership Payment for Access to Pornographic Live Streams

After joining the group, agents post pornographic images to lure users into purchasing a membership. Paid members can log into the hidden porn website to watch live streams. A single 10‑yuan recharge grants access.

Website address (obfuscated): https://www.1****0.com/

The site also embeds online gambling, displaying fake winning notifications to entice users to gamble.

Additionally, the platform recruits agents for “network prostitution,” taking a commission from their earnings.

2. Promotion Methods

2.1 Traditional Promotion

Conventional porn software spreads via file‑sharing sites, web pages, forums, third‑party ad plugins, malicious background downloads, and recruitment of downstream agents.

2.2 Updated Promotion

The app distributes a download link (e.g., http://h****9.org/) that leads to the disguised chat client, which then covertly promotes the porn site.

Key concealment points:

- The app appears as an ordinary chat tool.
- Without scanning the specific QR code, users cannot access pornographic content.
- Agents can manage users and broadcast illicit recruitment messages without restriction.

3. Profit Model

The revenue streams include platform‑taken cuts from live‑stream earnings, membership fees, and commissions from network‑based prostitution.

4. Traceability Logic Diagram

The investigation traces the app’s server addresses, download URLs, payment methods, and associated social accounts.

5. Intelligence‑Based Extension

5.1 Server Address Trace

Most servers are hosted abroad with strong obfuscation. The app retrieves avatars and porn images from http://ro8***oud-image.ro***ub.com/. The domain is registered to a Beijing‑based instant‑messaging cloud provider, whose SDK is embedded in the app without strict content moderation.

Contact details (partially redacted) are listed, confirming the provider’s lax oversight.

5.2 Payment Trace

The site supports bank cards, Alipay, and WeChat Pay. Only a few bank cards are functional; larger payments use specific Alipay accounts.

5.3 Social Account Trace

A customer‑service QQ account (166***1688) was identified; the profile indicates residence in Taiwan.

6. Summary

The illicit “Le Bao” app employs a proprietary QR‑code decoding and group‑joining feature that provides high concealment, evading typical investigative techniques. It monetizes through paid porn livestreams, agent recruitment, and embedded gambling, representing a novel, large‑scale illegal content distribution channel that requires intensified monitoring and rapid takedown.

7. Prevention and Mitigation Recommendations

- Block malicious distribution URLs and domains.
- Blacklist the app’s embedded domain names.
- Increase surveillance to ensure immediate blocking upon detection.
- Educate end‑users to recognize and avoid such deceptive applications.

Tags: privacy, mobile security, malware analysis, network traffic, app investigation, illegal content
Written by Java Architect Essentials