Security Analysis of the “Le Bao” Fake WeChat App Used for Pornographic Promotion
The report investigates the malicious “Le Bao” application that mimics WeChat, detailing its hidden QR‑code group‑joining mechanism, server‑side communication, payment and gambling integration, and the broader illicit promotion and profit model, while providing forensic traces, source‑code decoding, and mitigation recommendations.
1. Sample Characteristics
1.1 Fake WeChat UI, presented as a chat tool
The app reproduces the WeChat interface. Registering an account generates a random ID; friends are added by entering this ID, at which point the client posts the ID to the server, which returns the friend’s account information and avatar for display.
1.2 QR‑code group joining to view pornographic live streams
The app can only access pornographic content after scanning a specific QR code that joins a hidden group; the QR code contains a "##" prefix followed by the group name (e.g., "##mWII6O3"). Standard WeChat or camera scanners cannot read it, making detection difficult.
After scanning, the app contacts http://api.l***o98.com:8585/group/join to query the group, then confirms the join via http://app.l***98.com/App/Group/query_group.
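As an added illustration of how a defender could detect the join flow described above (this is example code written for this summary, not code from the report or from the app), the following scans constructed proxy-log lines for the two join-endpoint paths and the unusual 8585 port, and checks decoded QR payloads for the "##<group>" token format. The hostnames in the sample log are placeholders, since the report masks the real ones; the log format itself is assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# QR payload format from the report: a "##" prefix followed by the group name.
GROUP_TOKEN_RE = re.compile(r"^##(?P<group>[A-Za-z0-9_-]{4,32})$")

# Endpoint paths the report attributes to the group-join flow. Hostnames are
# masked in the report, so detection keys on path and port rather than host.
JOIN_PATHS = {"/group/join", "/App/Group/query_group"}
JOIN_PORT = 8585

# Constructed (hypothetical) proxy-log line format:
# <timestamp> <client_ip> <method> http://<host>[:<port>]<path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"http://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)$"
)


def parse_group_token(payload: str) -> Optional[str]:
    """Return the hidden group name if a decoded QR payload uses the '##' scheme, else None."""
    m = GROUP_TOKEN_RE.match(payload.strip())
    return m.group("group") if m else None


@dataclass
class Hit:
    client: str
    host: str
    path: str
    reason: str


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Flag requests that match the join-flow indicators; unparsable lines are skipped."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        port = int(m.group("port") or 80)
        path = m.group("path").split("?", 1)[0]
        reasons = []
        if path in JOIN_PATHS:
            reasons.append("group-join endpoint")
        if port == JOIN_PORT:
            reasons.append("port 8585")
        if reasons:
            hits.append(Hit(m.group("client"), m.group("host"), path, "; ".join(reasons)))
    return hits


# Constructed sample log; hosts are placeholders, not the report's masked domains.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 POST http://api.masked-host.invalid:8585/group/join",
    "2024-01-01T10:00:02Z 10.0.0.5 POST http://app.masked-host.invalid/App/Group/query_group",
    "2024-01-01T10:00:03Z 10.0.0.7 GET http://www.example.com/index.html",
]
```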
1.3 Membership purchase to watch pornographic live streams
The app itself does not provide live streaming; it merely directs users to a pornographic website where, after paying a membership fee (e.g., 10 CNY), they can watch live streams.
The website also embeds online gambling and offers agents the ability to recruit others, taking a commission on their earnings.
2. Promotion Methods
2.1 Traditional promotion
Conventional pornographic apps are spread via file‑sharing sites, web pages, forums, third‑party ad plugins, malicious software that silently downloads the app, and through recruited agents.
2.2 Updated promotion
The “Le Bao” app hides its malicious purpose behind a seemingly innocent chat interface, attracting users to download the APK from a concealed distribution URL (e.g., http://h****9.org/).
The app’s stealth is achieved by:
Presenting itself as a normal chat tool.
Requiring the proprietary QR‑code scan to join the porn group.
Allowing agents to manage users and publish illicit recruitment messages.
3. Profit Model
The application generates revenue through three main channels:
Platform‑taken commission from pornographic live streams.
Membership fees paid by users to view streams.
Revenue from illicit recruitment and online gambling.
4. Server‑Side Tracing
Most server responses contain a base URL http://ro8***oud-image.ro***ub.com/, from which all avatars and pornographic images are fetched.
Domain registration points to “Beijing *** Xin Network Technology Co., Ltd.”, a provider of instant‑messaging cloud services whose SDK is embedded in the app without strict content moderation.
During the “add assistant” flow, the server returns a phone number (1356***6666) linked to a Sichuan location.
5. Payment Tracing
The website supports bank cards, Alipay, and WeChat Pay. Only a few bank cards are actually usable; the site also lists small‑amount Alipay accounts (e.g., 159***17660, holder Wang *Long) and large‑amount accounts (e.g., gd***[email protected], holder Yong’an ** Street He*Yi).
6. Social‑Account Tracing
A customer‑service QQ account (166***1688) was identified; the profile indicates the user resides in Taiwan.
7. Summary
The illicit “Le Bao” app employs a custom decoding and QR‑code group‑joining function, providing a highly concealed channel for pornographic live‑stream distribution and profit through membership fees, commissions, and gambling. Its large‑scale operation and evolving tactics demand intensified monitoring and rapid takedown.
8. Prevention and Response Recommendations
Block all malicious distribution URLs.
Blacklist the domains used within the app.
Increase surveillance to ensure immediate blocking of similar apps upon detection.
Educate end‑users to recognize deceptive applications and adopt safe browsing habits.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.