Technical information
Malicious functions:
Sends data about device contacts to a remote host.
Threat detection based on machine learning.
Network activity:
Connects to:
- UDP(DNS) 8####.8.4.4:53
- TCP(TLS/1.0) app.ad####.com:443
- TCP(TLS/1.0) as####.appl####.com:443
- TCP(TLS/1.0) r####.appl####.com:443
- TCP(TLS/1.0) adser####.go####.com:443
- TCP(TLS/1.0) a.appba####.com:443
- TCP(TLS/1.0) se####.appo####.com:443
- TCP(TLS/1.0) firebas####.google####.com:443
- TCP(TLS/1.0) adx.ads.vu####.com:443
- TCP(TLS/1.0) convers####.appsf####.com:443
- TCP(TLS/1.0) api.revenu####.com:443
- TCP(TLS/1.0) 1####.194.176.223:443
- TCP(TLS/1.0) pdn.appl####.com:443
- TCP(TLS/1.0) googl####.g.doublec####.net:443
- TCP(TLS/1.0) f.evere####.io:443
- TCP(TLS/1.0) api.appsfly####.com.####.net:443
- TCP(TLS/1.0) app-mea####.com:443
- TCP(TLS/1.0) img.appl####.com:443
- TCP(TLS/1.0) www.face####.com:443
- TCP(TLS/1.0) rt.appl####.com:443
- TCP(TLS/1.0) laun####.appsf####.com:443
- TCP(TLS/1.0) ms.appl####.com:443
- TCP(TLS/1.0) new.ads.vu####.com:443
- TCP(TLS/1.0) d.appl####.com:443
- TCP(TLS/1.2) 64.2####.164.94:443
- TCP(TLS/1.2) 1####.250.150.100:443
- TCP(TLS/1.2) 2####.85.233.101:443
- TCP(TLS/1.2) firebas####.google####.com:443
- TCP api.ampli####.com:443
- TCP firebas####.crashly####.com:443
DNS requests:
- a.appba####.com
- a4.appl####.com
- ads.api.vu####.com
- adser####.go####.com
- adx.ads.vu####.com
- api.ampli####.com
- api.revenu####.com
- app-mea####.com
- app.ad####.com
- as####.appl####.com
- cdn-set####.appsfly####.com
- convers####.appsf####.com
- d.appl####.com
- f.evere####.io
- firebas####.crashly####.com
- firebas####.google####.com
- firebas####.google####.com
- googl####.g.doublec####.net
- img.appl####.com
- laun####.appsf####.com
- ms.appl####.com
- new.ads.vu####.com
- pdn.appl####.com
- r####.appl####.com
- rt.appl####.com
- se####.appo####.com
- www.face####.com
- x.evere####.io
HTTP GET requests:
- adser####.go####.com:443/getconfig/pubvendors?pubs=####&es=####&plat=###...
- api.appsfly####.com.####.net:443/android/v1/991722b15dcc9fa40d174fdaa5b5...
- api.revenu####.com:443/v1/subscribers/$RCAnonymousID:e454f37d4a194099beb...
- app.ad####.com:443/attribution?device_type=####&gps_adid=####&environmen...
- f.evere####.io:443/track/v2/event?action_finish=####&context####&token=#...
- f.evere####.io:443/track/v2/event?hb_network=####&action_finish=####&con...
- new.ads.vu####.com:443/api/v5/new?ifa=####&app_id=####
HTTP POST requests:
- a.appba####.com:443/config
- a.appba####.com:443/consent/check
- a.appba####.com:443/get
- a.appba####.com:443/init
- a.appba####.com:443/install
- adx.ads.vu####.com:443/api/v5/ads
- app.ad####.com:443/sdk_click
- app.ad####.com:443/session
- convers####.appsf####.com:443/api/v6.9/androidevent?app_id=####&buildnum...
- f.evere####.io:443/auction/init
- f.evere####.io:443/auction/rtb/v3?mraidVer=####&vastVer=####
- firebas####.google####.com:443/v1/projects/469083709779/namespaces/fireb...
- firebas####.google####.com:443/v1/projects/469083709779/namespaces/firep...
- firebas####.google####.com:443/v1/projects/alarm-challenger/installations
- laun####.appsf####.com:443/api/v6.9/androidevent?app_id=####&buildnumber...
- ms.appl####.com:443/5.0/i?p=####
- new.ads.vu####.com:443/config
- se####.appo####.com:443/api/42/envelope/
File system changes:
Creates the following files:
- /data/data/####/.nomedia
- /data/data/####/.
- /data/data/####/.
- /data/data/####/.
- /data/data/####/. .flock (deleted)
- /data/data/####/.
- /data/data/####/. .flock (deleted)
- /data/data/####/04cfac10-3aeb-4f78-9a37-54b2e43ee0c4.envelope
- /data/data/####/1381250003_28x28.png
- /data/data/####/1661804530683.dex
- /data/data/####/1661804530683.dex.flock (deleted)
- /data/data/####/1661804530683.jar
- /data/data/####/1661804530683.tmp
- /data/data/####/1683382643590_300x300.png
- /data/data/####/1683634460613_300x300.png
- /data/data/####/1683824377842
- /data/data/####/1683824379196
- /data/data/####/1683824383956
- /data/data/####/645D1EE401B1-0001-0DC5-121F20CA36A5BeginSession.cls
- /data/data/####/645D1EE401B1-0001-0DC5-121F20CA36A5SessionApp.cls
- /data/data/####/645D1EE401B1-0001-0DC5-121F20CA36A5SessionDevice.cls
- /data/data/####/645D1EE401B1-0001-0DC5-121F20CA36A5SessionDevice.cls_temp
- /data/data/####/645D1EE401B1-0001-0DC5-121F20CA36A5SessionOS.cls
- /data/data/####/645D1EE401B1-0001-0DC5-121F20CA36A5SessionUser.cls
- /data/data/####/645D1EE70372-0001-0E3C-121F20CA36A5BeginSession.cls
- /data/data/####/645D1EE70372-0001-0E3C-121F20CA36A5BeginSession.cls_temp
- /data/data/####/645D1EE70372-0001-0E3C-121F20CA36A5SessionApp.cls
- /data/data/####/645D1EE70372-0001-0E3C-121F20CA36A5SessionDevice.cls_temp
- /data/data/####/645D1EE70372-0001-0E3C-121F20CA36A5SessionOS.cls
- /data/data/####/645D1EE70372-0001-0E3C-121F20CA36A5keys.meta
- /data/data/####/645D1EE70372-0001-0E3C-121F20CA36A5user.meta
- /data/data/####/7db242f64193f720_0
- /data/data/####/AdjustAttribution
- /data/data/####/AdjustIoActivityState
- /data/data/####/AdjustIoPackageQueue
- /data/data/####/AdjustSessionCallbackParameters
- /data/data/####/AdjustSessionPartnerParameters
- /data/data/####/BidMachinePref.xml
- /data/data/####/Cookies-journal
- /data/data/####/FBAdPrefs.xml
- /data/data/####/FirebaseHeartBeatW0RFRkFVTFRd+MTo0NjkwODM3MDk3N...A3.xml
- /data/data/####/FirebaseHeartBeatW0RFRkFVTFRd+MTo0NjkwODM3MDk3N...ml.bak
- /data/data/####/INSTALLATION
- /data/data/####/PersistedInstallation.W0RFRkFVTFRd+MTo0NjkwODM3...3.json
- /data/data/####/PersistedInstallation2135619445tmp
- /data/data/####/PersistedInstallation978985520tmp
- /data/data/####/WebViewChromiumPrefs.xml
- /data/data/####/adjust_preferences.xml
- /data/data/####/admob.xml
- /data/data/####/androidx.work.workdb-journal (deleted)
- /data/data/####/androidx.work.workdb.lck
- /data/data/####/app_set_id_storage.xml
- /data/data/####/appodeal.xml
- /data/data/####/appodeal.xml.bak
- /data/data/####/appsflyer-data.xml
- /data/data/####/appsflyer-data.xml.bak
- /data/data/####/audience_network.dex
- /data/data/####/audience_network.dex.flock (deleted)
- /data/data/####/closeOptOut.png
- /data/data/####/com.amplitude.api
- /data/data/####/com.amplitude.api-journal
- /data/data/####/com.amplitude.api.com.garageapp.alarmchallenges.xml
- /data/data/####/com.applovin.sdk.1.xml
- /data/data/####/com.applovin.sdk.preferences.8M_ro4EHQZexs13KI8...P7.xml
- /data/data/####/com.applovin.sdk.preferences.8M_ro4EHQZexs13KI8...ml.bak
- /data/data/####/com.applovin.sdk.shared.xml
- /data/data/####/com.applovin.sdk.shared.xml.bak
- /data/data/####/com.crashlytics.settings.json
- /data/data/####/com.facebook.ads.idfa.xml
- /data/data/####/com.facebook.sdk.appEventPreferences.xml
- /data/data/####/com.garageapp.alarmchallenges_preferences.xml
- /data/data/####/com.garageapp.alarmchallenges_preferences.xml.b...leted)
- /data/data/####/com.garageapp.alarmchallenges_preferences.xml.bak
- /data/data/####/com.garageapp.alarmchallenges_preferences_etags.xml
- /data/data/####/com.google.android.datatransport.events-journal
- /data/data/####/com.google.android.gms.appid-no-backup
- /data/data/####/com.google.android.gms.appid.xml
- /data/data/####/com.google.android.gms.measurement.prefs.xml
- /data/data/####/com.google.android.gms.measurement.prefs.xml.bak
- /data/data/####/com.google.firebase.crashlytics.xml
- /data/data/####/com.vungle.sdk.xml
- /data/data/####/com.vungle.sdk.xml.bak
- /data/data/####/crashlytics-userlog-645D1EE70372-0001-0E3C-121F...5.temp
- /data/data/####/dfe6b2497a7513ba_0
- /data/data/####/e7bbd655-34fb-4f9e-8719-003ba2cbd1c3.envelope
- /data/data/####/f038e94cb33282ab_0
- /data/data/####/f66d1f07-9e01-4f0c-b7e1-7b8d69eca014.envelope
- /data/data/####/frc_1;469083709779;android;e717b31725d0fd07_fir...e.json
- /data/data/####/frc_1;469083709779;android;e717b31725d0fd07_fir...gs.xml
- /data/data/####/frc_1;469083709779;android;e717b31725d0fd07_fir...h.json
- /data/data/####/frc_1;469083709779;android;e717b31725d0fd07_fir...ml.bak
- /data/data/####/frc_1;469083709779;android;e717b31725d0fd07_fir...s.json
- /data/data/####/freq.xml
- /data/data/####/freq_clicks.xml
- /data/data/####/generatefid.lock
- /data/data/####/google_app_measurement_local.db
- /data/data/####/google_app_measurement_local.db-journal
- /data/data/####/https_googleads.g.doubleclick.net_0.localstorage-journal
- /data/data/####/index
- /data/data/####/initialization_marker
- /data/data/####/metrics_guid
- /data/data/####/mobileads_consent.xml
- /data/data/####/mytarget_prefs.xml
- /data/data/####/persistent_postback_cache.json
- /data/data/####/proc_auxv
- /data/data/####/profileinstaller_profileWrittenFor_lastUpdateTime.dat
- /data/data/####/report
- /data/data/####/session.json
- /data/data/####/sound_off.png
- /data/data/####/sound_on.png
- /data/data/####/stack_analytics.sqlite
- /data/data/####/stack_analytics.sqlite-journal
- /data/data/####/stack_analytics.sqlite-journal (deleted)
- /data/data/####/stack_consent_file.xml
- /data/data/####/temp-index
- /data/data/####/the-real-index
- /data/data/####/user
- /data/data/####/vungle_db-journal
- /data/data/####/vungle_settings
- /data/data/####/vungle_settings (deleted)
- /data/media/####/log_168382438778701abef5e-7c7d-4b5a-9b64-1da935f915d3
- /data/misc/####/primary.prof
Miscellaneous:
Loads the following dynamic libraries:
- libconscrypt_gmscore_jni
- librealm-jni
Uses the following algorithms to encrypt data:
- AES-CBC-PKCS5Padding
Uses the following algorithms to decrypt data:
- AES-CBC-PKCS5Padding
Gets information about network.
Gets information about phone status (number, IMEI, etc.).
Gets information about active device administrators.
Displays its own windows over windows of other apps.
Sample from Google Play Store.