Android Analysis Report applinked.apk

AV Detection:

Multi AV Scanner detection for submitted file

Source: applinked.apk

ReversingLabs: Detection: 25%

Antivirus / Scanner detection for submitted sample

Source: applinked.apk

Avira: detected

Location Tracking:

Queries the phones location (GPS)

Source: b.b.b.l;->c:24	API Call: android.location.LocationManager.getLastKnownLocation
Source: b.b.b.l;->f:42	API Call: android.location.Location.getLatitude
Source: b.b.b.l;->f:43	API Call: android.location.Location.getLongitude
Source: b.b.b.l;->f:45	API Call: android.location.Location.getLatitude
Source: b.b.b.l;->f:46	API Call: android.location.Location.getLongitude
Source: b.b.b.l;->f:48	API Call: android.location.Location.getLatitude
Source: b.b.b.l;->f:49	API Call: android.location.Location.getLongitude

Privilege Escalation:

Requests root access

Source: Lc/d/c/l/h/g/l;->y(Landroid/content/Context;)Z	Method string: "/system/xbin/su"
Source: Lc/d/c/l/h/g/l;->m(Landroid/content/Context;)I	Method string: "/system/xbin/su"
Source: Lc/d/c/l/h/g/n;->S(Ljava/lang/String;)V	Method string: "/system/xbin/su"

Compliance:

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 142.250.185.170:443 -> 192.168.2.30:34832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.24.190.42:443 -> 192.168.2.30:45398 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 217.160.10.227:443 -> 192.168.2.30:57338 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.67:443 -> 192.168.2.30:54584 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.39.15.132:443 -> 192.168.2.30:48608 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.24.190.42:443 -> 192.168.2.30:45408 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.39.15.132:443 -> 192.168.2.30:48620 version: TLS 1.2

Spreading:

Has permission to change the WIFI configuration including connecting and disconnecting

Source: submitted apk

Request permission: android.permission.CHANGE_WIFI_STATE

Accesses external storage location

Source: androidx.core.content.FileProvider;->g:63

API Call: android.os.Environment.getExternalStorageDirectory

Networking:

Checks an internet connection is available

Source: c.d.c.v.q0;->run:69	API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.c.v.q0;->run:69	API Call: android.net.NetworkInfo.isConnected
Source: c.d.a.b.g.b.t9;->L:1017	API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.a.b.g.b.t9;->L:1017	API Call: android.net.NetworkInfo.isConnected
Source: c.d.a.b.g.b.v3;->m:7	API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.a.b.g.b.v3;->m:8	API Call: android.net.NetworkInfo.isConnected
Source: c.d.a.b.g.b.x4;->r:339	API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.a.b.g.b.x4;->r:340	API Call: android.net.NetworkInfo.isConnected
Source: b.e0.y.m.f.e;->g:52	API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: b.e0.y.m.f.e;->g:53	API Call: android.net.NetworkInfo.isConnected
Source: c.d.c.l.h.g.l;->c:21	API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.c.l.h.g.l;->c:22	API Call: android.net.NetworkInfo.isConnectedOrConnecting
Source: c.d.a.a.i.d;->a:48	API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.a.a.j.y.j.r;->a:38	API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.a.a.j.y.j.r;->a:39	API Call: android.net.NetworkInfo.isConnected
Source: c.b.a.o.e;->l:9	API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.b.a.o.e;->l:10	API Call: android.net.NetworkInfo.isConnected
Source: c.d.c.v.q0;->d:22	API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.c.v.q0;->d:23	API Call: android.net.NetworkInfo.isConnected
Source: c.d.c.v.v0;->i:45	API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.c.v.v0;->i:46	API Call: android.net.NetworkInfo.isConnected

Opens an internet connection

Source: c.d.c.t.r.c;->l:207	API Call: java.net.URL.openConnection
Source: c.a.a.w.g;->f:71	API Call: java.net.URL.openConnection
Source: g.h0.j.b;->f:61	API Call: java.net.Socket.connect("10000")
Source: i.b.g.c$e;->u:137	API Call: java.net.URL.openConnection
Source: c.d.c.l.h.j.a;->c:62	API Call: java.net.URL.openConnection
Source: c.d.a.b.a.a.b;->run:18	API Call: java.net.URL.openConnection (not executed)
Source: c.g.a.e$c;->a:4	API Call: java.net.URL.openConnection (not executed)
Source: c.d.a.b.g.b.f7;->o:2	API Call: java.net.URL.openConnection (not executed)
Source: c.d.a.b.g.b.v3;->n:9	API Call: java.net.URL.openConnection (not executed)
Source: c.e.a.b.b$b;->a:6	API Call: java.net.URL.openConnection (not executed)
Source: c.e.a.b.b$b;->a:11	API Call: java.net.URL.openConnection (not executed)
Source: c.e.a.b.b$b;->a:14	API Call: java.net.URL.openConnection (not executed)
Source: c.d.a.a.i.d;->c:128	API Call: java.net.URL.openConnection (not executed)
Source: g.h0.j.h;->f:31	API Call: java.net.Socket.connect (not executed)
Source: c.b.a.n.n.j$a;->a:2	API Call: java.net.URL.openConnection (not executed)
Source: c.d.c.v.c0;->I:13	API Call: java.net.URL.openConnection (not executed)

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.30:56068 -> 8.8.4.4:853
Source: global traffic	TCP traffic: 192.168.2.30:53266 -> 154.16.200.215:7001

Performs DNS lookups (Java API)

Source: g.s$a$a;->a:4	API Call: java.net.InetAddress.getAllByName (URL: "apis.cyberprotector.online")
Source: c.d.d.w.n.n$o;->e:8	API Call: java.net.InetAddress.getByName (not executed)

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 39602 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54584 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 48620
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 45398
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54604
Source: unknown	Network traffic detected: HTTP traffic on port 48608 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 34832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 34844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 34832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 34854
Source: unknown	Network traffic detected: HTTP traffic on port 45398 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57338
Source: unknown	Network traffic detected: HTTP traffic on port 34854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54584
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 45408
Source: unknown	Network traffic detected: HTTP traffic on port 48620 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 34844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 48608
Source: unknown	Network traffic detected: HTTP traffic on port 57338 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 45408 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54604 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50458 -> 443

Uses HTTP for connecting to the internet

Source: i.b.g.c$e;->x:207	API Call: com.android.okhttp.internal.huc.HttpsURLConnectionImpl.connect
Source: c.g.a.e$c;->a:7	API Call: java.net.HttpURLConnection.connect
Source: c.d.a.b.g.b.u3;->run:37	API Call: java.net.HttpURLConnection.connect
Source: c.d.c.l.h.j.a;->c:75	API Call: javax.net.ssl.HttpsURLConnection.connect
Source: c.b.a.n.n.j;->j:85	API Call: java.net.HttpURLConnection.connect

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.163
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.163
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.163
Source: unknown	TCP traffic detected without corresponding DNS query: 216.58.212.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.163
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.42
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.13.188
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.13.188
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.13.188
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.13.188
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.13.188
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.13.188
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.13.188
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.13.188
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.13.188
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.13.188
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.203.110
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.170
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.170
Source: unknown	TCP traffic detected without corresponding DNS query: 198.24.190.42
Source: unknown	TCP traffic detected without corresponding DNS query: 198.24.190.42
Source: unknown	TCP traffic detected without corresponding DNS query: 198.24.190.42
Source: unknown	TCP traffic detected without corresponding DNS query: 198.24.190.42
Source: unknown	TCP traffic detected without corresponding DNS query: 198.24.190.42
Source: unknown	TCP traffic detected without corresponding DNS query: 198.24.190.42
Source: unknown	TCP traffic detected without corresponding DNS query: 54.39.15.132
Source: unknown	TCP traffic detected without corresponding DNS query: 54.39.15.132
Source: unknown	TCP traffic detected without corresponding DNS query: 198.24.190.42

URLs found in memory or binary data

Source: MyriadPro-Regular.otf	String found in binary or memory: http://crl.geotrust.com/crls/gtglobal.crl04
Source: MyriadPro-Regular.otf	String found in binary or memory: http://ocsp.geotrust.com0K
Source: $avd_hide_password__0.xml	String found in binary or memory: http://schemas.android.com/aapt
Source: material_timepicker.xml, mtrl_picker_header_title_text.xml, material_clock_period_toggle.xml, material_clock_period_toggle_land.xml, android	String found in binary or memory: http://schemas.android.com/apk/res-auto
Source: abc_background_cache_hint_selector_material_dark.xml, abc_btn_radio_material_anim.xml, material_timepicker.xml, mtrl_picker_header_title_text.xml, smart_material_spinner_dropdown_item_layout.xml, tooltip_frame_dark.xml, text_view_without_line_height.xml, mtrl_calendar_month.xml, material_clock_period_toggle.xml, abc_alert_dialog_button_bar_material.xml, abc_screen_content_include.xml, btn_checkbox_unchecked_to_checked_mtrl_animation.xml, abc_seekbar_track_material.xml, $avd_hide_password__0.xml, btn_checkbox_to_checked_box_outer_merged_animation.xml, abc_action_menu_item_layout.xml, material_clock_period_toggle_land.xml, test_toolbar_custom_background.xml, info_background_border_focused.xml, design_fab_show_motion_spec.xml, abc_alert_dialog_title_material.xml, android	String found in binary or memory: http://schemas.android.com/apk/res/android
Source: MyriadPro-Regular.otf	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: MyriadPro-Regular.otf	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: MyriadPro-Regular.otf	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: gen_rules_portuguese.txt	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: MyriadPro-Regular.otf	String found in binary or memory: http://www.geotrust.com/resources/cps0(
Source: android	String found in binary or memory: https://CH-applinked.monetizeweb.io/frps/?get=1&cc=CH&pub=applinked&uid=4b107eea-62ff-4d03-8ce8-ec35
Source: android	String found in binary or memory: https://apis.cyberprotector.online/
Source: android	String found in binary or memory: https://apis.cyberprotector.online/...
Source: android	String found in binary or memory: https://apis.cyberprotector.online/applinked.php
Source: android	String found in binary or memory: https://app-measurement.com/a
Source: android	String found in binary or memory: https://applinked.monetizeweb.io/?regcc=1&pub=applinked&uid=4b107eea-62ff-4d03-8ce8-ec35279728ed&cid
Source: android	String found in binary or memory: https://applinked.store/version.php
Source: android	String found in binary or memory: https://firebase-settings.crashlytics.com/spi/v2/platforms/android/gmp/%s/settings
Source: android	String found in binary or memory: https://firebase-settings.crashlytics.com/spi/v2/platforms/android/gmp/1:139259126181:android:abbd90
Source: android	String found in binary or memory: https://firebase.google.com/support/guides/disable-analytics
Source: android	String found in binary or memory: https://firebase.google.com/support/privacy/init-options.
Source: android	String found in binary or memory: https://firebaseinstallations.googleapis.com/v1/projects/newapplinked/installations
Source: README.md	String found in binary or memory: https://github.com/jhy/jsoup/blob/master/src/main/java/org/jsoup/examples/Wikipedia.java).
Source: README.md	String found in binary or memory: https://github.com/jhy/jsoup/tree/master/src/main/java/org/jsoup).
Source: android	String found in binary or memory: https://goo.gl/J1sWQy
Source: android	String found in binary or memory: https://goo.gl/NAOOOI
Source: android	String found in binary or memory: https://goo.gl/NAOOOI.
Source: android	String found in binary or memory: https://google.com/search?
Source: README.md	String found in binary or memory: https://html.spec.whatwg.org/multipage/)
Source: README.md	String found in binary or memory: https://jsoup.org/)
Source: README.md	String found in binary or memory: https://jsoup.org/apidocs/).
Source: README.md	String found in binary or memory: https://jsoup.org/bugs)
Source: README.md	String found in binary or memory: https://jsoup.org/colophon)
Source: README.md	String found in binary or memory: https://jsoup.org/cookbook/)
Source: README.md	String found in binary or memory: https://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer)
Source: README.md	String found in binary or memory: https://jsoup.org/cookbook/extracting-data/selector-syntax)
Source: README.md	String found in binary or memory: https://jsoup.org/cookbook/input/parse-document-from-string)
Source: README.md	String found in binary or memory: https://jsoup.org/cookbook/modifying-data/set-html)
Source: README.md	String found in binary or memory: https://jsoup.org/discussion).
Source: README.md	String found in binary or memory: https://jsoup.org/download)
Source: README.md	String found in binary or memory: https://jsoup.org/license).
Source: android	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=gmob-apps
Source: android	String found in binary or memory: https://reports.crashlytics.com/sdk-api/v1/platforms/android/apps/%s/minidumps
Source: android	String found in binary or memory: https://reports.crashlytics.com/spi/v1/platforms/android/apps/%s/reports
Source: README.md	String found in binary or memory: https://travis-ci.org/jhy/jsoup)
Source: README.md	String found in binary or memory: https://travis-ci.org/jhy/jsoup.svg?branch=master)
Source: README.md	String found in binary or memory: https://try.jsoup.org/~LGB7rk_atM2roavV0d-czMt3J_g)
Source: android	String found in binary or memory: https://update.crashlytics.com/spi/v1/platforms/android/apps
Source: android	String found in binary or memory: https://update.crashlytics.com/spi/v1/platforms/android/apps/%s
Source: android	String found in binary or memory: https://www.google.com
Source: android	String found in binary or memory: https://www.google.com/
Source: android	String found in binary or memory: https://www.googleadservices.com/pagead/conversion/app/deeplink?id_type=adid&sdk_version=%s&rdid=%s&

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /c2dm/register3 HTTP/1.1Authorization: AidLogin 3976102378291501644:1184905049225720946app: com.google.android.gmsgcm_ver: 210214031User-Agent: Android-GCM/1.5 (x86 PI)content-length: 477content-type: application/x-www-form-urlencodedHost: android.clients.google.comConnection: Keep-AliveAccept-Encoding: gzip

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /version.php HTTP/1.1Accept-Encoding: gzipUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36Authorization: Basic cGFyYW5vaWQ6YW5kcm9pZA==Host: applinked.storeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /spi/v2/platforms/android/gmp/1:139259126181:android:abbd90bc22b546eda2084c/settings?instance=c68684cf435bedcc0ac07429bd69b9dee65d0f54&build_version=110&display_version=1.1.0&source=4 HTTP/1.1X-CRASHLYTICS-DEVELOPER-TOKEN: 470fa2b4ae81cd56ecbcda9735803434cec591faX-CRASHLYTICS-DEVICE-MODEL: samsung/Galaxy NexusX-CRASHLYTICS-INSTALLATION-ID: b819f8db0b884de6bb614519185d47dfX-CRASHLYTICS-OS-DISPLAY-VERSION: 9Accept: application/jsonX-CRASHLYTICS-API-CLIENT-VERSION: 18.1.0User-Agent: Crashlytics Android SDK/18.1.0X-CRASHLYTICS-API-CLIENT-TYPE: androidX-CRASHLYTICS-GOOGLE-APP-ID: 1:139259126181:android:abbd90bc22b546eda2084cX-CRASHLYTICS-OS-BUILD-VERSION: eng.lh.20200325.125308Host: firebase-settings.crashlytics.comConnection: Keep-AliveAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /applinked.php HTTP/1.1Host: apis.cyberprotector.onlineConnection: Keep-AliveAccept-Encoding: gzipUser-Agent: okhttp/4.9.1
Source: global traffic	HTTP traffic detected: GET /frps/?get=1&cc=CH&pub=applinked&uid=4b107eea-62ff-4d03-8ce8-ec35279728ed&ver=2.0.16 HTTP/1.1User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; VMware Virtual Platform Build/PI)Host: ch-applinked.monetizeweb.ioConnection: Keep-AliveAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /applinked.php HTTP/1.1Host: apis.cyberprotector.onlineConnection: Keep-AliveAccept-Encoding: gzipUser-Agent: okhttp/4.9.1

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 142.250.185.170:443 -> 192.168.2.30:34832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.24.190.42:443 -> 192.168.2.30:45398 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 217.160.10.227:443 -> 192.168.2.30:57338 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.67:443 -> 192.168.2.30:54584 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.39.15.132:443 -> 192.168.2.30:48608 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.24.190.42:443 -> 192.168.2.30:45408 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.39.15.132:443 -> 192.168.2.30:48620 version: TLS 1.2

E-Banking Fraud:

Has functionalty to add an overlay to other apps

Source: b.b.b.f;->z0:910	API Call: WindowManager.addView
Source: b.b.g.z0;->e:82	API Call: WindowManager.addView

Operating System Destruction:

Lists and deletes files in the same context

Source: c.d.c.l.h.k.g;->G:47	API Calls in same method context: File.listFiles,File.delete
Source: b.s.b;->s:421	API Calls in same method context: File.listFiles,File.delete
Source: c.b.a.l.c;->b:9	API Calls in same method context: File.listFiles,File.delete
Source: c.a.a.w.d;->f:135	API Calls in same method context: File.listFiles,File.delete
Source: b.s.a;->d:57	API Calls in same method context: File.listFiles,File.delete

Change of System Appearance:

May access the Android keyguard (lock screen)

Source: android

String found in binary or memory: keyguard

Acquires a wake lock

Source: b.o.a.a;->b:30	API Call: android.os.PowerManager$WakeLock.acquire
Source: b.e0.y.l.b.d;->f:88	API Call: android.os.PowerManager$WakeLock.acquire
Source: b.e0.y.l.b.e$a;->run:32	API Call: android.os.PowerManager$WakeLock.acquire
Source: b.e0.y.l.b.e;->l:108	API Call: android.os.PowerManager$WakeLock.acquire
Source: c.d.a.b.h.a;->a:68	API Call: android.os.PowerManager$WakeLock.acquire
Source: c.d.c.v.q0;->run:54	API Call: android.os.PowerManager$WakeLock.acquire
Source: c.d.c.v.v0;->run:52	API Call: android.os.PowerManager$WakeLock.acquire

System Summary:

APK is signed by a suspicious certificate

Source: APK Certificate

APK Parser: C=US,O=Android,CN=Android Debug C=US,O=Android,CN=Android Debug

Requests potentially dangerous permissions

Source: submitted apk	Request permission: android.permission.ACCESS_COARSE_LOCATION
Source: submitted apk	Request permission: android.permission.CHANGE_NETWORK_STATE
Source: submitted apk	Request permission: android.permission.CHANGE_WIFI_STATE
Source: submitted apk	Request permission: android.permission.INTERNET
Source: submitted apk	Request permission: android.permission.WAKE_LOCK
Source: submitted apk	Request permission: android.permission.WRITE_EXTERNAL_STORAGE

Kills/terminates processes

Source: com.jakewharton.processphoenix.ProcessPhoenix;->onCreate:6

API Call: android.os.Process.killProcess

Executes native commands

Source: c.g.a.f$a;->run:11	API Call: java.lang.ProcessBuilder.start
Source: c.g.a.h;->k:437	API Call: java.lang.Runtime.exec ("logcat -d ")

Reads shares settings

Source: c.d.c.l.h.m.d;->n:73	API Call: "existing_instance_identifier":
Source: c.d.c.l.h.g.y;->f:59	API Call: "firebase.installation.id": null
Source: c.d.c.v.o0;->d:16	API Call: "topic_operation_queue":
Source: c.d.c.t.q.b;->g:58	API Call: "|S|id": null
Source: c.d.c.v.p0;->d:43	API Call: "|T|139259126181|*": null
Source: c.d.c.t.q.b;->h:62	API Call: "|S||P|": null
Source: c.g.a.c;->a:6	API Call: "libra.publisher": null
Source: c.g.a.c;->a:6	API Call: "libra.countryid": null
Source: c.g.a.c;->a:6	API Call: "libra.uuid": null
Source: com.i4apps.newapplinked.MainActivity;->onCreate:187	API Call: "DEFAULTCODES": null
Source: c.d.a.b.g.b.e4;->t:106	API Call: "consent_settings": G1
Source: c.g.a.c;->b:8	API Call: "libra.publisher": applinked
Source: c.g.a.c;->b:8	API Call: "libra.countryid": CH
Source: c.g.a.c;->b:8	API Call: "libra.uuid": 4b107eea-62ff-4d03-8ce8-ec35279728ed
Source: c.g.a.c;->a:6	API Call: "libra.uuid": 4b107eea-62ff-4d03-8ce8-ec35279728ed
Source: c.g.a.c;->a:6	API Call: "libra.countryid": CH
Source: c.d.a.b.g.b.x4;->y:553	API Call: "gmp_app_id": null
Source: c.d.a.b.g.b.x4;->y:560	API Call: "admob_app_id": null
Source: c.d.a.b.g.b.d4;->a:6	API Call: "app_instance_id": null
Source: c.d.a.b.g.b.d4;->a:6	API Call: "firebase_feature_rollouts": null
Source: c.d.a.b.g.b.a7;->u:1095	API Call: "previous_os_version": null
Source: c.d.a.b.g.b.z3;->a:9	API Call: "default_event_parameters": null
Source: c.d.a.b.a.a.c;->c:19	API Call: "gads:ad_id_use_shared_preference:experiment_id":
Source: c.d.a.b.a.a.c;->a:9	API Call: android.content.SharedPreferences.getBoolean
Source: c.g.a.c;->e:12	API Call: android.content.SharedPreferences.getBoolean
Source: c.d.a.b.g.b.a7;->W:537	API Call: android.content.SharedPreferences.getBoolean
Source: c.d.a.b.g.b.b4;->b:53	API Call: android.content.SharedPreferences.getString
Source: c.d.a.b.g.b.e4;->j:39	API Call: android.content.SharedPreferences.getBoolean
Source: c.d.a.b.g.b.e4;->r:96	API Call: android.content.SharedPreferences.getBoolean
Source: c.d.a.b.g.b.i3;->o:281	API Call: android.content.SharedPreferences.getBoolean
Source: c.d.a.b.g.b.p8;->r:292	API Call: android.content.SharedPreferences.getBoolean
Source: c.d.a.b.g.b.y3;->a:6	API Call: android.content.SharedPreferences.getBoolean
Source: c.d.c.l.h.g.u;->b:32	API Call: android.content.SharedPreferences.getBoolean
Source: c.d.c.l.h.g.y;->l:115	API Call: android.content.SharedPreferences.getString
Source: com.google.firebase.messaging.FirebaseMessaging$a;->d:23	API Call: android.content.SharedPreferences.getBoolean
Source: b.e0.y.p.e;->b:10	API Call: android.content.SharedPreferences.getBoolean
Source: c.d.c.t.q.b;->i:70	API Call: android.content.SharedPreferences.getString
Source: c.d.c.u.a;->c:15	API Call: android.content.SharedPreferences.getBoolean
Source: c.d.c.v.e0;->a:16	API Call: android.content.SharedPreferences.getBoolean

Creates SQLiteDatabase table

Source: c.d.a.a.j.y.k.h0;->I:16	API Call: android.database.sqlite.SQLiteDatabase.execSQL
Source: c.d.a.a.j.y.k.h0;->N:30	API Call: android.database.sqlite.SQLiteDatabase.execSQL
Source: c.g.a.d;->onCreate:13	API Call: android.database.sqlite.SQLiteDatabase.execSQL

Classification label

Source: classification engine

Classification label: mal68.spyw.evad.andAPK@0/256@0/0

Found detection on Joe Sandbox Cloud Basic with higher score

Source: applinked.apk

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Data Obfuscation:

Obfuscates method names

Source: applinked.apk

Total valid method names: 19%

Found very long method strings

Source: Lc/d/a/b/c/w;->P()[B

Method string: 0\u0082\u0004\u00a80\u0082\u0003\u0090\u00a0\u0003\u0002\u0001\u0002\u0002\t\u0000\u00d5\u0085\u00b8l}\u00d3N\u00f50\r\u0006\t*\u0086H\u0086\u00f7\r\u0001\u0001\u0004\u0005\u00000\u0081\u00941\u000b0\t\u0006\u0003U\u0004\u0006\u0013\u0002US1\u00130\u0011\ Length: 4395

Uses reflection

Source: com.google.android.gms.dynamite.DynamiteModule;->a:28	API Call: Real call: public static final java.lang.String com.google.android.gms.dynamite.descriptors.com.google.android.gms.measurement.dynamite.ModuleDescriptor.MODULE_ID
Source: com.google.android.gms.dynamite.DynamiteModule;->e:143	API Call: Real call: public static java.lang.ClassLoader com.google.android.gms.dynamite.DynamiteModule$DynamiteLoaderClassLoader.sClassLoader
Source: b.z.a;->d:16	API Call: Real call: public static boolean android.os.Trace.isTagEnabled(long)
Source: b.b.g.b1;->c:22	API Call: androidx.appcompat.widget.FitWindowsLinearLayout.makeOptionalFitsSystemWindows
Source: b.b.g.b1;->c:22	API Call: Real call: public void android.view.ViewGroup.makeOptionalFitsSystemWindows()
Source: g.h0.j.i.h;->a:6	API Call: Real call: null
Source: g.h0.j.i.h;->a:6	API Call: Real call: public static dalvik.system.CloseGuard dalvik.system.CloseGuard.get()
Source: g.h0.j.i.h;->a:9	API Call: dalvik.system.CloseGuard.open
Source: g.h0.j.i.h;->a:9	API Call: Real call: public void dalvik.system.CloseGuard.open(java.lang.String)
Source: g.h0.j.i.f;->d:46	API Call: com.android.org.conscrypt.OpenSSLSocketImpl.setUseSessionTickets
Source: g.h0.j.i.f;->d:46	API Call: Real call: public abstract void com.android.org.conscrypt.OpenSSLSocketImpl.setUseSessionTickets(boolean)
Source: g.h0.j.i.f;->d:48	API Call: com.android.org.conscrypt.OpenSSLSocketImpl.setHostname
Source: g.h0.j.i.f;->d:48	API Call: Real call: public void com.android.org.conscrypt.OpenSSLSocketImpl.setHostname(java.lang.String)
Source: g.h0.j.i.f;->d:52	API Call: com.android.org.conscrypt.OpenSSLSocketImpl.setAlpnProtocols
Source: g.h0.j.i.f;->d:52	API Call: Real call: public final void com.android.org.conscrypt.OpenSSLSocketImpl.setAlpnProtocols(byte[])
Source: g.h0.j.i.f;->b:27	API Call: com.android.org.conscrypt.OpenSSLSocketImpl.getAlpnSelectedProtocol
Source: g.h0.j.i.f;->b:27	API Call: Real call: public final byte[] com.android.org.conscrypt.OpenSSLSocketImpl.getAlpnSelectedProtocol()
Source: c.d.a.b.g.b.f;->D:25	API Call: Real call: public static java.lang.String android.os.SystemProperties.get(java.lang.String,java.lang.String)
Source: c.d.a.b.g.b.i3;->o:253	API Call: Real call: null
Source: c.d.a.b.g.b.i3;->o:253	API Call: Real call: public static com.google.firebase.analytics.FirebaseAnalytics com.google.firebase.analytics.FirebaseAnalytics.getInstance(android.content.Context)
Source: c.d.a.b.g.b.i3;->o:256	API Call: com.google.firebase.analytics.FirebaseAnalytics.getFirebaseInstanceId
Source: c.d.a.b.g.b.i3;->o:256	API Call: Real call: public java.lang.String com.google.firebase.analytics.FirebaseAnalytics.getFirebaseInstanceId()
Source: c.d.a.b.f.e.m4;->O:68	API Call: Real call: java.lang.reflect.Field@fcb1899
Source: c.d.a.b.f.e.m4;->O:68	API Call: Real call: java.lang.reflect.Field@dc7373f
Source: b.a0.b0;->e:15	API Call: java.lang.reflect.Method.invoke
Source: androidx.activity.ImmLeaksCleaner;->d:17	API Call: java.lang.reflect.Field.get
Source: androidx.activity.ImmLeaksCleaner;->d:19	API Call: java.lang.reflect.Field.get
Source: b.h.b.b$c;->run:7	API Call: java.lang.reflect.Method.invoke
Source: b.h.b.b$c;->run:12	API Call: java.lang.reflect.Method.invoke
Source: b.h.b.b;->h:32	API Call: java.lang.reflect.Field.get
Source: b.h.b.b;->h:35	API Call: java.lang.reflect.Field.get
Source: b.h.b.b;->i:48	API Call: java.lang.reflect.Field.get
Source: b.h.b.b;->i:50	API Call: java.lang.reflect.Field.get
Source: b.h.b.b;->i:63	API Call: java.lang.reflect.Method.invoke
Source: b.b.b.h$a;->onClick:40	API Call: java.lang.reflect.Method.invoke
Source: b.b.b.j;->b:11	API Call: java.lang.reflect.Field.get
Source: b.b.b.j;->c:22	API Call: java.lang.reflect.Field.get
Source: b.b.b.j;->d:33	API Call: java.lang.reflect.Field.get
Source: b.b.b.j;->d:43	API Call: java.lang.reflect.Field.get
Source: b.b.b.j;->e:59	API Call: java.lang.reflect.Field.get
Source: c.d.a.b.g.b.a7;->Z:577	API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.g.b.f;->j:52	API Call: java.lang.reflect.Method.invoke
Source: b.h.c.c.f$b$a;->a:10	API Call: java.lang.reflect.Method.invoke
Source: b.f.c.a;->a:27	API Call: java.lang.reflect.Method.invoke
Source: b.f.c.a;->c:96	API Call: java.lang.reflect.Method.invoke
Source: b.f.c.a;->c:100	API Call: java.lang.reflect.Method.invoke
Source: b.f.c.a;->c:103	API Call: java.lang.reflect.Method.invoke
Source: b.f.c.a;->c:107	API Call: java.lang.reflect.Method.invoke
Source: b.f.c.a;->c:111	API Call: java.lang.reflect.Method.invoke
Source: b.f.c.a;->c:115	API Call: java.lang.reflect.Method.invoke
Source: b.f.c.a;->c:119	API Call: java.lang.reflect.Method.invoke
Source: b.c0.a;->K:14	API Call: java.lang.reflect.Method.invoke
Source: b.c0.a;->n:83	API Call: java.lang.reflect.Method.invoke
Source: com.google.android.material.chip.Chip;->m:254	API Call: java.lang.reflect.Field.get
Source: com.google.android.material.chip.Chip;->m:262	API Call: java.lang.reflect.Method.invoke
Source: b.h.d.e;->k:6	API Call: java.lang.reflect.Method.invoke
Source: b.h.d.e;->l:14	API Call: java.lang.reflect.Method.invoke
Source: b.h.d.f;->k:21	API Call: java.lang.reflect.Method.invoke
Source: b.h.d.f;->l:27	API Call: java.lang.reflect.Method.invoke
Source: b.h.d.h;->l:9	API Call: java.lang.reflect.Method.invoke
Source: b.h.d.g;->l:79	API Call: java.lang.reflect.Method.invoke
Source: b.h.d.g;->p:81	API Call: java.lang.reflect.Method.invoke
Source: b.h.d.g;->q:89	API Call: java.lang.reflect.Method.invoke
Source: b.h.d.g;->r:95	API Call: java.lang.reflect.Method.invoke
Source: b.h.d.j;->j:11	API Call: java.lang.reflect.Field.get
Source: b.h.d.g;->s:98	API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.d.b;->N:9	API Call: java.lang.reflect.Field.get
Source: c.d.a.b.f.d.y;-><clinit>:5	API Call: java.lang.reflect.Field.get
Source: androidx.core.graphics.drawable.IconCompat;->e:39	API Call: java.lang.reflect.Method.invoke
Source: androidx.core.graphics.drawable.IconCompat;->g:50	API Call: java.lang.reflect.Method.invoke
Source: androidx.core.graphics.drawable.IconCompat;->i:60	API Call: java.lang.reflect.Method.invoke
Source: androidx.core.graphics.drawable.IconCompat;->k:83	API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.dynamite.DynamiteModule;->a:30	API Call: java.lang.reflect.Field.get
Source: c.d.a.b.f.e.eb;->a:4	API Call: java.lang.reflect.Field.get
Source: c.d.a.b.f.e.f7;-><clinit>:5	API Call: java.lang.reflect.Field.get
Source: c.d.a.b.f.e.p8;->b:49	API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.f.e.q9;-><init>:8	API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.f.e.v0;->a:19	API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.f.e.v0;->a:29	API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.f.e.v8;->j:5	API Call: java.lang.reflect.Method.invoke
Source: b.b.f.g$a;->onMenuItemClick:21	API Call: java.lang.reflect.Method.invoke
Source: b.b.f.g$a;->onMenuItemClick:25	API Call: java.lang.reflect.Method.invoke
Source: b.b.g.b1;->a:10	API Call: java.lang.reflect.Method.invoke
Source: b.b.g.h0;->N:55	API Call: java.lang.reflect.Method.invoke
Source: b.b.g.h0;->f:117	API Call: java.lang.reflect.Method.invoke
Source: b.b.g.h0;->u:230	API Call: java.lang.reflect.Method.invoke
Source: b.b.g.j0;->U:15	API Call: java.lang.reflect.Method.invoke
Source: b.b.g.z;->o:25	API Call: java.lang.reflect.Method.invoke
Source: b.b.g.z;->u:242	API Call: java.lang.reflect.Method.invoke
Source: g.h0.j.i.h;->b:12	API Call: java.lang.reflect.Method.invoke
Source: b.b.f.j.j;->h:58	API Call: java.lang.reflect.Method.invoke
Source: g.h0.j.b$b;->a:10	API Call: java.lang.reflect.Method.invoke
Source: g.h0.j.e$a;->invoke:44	API Call: java.lang.reflect.Method.invoke
Source: g.h0.j.e;->b:17	API Call: java.lang.reflect.Method.invoke
Source: g.h0.j.e;->e:33	API Call: java.lang.reflect.Method.invoke
Source: g.h0.j.e;->g:40	API Call: java.lang.reflect.Method.invoke
Source: b.h.l.d0$a;->a:23	API Call: java.lang.reflect.Field.get
Source: b.h.l.d0$a;->a:25	API Call: java.lang.reflect.Field.get
Source: b.h.l.d0$a;->a:27	API Call: java.lang.reflect.Field.get
Source: b.h.l.d0$c;->e:11	API Call: java.lang.reflect.Field.get
Source: b.h.l.d0$g;->q:67	API Call: java.lang.reflect.Method.invoke
Source: b.h.l.d0$g;->q:72	API Call: java.lang.reflect.Field.get
Source: b.h.l.d0$g;->q:74	API Call: java.lang.reflect.Field.get
Source: b.h.l.f;->a:5	API Call: java.lang.reflect.Method.invoke
Source: b.h.l.f;->f:37	API Call: java.lang.reflect.Field.get
Source: b.h.l.w;->a:7	API Call: java.lang.reflect.Method.invoke
Source: b.h.l.v;->n:235	API Call: java.lang.reflect.Field.get
Source: b.h.d.l.a;->f:24	API Call: java.lang.reflect.Method.invoke
Source: b.h.d.l.a;->m:45	API Call: java.lang.reflect.Method.invoke
Source: b.h.d.l.e;->isProjected:18	API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.c.l.p;->d:38	API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.c.l.p;->f:47	API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.c.l.p;->g:56	API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.c.l.p;->g:60	API Call: java.lang.reflect.Method.invoke
Source: b.h.m.c;->a:9	API Call: java.lang.reflect.Field.get
Source: b.h.m.h;->b:20	API Call: java.lang.reflect.Method.invoke
Source: b.h.m.i$a;->f:54	API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.measurement.AppMeasurement;->getInstance:11	API Call: java.lang.reflect.Method.invoke
Source: f.n.a;->a:7	API Call: java.lang.reflect.Method.invoke
Source: c.d.d.w.n.i$a;->b:7	API Call: java.lang.reflect.Field.get
Source: c.d.d.w.n.i$a;->c:16	API Call: java.lang.reflect.Field.get
Source: c.d.d.w.o.c;->d:11	API Call: java.lang.reflect.Field.get
Source: c.d.d.w.o.c;->e:29	API Call: java.lang.reflect.Method.invoke
Source: c.d.d.w.o.c;->e:39	API Call: java.lang.reflect.Method.invoke
Source: b.e0.y.p.f;->a:11	API Call: java.lang.reflect.Method.invoke
Source: b.p.a$b;->a:4	API Call: java.lang.reflect.Method.invoke
Source: b.p.a$b;->a:6	API Call: java.lang.reflect.Method.invoke
Source: b.p.a$b;->a:8	API Call: java.lang.reflect.Method.invoke
Source: b.s.a$a;->a:3	API Call: java.lang.reflect.Field.get
Source: b.s.a$a;->a:18	API Call: java.lang.reflect.Field.get
Source: b.s.a$a;->b:32	API Call: java.lang.reflect.Method.invoke
Source: b.s.a;->f:113	API Call: java.lang.reflect.Field.get
Source: c.d.d.w.m$a;->c:5	API Call: java.lang.reflect.Method.invoke
Source: c.d.d.w.m$b;->c:5	API Call: java.lang.reflect.Method.invoke
Source: c.d.d.w.m$c;->c:4	API Call: java.lang.reflect.Method.invoke
Source: c.d.d.w.m;->b:25	API Call: java.lang.reflect.Field.get
Source: c.d.d.w.m;->b:32	API Call: java.lang.reflect.Method.invoke
Source: androidx.appcompat.widget.SearchView$n;->a:17	API Call: java.lang.reflect.Method.invoke
Source: androidx.appcompat.widget.SearchView$n;->b:20	API Call: java.lang.reflect.Method.invoke
Source: androidx.appcompat.widget.SearchView$n;->c:24	API Call: java.lang.reflect.Method.invoke
Source: b.z.a;->e:26	API Call: java.lang.reflect.Method.invoke

Persistence and Installation Behavior:

Sets an intent to the APK data type (used to install other APKs)

Source: c.e.a.b.b;->a:10

API Call: android.content.Intent.setDataAndType(n/a,"application/vnd.android.package-archive")

Creates files

Source: c.d.c.l.h.m.a;->c:31

API Call: java.io.FileWriter.<init>

Boot Survival:

Starts/registers a service/receiver on phone boot (autostart)

Source: com.libravpn.libravpn.BootupReceiver;->onReceive:19	API Call: android.content.Context.startService (not executed)
Source: androidx.work.impl.background.systemalarm.RescheduleReceiver;->onReceive:17	API Call: android.content.Context.startService (not executed)

Installs a new wake lock (to get activate on phone screen on)

Source: b.o.a.a;->b:28	API Call: android.os.PowerManager.newWakeLock
Source: c.d.a.b.h.a;-><init>:26	API Call: android.os.PowerManager.newWakeLock
Source: b.e0.y.p.j;->b:26	API Call: android.os.PowerManager.newWakeLock
Source: c.d.c.v.q0;-><init>:11	API Call: android.os.PowerManager.newWakeLock
Source: c.d.c.v.v0;-><init>:6	API Call: android.os.PowerManager.newWakeLock

Has permission to execute code after phone reboot

Source: submitted apk

Request permission: android.permission.RECEIVE_BOOT_COMPLETED

Hooking and other Techniques for Hiding and Protection:

Queries list of running processes/tasks

Source: c.d.c.l.h.g.l;->j:67	API Call: android.app.ActivityManager.getRunningAppProcesses
Source: b.e0.y.p.f;->a:19	API Call: android.app.ActivityManager.getRunningAppProcesses
Source: c.d.c.v.c;->b:23	API Call: android.app.ActivityManager.getRunningAppProcesses

Uses Crypto APIs

Source: c.d.c.l.h.g.l;->u:146	API Call: java.security.MessageDigest.getInstance
Source: c.d.c.l.h.g.l;->u:147	API Call: java.security.MessageDigest.update
Source: c.d.c.l.h.g.l;->t:145	API Call: java.security.MessageDigest.digest
Source: c.d.c.l.h.g.l;->u:147	API Call: java.security.MessageDigest.update
Source: c.d.c.l.h.g.l;->t:145	API Call: java.security.MessageDigest.digest
Source: c.d.c.v.a0;->c:18	API Call: java.security.MessageDigest.getInstance
Source: c.d.c.v.a0;->h:86	API Call: java.security.MessageDigest.digest
Source: c.d.a.b.c.l.a;->b:9	API Call: java.security.MessageDigest.getInstance
Source: c.d.c.t.r.c;->f:181	API Call: java.security.MessageDigest.digest
Source: c.d.a.b.g.b.aa;->B:8	API Call: java.security.MessageDigest.getInstance
Source: c.d.a.b.g.b.i3;->o:215	API Call: java.security.MessageDigest.digest
Source: c.d.a.b.g.b.q8;->o:65	API Call: java.security.MessageDigest.digest
Source: c.d.a.b.g.b.q8;->o:65	API Call: java.security.MessageDigest.digest
Source: c.d.a.b.g.b.q8;->o:65	API Call: java.security.MessageDigest.digest
Source: c.d.a.b.g.b.q8;->o:65	API Call: java.security.MessageDigest.digest
Source: c.d.a.b.g.b.v9;->H:329	API Call: java.security.MessageDigest.digest
Source: c.d.a.b.g.b.q8;->o:65	API Call: java.security.MessageDigest.digest
Source: c.d.a.b.g.b.v9;->H:329	API Call: java.security.MessageDigest.digest
Source: c.d.a.b.g.b.q8;->o:65	API Call: java.security.MessageDigest.digest
Source: c.d.a.b.g.b.q8;->o:65	API Call: java.security.MessageDigest.digest
Source: c.d.a.b.g.b.q8;->o:65	API Call: java.security.MessageDigest.digest
Source: c.d.a.b.g.b.v9;->H:329	API Call: java.security.MessageDigest.digest
Source: c.d.a.b.g.b.q8;->o:65	API Call: java.security.MessageDigest.digest
Source: c.g.a.h;->a:24	API Call: java.security.MessageDigest.getInstance
Source: c.g.a.h;->a:27	API Call: java.security.MessageDigest.digest
Source: c.b.a.n.o.b0.j$a;->b:4	API Call: java.security.MessageDigest.getInstance
Source: c.b.a.n.o.b0.j;->a:11	API Call: java.security.MessageDigest.digest
Source: c.d.a.b.c.z;->e:11	API Call: java.security.MessageDigest.digest
Source: c.b.a.n.q.d.b0$a;->b:4	API Call: java.security.MessageDigest.update
Source: c.b.a.n.q.d.b0$a;->b:12	API Call: java.security.MessageDigest.update
Source: c.b.a.n.q.d.b0$b;->b:4	API Call: java.security.MessageDigest.update
Source: c.b.a.n.q.d.b0$b;->b:12	API Call: java.security.MessageDigest.update
Source: c.b.a.n.q.d.i;->a:6	API Call: java.security.MessageDigest.update
Source: c.b.a.n.q.d.j;->a:6	API Call: java.security.MessageDigest.update
Source: c.b.a.n.q.d.q;->a:6	API Call: java.security.MessageDigest.update
Source: c.d.c.l.h.g.l;->u:148	API Call: java.security.MessageDigest.digest
Source: h.h;->g:23	API Call: java.security.MessageDigest.getInstance
Source: h.h;->g:25	API Call: java.security.MessageDigest.digest
Source: h.x;->g:26	API Call: java.security.MessageDigest.getInstance
Source: h.x;->g:31	API Call: java.security.MessageDigest.update
Source: h.x;->g:32	API Call: java.security.MessageDigest.digest
Source: c.d.a.b.c.l.a;->a:8	API Call: java.security.MessageDigest.digest
Source: c.b.a.n.o.x;->a:13	API Call: java.security.MessageDigest.update
Source: c.b.a.n.o.x;->a:19	API Call: java.security.MessageDigest.update
Source: c.b.a.n.p.g;->a:12	API Call: java.security.MessageDigest.update
Source: c.d.c.t.q.b;->c:23	API Call: java.security.MessageDigest.getInstance
Source: c.d.c.t.q.b;->c:24	API Call: java.security.MessageDigest.digest
Source: c.b.a.s.b;->a:7	API Call: java.security.MessageDigest.update
Source: c.d.c.v.a0;->c:20	API Call: java.security.MessageDigest.digest

Malware Analysis System Evasion:

Executes logcat command

Source: c.g.a.h;->k:437

API Call: java.lang.Runtime.exec ("logcat -d ")

Accesses /proc

Source: Lc/d/c/l/h/g/l;->s()J	Method string: "/proc/meminfo"
Source: Lc/d/a/b/c/l/m;->b(I)Ljava/lang/String;	Method string: "/proc/"

Accesses android OS build fields

Source: com.google.firebase.FirebaseCommonRegistrar;->getComponents:45	Field Access: android.os.Build.PRODUCT
Source: com.google.firebase.FirebaseCommonRegistrar;->getComponents:50	Field Access: android.os.Build.DEVICE
Source: com.google.firebase.FirebaseCommonRegistrar;->getComponents:55	Field Access: android.os.Build.BRAND
Source: c.d.c.l.h.m.d;->j:23	Field Access: android.os.Build.MANUFACTURER
Source: c.d.c.l.h.m.d;->j:23	Field Access: android.os.Build.MODEL
Source: c.d.a.b.f.e.d6;->a:5	Field Access: android.os.Build.TYPE
Source: c.d.a.b.f.e.d6;->a:6	Field Access: android.os.Build.TAGS
Source: c.d.c.l.h.g.l;->y:175	Field Access: android.os.Build.PRODUCT
Source: b.b.b.f;-><clinit>:2	Field Access: android.os.Build.FINGERPRINT
Source: c.d.c.l.h.g.n;->S:224	Field Access: android.os.Build.TAGS
Source: c.d.c.l.h.g.l;->l:81	Field Access: android.os.Build.CPU_ABI
Source: c.d.c.l.h.g.n;->R:215	Field Access: android.os.Build.PRODUCT
Source: c.d.c.l.h.g.l;->m:83	Field Access: android.os.Build.PRODUCT
Source: c.d.c.l.h.g.l;->m:84	Field Access: android.os.Build.TAGS
Source: c.d.c.l.h.g.l;->x:167	Field Access: android.os.Build.PRODUCT
Source: c.d.c.l.h.g.l;->y:176	Field Access: android.os.Build.TAGS
Source: c.d.c.l.h.g.q;->d:22	Field Access: android.os.Build.CPU_ABI
Source: c.d.c.l.h.g.q;->p:205	Field Access: android.os.Build.MANUFACTURER
Source: c.d.c.l.h.g.q;->p:206	Field Access: android.os.Build.PRODUCT
Source: c.d.c.l.h.g.q;->p:209	Field Access: android.os.Build.MODEL
Source: c.d.a.b.g.b.t9;->j0:2642	Field Access: android.os.Build.MODEL
Source: c.d.a.b.g.b.t9;->j0:2647	Field Access: android.os.Build$VERSION.RELEASE
Source: c.b.a.n.q.d.r;->g:33	Field Access: android.os.Build.MODEL
Source: c.b.a.n.q.d.r;->h:57	Field Access: android.os.Build.MODEL
Source: c.b.a.n.q.d.z;-><clinit>:34	Field Access: android.os.Build.MODEL
Source: c.d.c.l.h.g.l$a;->e:31	Field Access: android.os.Build.CPU_ABI
Source: c.d.c.l.h.g.n;->R:209	Field Access: android.os.Build.MODEL
Source: c.d.c.l.h.g.n;->R:217	Field Access: android.os.Build.MANUFACTURER
Source: c.d.c.l.h.g.n;->R:218	Field Access: android.os.Build.PRODUCT
Source: c.d.c.l.h.g.n;->S:221	Field Access: android.os.Build$VERSION.RELEASE
Source: c.d.c.l.h.g.y;->h:104	Field Access: android.os.Build.MANUFACTURER
Source: c.d.c.l.h.g.y;->h:106	Field Access: android.os.Build.MODEL
Source: c.d.c.l.h.g.y;->j:112	Field Access: android.os.Build$VERSION.RELEASE
Source: c.d.a.a.i.d;->a:52	Field Access: android.os.Build.MODEL
Source: c.d.a.a.i.d;->a:58	Field Access: android.os.Build.DEVICE
Source: c.d.a.a.i.d;->a:61	Field Access: android.os.Build.PRODUCT
Source: c.d.a.a.i.d;->a:64	Field Access: android.os.Build.ID
Source: c.d.a.a.i.d;->a:67	Field Access: android.os.Build.MANUFACTURER
Source: c.d.a.a.i.d;->a:70	Field Access: android.os.Build.FINGERPRINT
Source: c.d.a.b.c.l.i;->b:9	Field Access: android.os.Build.TYPE
Source: c.d.a.c.r.e;->a:1	Field Access: android.os.Build.MANUFACTURER

Queries several sensitive phone informations

Source: Lc/d/c/l/h/i/a$h;-><clinit>()V	Method string: "os"
Source: Lc/d/a/b/f/e/n4;->Z(Lc/d/a/b/f/e/n4;)V	Method string: "android"
Source: Lg/u;->b(Ljava/security/cert/Certificate;)Ljava/lang/String;	Method string: "type"
Source: Lc/d/a/b/c/c;->toString()Ljava/lang/String;	Method string: "version"
Source: Lc/d/c/l/h/i/a$g;-><clinit>()V	Method string: "manufacturer"
Source: Lc/d/a/a/i/d;->h(Landroid/content/Context;)Landroid/telephony/TelephonyManager;	Method string: "phone"
Source: Lc/d/c/t/r/c;->b(Ljava/lang/String;Ljava/lang/String;)Lorg/json/JSONObject;	Method string: "appid"
Source: Lc/d/c/l/h/i/a$g;-><clinit>()V	Method string: "model"
Source: Li/b/j/h;-><clinit>()V	Method string: "time"
Source: Lc/d/c/q/f$a;-><clinit>()V	Method string: "sdk"

Queries the unique operating system id (ANDROID_ID)

Source: c.g.a.h;->j:410

API Call: android.provider.Settings$Secure.getString

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: android

Binary or memory string: VMware Virtual Platform

Anti Debugging:

Checks if debugger is running

Source: c.d.c.l.h.g.l;->w:162

API Call: android.os.Debug.isDebuggerConnected

Language, Device and Operating System Detection:

Queries the SIM provider numeric MCC+MNC (mobile country code + mobile network code)

Source: c.d.a.a.i.d;->a:92

API Call: android.telephony.TelephonyManager.getSimOperator

Checks if phone is rooted (checks for Superuser.apk)

Source: c.d.c.l.h.g.n;->S:224	API Call: java.io.File.<init>("/system/app/Superuser.apk")
Source: c.d.c.l.h.g.l;->m:84	API Call: java.io.File.<init>("/system/app/Superuser.apk")
Source: c.d.c.l.h.g.l;->y:180	API Call: java.io.File.<init>("/system/app/Superuser.apk")

Checks if phone is rooted (checks for test-keys build tags)

Source: c.d.a.b.f.e.d6;->a:14	API Call: java.lang.String.contains("test-keys")
Source: c.d.c.l.h.g.l;->y:178	API Call: java.lang.String.contains("test-keys")

Stealing of Sensitive Information:

Uploads sensitive phone information to the internet (privacy leak)

Source: 192.168.2.30:54584 -> 142.250.185.67:443

HTTP traffic detected: Header contains sensitive information: Galaxy Nexus (android.os.Build.TAGS)

Reads logcat

Source: c.g.a.h;->k:442

API Call: java.io.BufferedReader.readLine

Queries a list of installed applications

Source: c.g.a.h;->callHandler:167

API Call: android.content.pm.PackageManager.queryIntentActivities

Has permission to query the current location

Source: submitted apk

Request permission: android.permission.ACCESS_COARSE_LOCATION

Remote Access Functionality:

Found suspicious command strings (may be related to BOT commands)

Source: Landroidx/recyclerview/widget/RecyclerView$u;->C(Landroidx/recyclerview/widget/RecyclerView$c0;)V	Method string: "trying to recycle an ignored view holder. you should first call stopignoringview(view) before calling recycle."
Source: Landroidx/recyclerview/widget/GridLayoutManager;->G2(Z)V	Method string: "gridlayoutmanager does not support stack from end. consider using reverse layout"
Source: Lc/d/a/b/g/b/v5;-><clinit>()V	Method string: "app_update"
Source: Landroidx/recyclerview/widget/RecyclerView$u;->C(Landroidx/recyclerview/widget/RecyclerView$c0;)V	Instruction: "const-string v2, "trying to recycle an ignored view holder. you should first call stopignoringview(view) before calling recycle.""
Source: Lb/n/c/e;->E(Z)V	Instruction: ".param p1, "reversedflow" # z"
Source: Lc/d/a/b/g/b/v5;-><clinit>()V	Instruction: "const-string v15, "app_update""