Android Analysis Report applinked.apk

Overview

General Information

Sample Name: applinked.apk
Analysis ID: 514647
MD5: 41911bc2ace1b103171a0e04d47f8cd5
SHA1: 0c01cdcb40fb0ddf79a5fae64be294f9bb233cf5
SHA256: 286b7813276bd817ae15dcad1b458de4670d814deff3ad1d4e465c35c77707ec
Tags: apk

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
APK is signed by a suspicious certificate
Antivirus / Scanner detection for submitted sample
Uploads sensitive phone information to the internet (privacy leak)
Executes logcat command
Queries the SIM provider numeric MCC+MNC (mobile country code + mobile network code)
Queries list of running processes/tasks
Starts/registers a service/receiver on phone boot (autostart)
Checks if phone is rooted (checks for Superuser.apk)
Obfuscates method names
Installs a new wake lock (to keep the phone screen on)
Found suspicious command strings (may be related to BOT commands)
Checks whether an internet connection is available
Reads logcat
Found very long method strings
Requests potentially dangerous permissions
Requests root access
Checks if phone is rooted (checks for test-keys build tags)
Queries the phone's location (GPS)
Opens an internet connection
May access the Android keyguard (lock screen)
Checks if debugger is running
Lists and deletes files in the same context
Queries a list of installed applications
Detected TCP or UDP traffic on non-standard ports
Has functionality to add an overlay to other apps
Accesses /proc
Kills/terminates processes
Accesses android OS build fields
Executes native commands
Has permission to change the WIFI configuration including connecting and disconnecting
Performs DNS lookups (Java API)
Queries several kinds of sensitive phone information
Queries the unique operating system id (ANDROID_ID)
Sets an intent to the APK data type (used to install other APKs)
Has permission to execute code after phone reboot
Uses reflection

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: applinked.apk ReversingLabs: Detection: 25%
Antivirus / Scanner detection for submitted sample
Source: applinked.apk Avira: detected

Location Tracking:

Queries the phone's location (GPS)
Source: b.b.b.l;->c:24 API Call: android.location.LocationManager.getLastKnownLocation
Source: b.b.b.l;->f:42 API Call: android.location.Location.getLatitude
Source: b.b.b.l;->f:43 API Call: android.location.Location.getLongitude
Source: b.b.b.l;->f:45 API Call: android.location.Location.getLatitude
Source: b.b.b.l;->f:46 API Call: android.location.Location.getLongitude
Source: b.b.b.l;->f:48 API Call: android.location.Location.getLatitude
Source: b.b.b.l;->f:49 API Call: android.location.Location.getLongitude

Privilege Escalation:

Requests root access
Source: Lc/d/c/l/h/g/l;->y(Landroid/content/Context;)Z Method string: "/system/xbin/su"
Source: Lc/d/c/l/h/g/l;->m(Landroid/content/Context;)I Method string: "/system/xbin/su"
Source: Lc/d/c/l/h/g/n;->S(Ljava/lang/String;)V Method string: "/system/xbin/su"

Spreading:

Has permission to change the WIFI configuration including connecting and disconnecting
Source: submitted apk Request permission: android.permission.CHANGE_WIFI_STATE
Source: androidx.core.content.FileProvider;->g:63 API Call: android.os.Environment.getExternalStorageDirectory

Networking:

Checks whether an internet connection is available
Source: c.d.c.v.q0;->run:69 API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.c.v.q0;->run:69 API Call: android.net.NetworkInfo.isConnected
Source: c.d.a.b.g.b.t9;->L:1017 API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.a.b.g.b.t9;->L:1017 API Call: android.net.NetworkInfo.isConnected
Source: c.d.a.b.g.b.v3;->m:7 API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.a.b.g.b.v3;->m:8 API Call: android.net.NetworkInfo.isConnected
Source: c.d.a.b.g.b.x4;->r:339 API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.a.b.g.b.x4;->r:340 API Call: android.net.NetworkInfo.isConnected
Source: b.e0.y.m.f.e;->g:52 API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: b.e0.y.m.f.e;->g:53 API Call: android.net.NetworkInfo.isConnected
Source: c.d.c.l.h.g.l;->c:21 API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.c.l.h.g.l;->c:22 API Call: android.net.NetworkInfo.isConnectedOrConnecting
Source: c.d.a.a.i.d;->a:48 API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.a.a.j.y.j.r;->a:38 API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.a.a.j.y.j.r;->a:39 API Call: android.net.NetworkInfo.isConnected
Source: c.b.a.o.e;->l:9 API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.b.a.o.e;->l:10 API Call: android.net.NetworkInfo.isConnected
Source: c.d.c.v.q0;->d:22 API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.c.v.q0;->d:23 API Call: android.net.NetworkInfo.isConnected
Source: c.d.c.v.v0;->i:45 API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: c.d.c.v.v0;->i:46 API Call: android.net.NetworkInfo.isConnected
Opens an internet connection
Source: c.d.c.t.r.c;->l:207 API Call: java.net.URL.openConnection
Source: c.a.a.w.g;->f:71 API Call: java.net.URL.openConnection
Source: g.h0.j.b;->f:61 API Call: java.net.Socket.connect("10000")
Source: i.b.g.c$e;->u:137 API Call: java.net.URL.openConnection
Source: c.d.c.l.h.j.a;->c:62 API Call: java.net.URL.openConnection
Source: c.d.a.b.a.a.b;->run:18 API Call: java.net.URL.openConnection (not executed)
Source: c.g.a.e$c;->a:4 API Call: java.net.URL.openConnection (not executed)
Source: c.d.a.b.g.b.f7;->o:2 API Call: java.net.URL.openConnection (not executed)
Source: c.d.a.b.g.b.v3;->n:9 API Call: java.net.URL.openConnection (not executed)
Source: c.e.a.b.b$b;->a:6 API Call: java.net.URL.openConnection (not executed)
Source: c.e.a.b.b$b;->a:11 API Call: java.net.URL.openConnection (not executed)
Source: c.e.a.b.b$b;->a:14 API Call: java.net.URL.openConnection (not executed)
Source: c.d.a.a.i.d;->c:128 API Call: java.net.URL.openConnection (not executed)
Source: g.h0.j.h;->f:31 API Call: java.net.Socket.connect (not executed)
Source: c.b.a.n.n.j$a;->a:2 API Call: java.net.URL.openConnection (not executed)
Source: c.d.c.v.c0;->I:13 API Call: java.net.URL.openConnection (not executed)
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.30:56068 -> 8.8.4.4:853
Source: global traffic TCP traffic: 192.168.2.30:53266 -> 154.16.200.215:7001
Performs DNS lookups (Java API)
Source: g.s$a$a;->a:4 API Call: java.net.InetAddress.getAllByName (URL: "apis.cyberprotector.online")
Source: c.d.d.w.n.n$o;->e:8 API Call: java.net.InetAddress.getByName (not executed)
Source: i.b.g.c$e;->x:207 API Call: com.android.okhttp.internal.huc.HttpsURLConnectionImpl.connect
Source: c.g.a.e$c;->a:7 API Call: java.net.HttpURLConnection.connect
Source: c.d.a.b.g.b.u3;->run:37 API Call: java.net.HttpURLConnection.connect
Source: c.d.c.l.h.j.a;->c:75 API Call: javax.net.ssl.HttpsURLConnection.connect
Source: c.b.a.n.n.j;->j:85 API Call: java.net.HttpURLConnection.connect
Source: unknown HTTP traffic detected:
  POST /c2dm/register3 HTTP/1.1
  Authorization: AidLogin 3976102378291501644:1184905049225720946
  app: com.google.android.gms
  gcm_ver: 210214031
  User-Agent: Android-GCM/1.5 (x86 PI)
  content-length: 477
  content-type: application/x-www-form-urlencoded
  Host: android.clients.google.com
  Connection: Keep-Alive
  Accept-Encoding: gzip
Source: global traffic HTTP traffic detected:
  GET /version.php HTTP/1.1
  Accept-Encoding: gzip
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
  Authorization: Basic cGFyYW5vaWQ6YW5kcm9pZA==
  Host: applinked.store
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /spi/v2/platforms/android/gmp/1:139259126181:android:abbd90bc22b546eda2084c/settings?instance=c68684cf435bedcc0ac07429bd69b9dee65d0f54&build_version=110&display_version=1.1.0&source=4 HTTP/1.1
  X-CRASHLYTICS-DEVELOPER-TOKEN: 470fa2b4ae81cd56ecbcda9735803434cec591fa
  X-CRASHLYTICS-DEVICE-MODEL: samsung/Galaxy Nexus
  X-CRASHLYTICS-INSTALLATION-ID: b819f8db0b884de6bb614519185d47df
  X-CRASHLYTICS-OS-DISPLAY-VERSION: 9
  Accept: application/json
  X-CRASHLYTICS-API-CLIENT-VERSION: 18.1.0
  User-Agent: Crashlytics Android SDK/18.1.0
  X-CRASHLYTICS-API-CLIENT-TYPE: android
  X-CRASHLYTICS-GOOGLE-APP-ID: 1:139259126181:android:abbd90bc22b546eda2084c
  X-CRASHLYTICS-OS-BUILD-VERSION: eng.lh.20200325.125308
  Host: firebase-settings.crashlytics.com
  Connection: Keep-Alive
  Accept-Encoding: gzip
Source: global traffic HTTP traffic detected:
  GET /applinked.php HTTP/1.1
  Host: apis.cyberprotector.online
  Connection: Keep-Alive
  Accept-Encoding: gzip
  User-Agent: okhttp/4.9.1
Source: global traffic HTTP traffic detected:
  GET /frps/?get=1&cc=CH&pub=applinked&uid=4b107eea-62ff-4d03-8ce8-ec35279728ed&ver=2.0.16 HTTP/1.1
  User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; VMware Virtual Platform Build/PI)
  Host: ch-applinked.monetizeweb.io
  Connection: Keep-Alive
  Accept-Encoding: gzip
Source: global traffic HTTP traffic detected:
  GET /applinked.php HTTP/1.1
  Host: apis.cyberprotector.online
  Connection: Keep-Alive
  Accept-Encoding: gzip
  User-Agent: okhttp/4.9.1
Source: unknown HTTPS traffic detected: 142.250.185.170:443 -> 192.168.2.30:34832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.24.190.42:443 -> 192.168.2.30:45398 version: TLS 1.2
Source: unknown HTTPS traffic detected: 217.160.10.227:443 -> 192.168.2.30:57338 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.67:443 -> 192.168.2.30:54584 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.39.15.132:443 -> 192.168.2.30:48608 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.24.190.42:443 -> 192.168.2.30:45408 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.39.15.132:443 -> 192.168.2.30:48620 version: TLS 1.2

E-Banking Fraud:

Has functionality to add an overlay to other apps
Source: b.b.b.f;->z0:910 API Call: WindowManager.addView
Source: b.b.g.z0;->e:82 API Call: WindowManager.addView

Operating System Destruction:

Lists and deletes files in the same context
Source: c.d.c.l.h.k.g;->G:47 API Calls in same method context: File.listFiles,File.delete
Source: b.s.b;->s:421 API Calls in same method context: File.listFiles,File.delete
Source: c.b.a.l.c;->b:9 API Calls in same method context: File.listFiles,File.delete
Source: c.a.a.w.d;->f:135 API Calls in same method context: File.listFiles,File.delete
Source: b.s.a;->d:57 API Calls in same method context: File.listFiles,File.delete

Change of System Appearance:

May access the Android keyguard (lock screen)
Source: android String found in binary or memory: keyguard
Source: b.o.a.a;->b:30 API Call: android.os.PowerManager$WakeLock.acquire
Source: b.e0.y.l.b.d;->f:88 API Call: android.os.PowerManager$WakeLock.acquire
Source: b.e0.y.l.b.e$a;->run:32 API Call: android.os.PowerManager$WakeLock.acquire
Source: b.e0.y.l.b.e;->l:108 API Call: android.os.PowerManager$WakeLock.acquire
Source: c.d.a.b.h.a;->a:68 API Call: android.os.PowerManager$WakeLock.acquire
Source: c.d.c.v.q0;->run:54 API Call: android.os.PowerManager$WakeLock.acquire
Source: c.d.c.v.v0;->run:52 API Call: android.os.PowerManager$WakeLock.acquire

System Summary:

APK is signed by a suspicious certificate
Source: APK Certificate APK Parser: C=US,O=Android,CN=Android Debug C=US,O=Android,CN=Android Debug
Requests potentially dangerous permissions
Source: submitted apk Request permission: android.permission.ACCESS_COARSE_LOCATION
Source: submitted apk Request permission: android.permission.CHANGE_NETWORK_STATE
Source: submitted apk Request permission: android.permission.CHANGE_WIFI_STATE
Source: submitted apk Request permission: android.permission.INTERNET
Source: submitted apk Request permission: android.permission.WAKE_LOCK
Source: submitted apk Request permission: android.permission.WRITE_EXTERNAL_STORAGE
Kills/terminates processes
Source: com.jakewharton.processphoenix.ProcessPhoenix;->onCreate:6 API Call: android.os.Process.killProcess
Executes native commands
Source: c.g.a.f$a;->run:11 API Call: java.lang.ProcessBuilder.start
Source: c.g.a.h;->k:437 API Call: java.lang.Runtime.exec ("logcat -d ")
Source: c.d.c.l.h.m.d;->n:73 API Call: "existing_instance_identifier":
Source: c.d.c.l.h.g.y;->f:59 API Call: "firebase.installation.id": null
Source: c.d.c.v.o0;->d:16 API Call: "topic_operation_queue":
Source: c.d.c.t.q.b;->g:58 API Call: "|S|id": null
Source: c.d.c.v.p0;->d:43 API Call: "|T|139259126181|*": null
Source: c.d.c.t.q.b;->h:62 API Call: "|S||P|": null
Source: c.g.a.c;->a:6 API Call: "libra.publisher": null
Source: c.g.a.c;->a:6 API Call: "libra.countryid": null
Source: c.g.a.c;->a:6 API Call: "libra.uuid": null
Source: com.i4apps.newapplinked.MainActivity;->onCreate:187 API Call: "DEFAULTCODES": null
Source: c.d.a.b.g.b.e4;->t:106 API Call: "consent_settings": G1
Source: c.g.a.c;->b:8 API Call: "libra.publisher": applinked
Source: c.g.a.c;->b:8 API Call: "libra.countryid": CH
Source: c.g.a.c;->b:8 API Call: "libra.uuid": 4b107eea-62ff-4d03-8ce8-ec35279728ed
Source: c.g.a.c;->a:6 API Call: "libra.uuid": 4b107eea-62ff-4d03-8ce8-ec35279728ed
Source: c.g.a.c;->a:6 API Call: "libra.countryid": CH
Source: c.d.a.b.g.b.x4;->y:553 API Call: "gmp_app_id": null
Source: c.d.a.b.g.b.x4;->y:560 API Call: "admob_app_id": null
Source: c.d.a.b.g.b.d4;->a:6 API Call: "app_instance_id": null
Source: c.d.a.b.g.b.d4;->a:6 API Call: "firebase_feature_rollouts": null
Source: c.d.a.b.g.b.a7;->u:1095 API Call: "previous_os_version": null
Source: c.d.a.b.g.b.z3;->a:9 API Call: "default_event_parameters": null
Source: c.d.a.b.a.a.c;->c:19 API Call: "gads:ad_id_use_shared_preference:experiment_id":
Source: c.d.a.b.a.a.c;->a:9 API Call: android.content.SharedPreferences.getBoolean
Source: c.g.a.c;->e:12 API Call: android.content.SharedPreferences.getBoolean
Source: c.d.a.b.g.b.a7;->W:537 API Call: android.content.SharedPreferences.getBoolean
Source: c.d.a.b.g.b.b4;->b:53 API Call: android.content.SharedPreferences.getString
Source: c.d.a.b.g.b.e4;->j:39 API Call: android.content.SharedPreferences.getBoolean
Source: c.d.a.b.g.b.e4;->r:96 API Call: android.content.SharedPreferences.getBoolean
Source: c.d.a.b.g.b.i3;->o:281 API Call: android.content.SharedPreferences.getBoolean
Source: c.d.a.b.g.b.p8;->r:292 API Call: android.content.SharedPreferences.getBoolean
Source: c.d.a.b.g.b.y3;->a:6 API Call: android.content.SharedPreferences.getBoolean
Source: c.d.c.l.h.g.u;->b:32 API Call: android.content.SharedPreferences.getBoolean
Source: c.d.c.l.h.g.y;->l:115 API Call: android.content.SharedPreferences.getString
Source: com.google.firebase.messaging.FirebaseMessaging$a;->d:23 API Call: android.content.SharedPreferences.getBoolean
Source: b.e0.y.p.e;->b:10 API Call: android.content.SharedPreferences.getBoolean
Source: c.d.c.t.q.b;->i:70 API Call: android.content.SharedPreferences.getString
Source: c.d.c.u.a;->c:15 API Call: android.content.SharedPreferences.getBoolean
Source: c.d.c.v.e0;->a:16 API Call: android.content.SharedPreferences.getBoolean
Source: c.d.a.a.j.y.k.h0;->I:16 API Call: android.database.sqlite.SQLiteDatabase.execSQL
Source: c.d.a.a.j.y.k.h0;->N:30 API Call: android.database.sqlite.SQLiteDatabase.execSQL
Source: c.g.a.d;->onCreate:13 API Call: android.database.sqlite.SQLiteDatabase.execSQL
Source: classification engine Classification label: mal68.spyw.evad.andAPK@0/256@0/0
Source: applinked.apk Joe Sandbox Cloud Basic: Detection: clean Score: 0

Data Obfuscation:

Obfuscates method names
Source: applinked.apk Total valid method names: 19%
Found very long method strings
Source: Lc/d/a/b/c/w;->P()[B Method string: 0\u0082\u0004\u00a80\u0082\u0003\u0090\u00a0\u0003\u0002\u0001\u0002\u0002\t\u0000\u00d5\u0085\u00b8l}\u00d3N\u00f50\r\u0006\t*\u0086H\u0086\u00f7\r\u0001\u0001\u0004\u0005\u00000\u0081\u00941\u000b0\t\u0006\u0003U\u0004\u0006\u0013\u0002US1\u00130\u0011\ Length: 4395
Uses reflection
Source: com.google.android.gms.dynamite.DynamiteModule;->a:28 API Call: Real call: public static final java.lang.String com.google.android.gms.dynamite.descriptors.com.google.android.gms.measurement.dynamite.ModuleDescriptor.MODULE_ID
Source: com.google.android.gms.dynamite.DynamiteModule;->e:143 API Call: Real call: public static java.lang.ClassLoader com.google.android.gms.dynamite.DynamiteModule$DynamiteLoaderClassLoader.sClassLoader
Source: b.z.a;->d:16 API Call: Real call: public static boolean android.os.Trace.isTagEnabled(long)
Source: b.b.g.b1;->c:22 API Call: androidx.appcompat.widget.FitWindowsLinearLayout.makeOptionalFitsSystemWindows
Source: b.b.g.b1;->c:22 API Call: Real call: public void android.view.ViewGroup.makeOptionalFitsSystemWindows()
Source: g.h0.j.i.h;->a:6 API Call: Real call: null
Source: g.h0.j.i.h;->a:6 API Call: Real call: public static dalvik.system.CloseGuard dalvik.system.CloseGuard.get()
Source: g.h0.j.i.h;->a:9 API Call: dalvik.system.CloseGuard.open
Source: g.h0.j.i.h;->a:9 API Call: Real call: public void dalvik.system.CloseGuard.open(java.lang.String)
Source: g.h0.j.i.f;->d:46 API Call: com.android.org.conscrypt.OpenSSLSocketImpl.setUseSessionTickets
Source: g.h0.j.i.f;->d:46 API Call: Real call: public abstract void com.android.org.conscrypt.OpenSSLSocketImpl.setUseSessionTickets(boolean)
Source: g.h0.j.i.f;->d:48 API Call: com.android.org.conscrypt.OpenSSLSocketImpl.setHostname
Source: g.h0.j.i.f;->d:48 API Call: Real call: public void com.android.org.conscrypt.OpenSSLSocketImpl.setHostname(java.lang.String)
Source: g.h0.j.i.f;->d:52 API Call: com.android.org.conscrypt.OpenSSLSocketImpl.setAlpnProtocols
Source: g.h0.j.i.f;->d:52 API Call: Real call: public final void com.android.org.conscrypt.OpenSSLSocketImpl.setAlpnProtocols(byte[])
Source: g.h0.j.i.f;->b:27 API Call: com.android.org.conscrypt.OpenSSLSocketImpl.getAlpnSelectedProtocol
Source: g.h0.j.i.f;->b:27 API Call: Real call: public final byte[] com.android.org.conscrypt.OpenSSLSocketImpl.getAlpnSelectedProtocol()
Source: c.d.a.b.g.b.f;->D:25 API Call: Real call: public static java.lang.String android.os.SystemProperties.get(java.lang.String,java.lang.String)
Source: c.d.a.b.g.b.i3;->o:253 API Call: Real call: null
Source: c.d.a.b.g.b.i3;->o:253 API Call: Real call: public static com.google.firebase.analytics.FirebaseAnalytics com.google.firebase.analytics.FirebaseAnalytics.getInstance(android.content.Context)
Source: c.d.a.b.g.b.i3;->o:256 API Call: com.google.firebase.analytics.FirebaseAnalytics.getFirebaseInstanceId
Source: c.d.a.b.g.b.i3;->o:256 API Call: Real call: public java.lang.String com.google.firebase.analytics.FirebaseAnalytics.getFirebaseInstanceId()
Source: c.d.a.b.f.e.m4;->O:68 API Call: Real call: java.lang.reflect.Field@fcb1899
Source: c.d.a.b.f.e.m4;->O:68 API Call: Real call: java.lang.reflect.Field@dc7373f
Source: b.a0.b0;->e:15 API Call: java.lang.reflect.Method.invoke
Source: androidx.activity.ImmLeaksCleaner;->d:17 API Call: java.lang.reflect.Field.get
Source: androidx.activity.ImmLeaksCleaner;->d:19 API Call: java.lang.reflect.Field.get
Source: b.h.b.b$c;->run:7 API Call: java.lang.reflect.Method.invoke
Source: b.h.b.b$c;->run:12 API Call: java.lang.reflect.Method.invoke
Source: b.h.b.b;->h:32 API Call: java.lang.reflect.Field.get
Source: b.h.b.b;->h:35 API Call: java.lang.reflect.Field.get
Source: b.h.b.b;->i:48 API Call: java.lang.reflect.Field.get
Source: b.h.b.b;->i:50 API Call: java.lang.reflect.Field.get
Source: b.h.b.b;->i:63 API Call: java.lang.reflect.Method.invoke
Source: b.b.b.h$a;->onClick:40 API Call: java.lang.reflect.Method.invoke
Source: b.b.b.j;->b:11 API Call: java.lang.reflect.Field.get
Source: b.b.b.j;->c:22 API Call: java.lang.reflect.Field.get
Source: b.b.b.j;->d:33 API Call: java.lang.reflect.Field.get
Source: b.b.b.j;->d:43 API Call: java.lang.reflect.Field.get
Source: b.b.b.j;->e:59 API Call: java.lang.reflect.Field.get
Source: c.d.a.b.g.b.a7;->Z:577 API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.g.b.f;->j:52 API Call: java.lang.reflect.Method.invoke
Source: b.h.c.c.f$b$a;->a:10 API Call: java.lang.reflect.Method.invoke
Source: b.f.c.a;->a:27 API Call: java.lang.reflect.Method.invoke
Source: b.f.c.a;->c:96 API Call: java.lang.reflect.Method.invoke
Source: b.f.c.a;->c:100 API Call: java.lang.reflect.Method.invoke
Source: b.f.c.a;->c:103 API Call: java.lang.reflect.Method.invoke
Source: b.f.c.a;->c:107 API Call: java.lang.reflect.Method.invoke
Source: b.f.c.a;->c:111 API Call: java.lang.reflect.Method.invoke
Source: b.f.c.a;->c:115 API Call: java.lang.reflect.Method.invoke
Source: b.f.c.a;->c:119 API Call: java.lang.reflect.Method.invoke
Source: b.c0.a;->K:14 API Call: java.lang.reflect.Method.invoke
Source: b.c0.a;->n:83 API Call: java.lang.reflect.Method.invoke
Source: com.google.android.material.chip.Chip;->m:254 API Call: java.lang.reflect.Field.get
Source: com.google.android.material.chip.Chip;->m:262 API Call: java.lang.reflect.Method.invoke
Source: b.h.d.e;->k:6 API Call: java.lang.reflect.Method.invoke
Source: b.h.d.e;->l:14 API Call: java.lang.reflect.Method.invoke
Source: b.h.d.f;->k:21 API Call: java.lang.reflect.Method.invoke
Source: b.h.d.f;->l:27 API Call: java.lang.reflect.Method.invoke
Source: b.h.d.h;->l:9 API Call: java.lang.reflect.Method.invoke
Source: b.h.d.g;->l:79 API Call: java.lang.reflect.Method.invoke
Source: b.h.d.g;->p:81 API Call: java.lang.reflect.Method.invoke
Source: b.h.d.g;->q:89 API Call: java.lang.reflect.Method.invoke
Source: b.h.d.g;->r:95 API Call: java.lang.reflect.Method.invoke
Source: b.h.d.j;->j:11 API Call: java.lang.reflect.Field.get
Source: b.h.d.g;->s:98 API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.d.b;->N:9 API Call: java.lang.reflect.Field.get
Source: c.d.a.b.f.d.y;-><clinit>:5 API Call: java.lang.reflect.Field.get
Source: androidx.core.graphics.drawable.IconCompat;->e:39 API Call: java.lang.reflect.Method.invoke
Source: androidx.core.graphics.drawable.IconCompat;->g:50 API Call: java.lang.reflect.Method.invoke
Source: androidx.core.graphics.drawable.IconCompat;->i:60 API Call: java.lang.reflect.Method.invoke
Source: androidx.core.graphics.drawable.IconCompat;->k:83 API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.dynamite.DynamiteModule;->a:30 API Call: java.lang.reflect.Field.get
Source: c.d.a.b.f.e.eb;->a:4 API Call: java.lang.reflect.Field.get
Source: c.d.a.b.f.e.f7;-><clinit>:5 API Call: java.lang.reflect.Field.get
Source: c.d.a.b.f.e.p8;->b:49 API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.f.e.q9;-><init>:8 API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.f.e.v0;->a:19 API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.f.e.v0;->a:29 API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.f.e.v8;->j:5 API Call: java.lang.reflect.Method.invoke
Source: b.b.f.g$a;->onMenuItemClick:21 API Call: java.lang.reflect.Method.invoke
Source: b.b.f.g$a;->onMenuItemClick:25 API Call: java.lang.reflect.Method.invoke
Source: b.b.g.b1;->a:10 API Call: java.lang.reflect.Method.invoke
Source: b.b.g.h0;->N:55 API Call: java.lang.reflect.Method.invoke
Source: b.b.g.h0;->f:117 API Call: java.lang.reflect.Method.invoke
Source: b.b.g.h0;->u:230 API Call: java.lang.reflect.Method.invoke
Source: b.b.g.j0;->U:15 API Call: java.lang.reflect.Method.invoke
Source: b.b.g.z;->o:25 API Call: java.lang.reflect.Method.invoke
Source: b.b.g.z;->u:242 API Call: java.lang.reflect.Method.invoke
Source: g.h0.j.i.h;->b:12 API Call: java.lang.reflect.Method.invoke
Source: b.b.f.j.j;->h:58 API Call: java.lang.reflect.Method.invoke
Source: g.h0.j.b$b;->a:10 API Call: java.lang.reflect.Method.invoke
Source: g.h0.j.e$a;->invoke:44 API Call: java.lang.reflect.Method.invoke
Source: g.h0.j.e;->b:17 API Call: java.lang.reflect.Method.invoke
Source: g.h0.j.e;->e:33 API Call: java.lang.reflect.Method.invoke
Source: g.h0.j.e;->g:40 API Call: java.lang.reflect.Method.invoke
Source: b.h.l.d0$a;->a:23 API Call: java.lang.reflect.Field.get
Source: b.h.l.d0$a;->a:25 API Call: java.lang.reflect.Field.get
Source: b.h.l.d0$a;->a:27 API Call: java.lang.reflect.Field.get
Source: b.h.l.d0$c;->e:11 API Call: java.lang.reflect.Field.get
Source: b.h.l.d0$g;->q:67 API Call: java.lang.reflect.Method.invoke
Source: b.h.l.d0$g;->q:72 API Call: java.lang.reflect.Field.get
Source: b.h.l.d0$g;->q:74 API Call: java.lang.reflect.Field.get
Source: b.h.l.f;->a:5 API Call: java.lang.reflect.Method.invoke
Source: b.h.l.f;->f:37 API Call: java.lang.reflect.Field.get
Source: b.h.l.w;->a:7 API Call: java.lang.reflect.Method.invoke
Source: b.h.l.v;->n:235 API Call: java.lang.reflect.Field.get
Source: b.h.d.l.a;->f:24 API Call: java.lang.reflect.Method.invoke
Source: b.h.d.l.a;->m:45 API Call: java.lang.reflect.Method.invoke
Source: b.h.d.l.e;->isProjected:18 API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.c.l.p;->d:38 API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.c.l.p;->f:47 API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.c.l.p;->g:56 API Call: java.lang.reflect.Method.invoke
Source: c.d.a.b.c.l.p;->g:60 API Call: java.lang.reflect.Method.invoke
Source: b.h.m.c;->a:9 API Call: java.lang.reflect.Field.get
Source: b.h.m.h;->b:20 API Call: java.lang.reflect.Method.invoke
Source: b.h.m.i$a;->f:54 API Call: java.lang.reflect.Method.invoke
Source: com.google.android.gms.measurement.AppMeasurement;->getInstance:11 API Call: java.lang.reflect.Method.invoke
Source: f.n.a;->a:7 API Call: java.lang.reflect.Method.invoke
Source: c.d.d.w.n.i$a;->b:7 API Call: java.lang.reflect.Field.get
Source: c.d.d.w.n.i$a;->c:16 API Call: java.lang.reflect.Field.get
Source: c.d.d.w.o.c;->d:11 API Call: java.lang.reflect.Field.get
Source: c.d.d.w.o.c;->e:29 API Call: java.lang.reflect.Method.invoke
Source: c.d.d.w.o.c;->e:39 API Call: java.lang.reflect.Method.invoke
Source: b.e0.y.p.f;->a:11 API Call: java.lang.reflect.Method.invoke
Source: b.p.a$b;->a:4 API Call: java.lang.reflect.Method.invoke
Source: b.p.a$b;->a:6 API Call: java.lang.reflect.Method.invoke
Source: b.p.a$b;->a:8 API Call: java.lang.reflect.Method.invoke
Source: b.s.a$a;->a:3 API Call: java.lang.reflect.Field.get
Source: b.s.a$a;->a:18 API Call: java.lang.reflect.Field.get
Source: b.s.a$a;->b:32 API Call: java.lang.reflect.Method.invoke
Source: b.s.a;->f:113 API Call: java.lang.reflect.Field.get
Source: c.d.d.w.m$a;->c:5 API Call: java.lang.reflect.Method.invoke
Source: c.d.d.w.m$b;->c:5 API Call: java.lang.reflect.Method.invoke
Source: c.d.d.w.m$c;->c:4 API Call: java.lang.reflect.Method.invoke
Source: c.d.d.w.m;->b:25 API Call: java.lang.reflect.Field.get
Source: c.d.d.w.m;->b:32 API Call: java.lang.reflect.Method.invoke
Source: androidx.appcompat.widget.SearchView$n;->a:17 API Call: java.lang.reflect.Method.invoke
Source: androidx.appcompat.widget.SearchView$n;->b:20 API Call: java.lang.reflect.Method.invoke
Source: androidx.appcompat.widget.SearchView$n;->c:24 API Call: java.lang.reflect.Method.invoke
Source: b.z.a;->e:26 API Call: java.lang.reflect.Method.invoke
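
Most of the reflection hits listed above, like the hashing and Build-field hits further down, come from bundled SDKs rather than from the app's own classes, and the shrunk package names (b.*, c.d.a.b.*, c.d.c.*, g.h0.*) hide that at a glance. The following triage helper is an added example, not part of the sandbox report or of the analysed app: it parses report "Source:" lines and attributes each hit to an origin so that app-code and unattributed hits can be reviewed first. The prefix-to-library table is an assumption inferred from the unobfuscated class names that sit beside the shrunk ones in this report (androidx.activity.* next to b.h.b.b, com.google.android.gms.dynamite next to c.d.a.b.*, FirebaseAnalytics next to c.d.c.*), and the app package com.libravpn is taken from the BootupReceiver entry; verify the table against the decompiled APK before relying on it.

```python
import re
from collections import Counter, defaultdict

# Assumption: package prefixes (plain and R8/ProGuard-shrunk) mapped to the
# library they most likely belong to, inferred from unobfuscated class names
# that sit beside the shrunk ones in this report. The app package is taken
# from the BootupReceiver entry. Longest matching prefix wins.
ASSUMED_PREFIXES = {
    "com.libravpn.": "app",
    "androidx.": "androidx",
    "b.": "androidx (shrunk)",
    "com.google.android.material.": "material",
    "com.google.android.gms.": "play-services",
    "c.d.a.b.": "play-services (shrunk)",
    "com.google.firebase.": "firebase",
    "c.d.c.": "firebase (shrunk)",
    "c.b.a.": "glide (shrunk)",
    "g.h0.": "okhttp (shrunk)",
    "h.": "okio (shrunk)",
}

# One "Source:" line in either the dotted form (c.g.a.h;->k:437 API Call: ...)
# or the smali form (Lc/d/c/l/h/g/l;->s()J Method string: ...).
SOURCE_RE = re.compile(
    r"^Source:\s+L?(?P<cls>[\w$./]+);->(?P<method>[^:(\s]+)"
    r"(?:\([^)]*\)\S*)?(?::(?P<line>\d+))?\s+"
    r"(?P<kind>API Call|Field Access|Method string|Instruction):\s*(?P<detail>.*)$"
)


def parse_source(line):
    """Parse one report line; None for non-code sources (permissions, network)."""
    m = SOURCE_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    d["cls"] = d["cls"].replace("/", ".")          # smali -> dotted
    d["line"] = int(d["line"]) if d["line"] else None
    return d


def attribute(cls):
    """Label a class by the longest matching assumed prefix, else 'unknown'."""
    best, label = "", "unknown"
    for prefix, lib in ASSUMED_PREFIXES.items():
        if cls.startswith(prefix) and len(prefix) > len(best):
            best, label = prefix, lib
    return label


def triage(report_lines):
    """Return (counts per origin, hits per origin) so that 'app' and
    'unknown' hits can be reviewed before the SDK noise."""
    counts, hits = Counter(), defaultdict(list)
    for line in report_lines:
        p = parse_source(line)
        if p is None:
            continue
        origin = attribute(p["cls"])
        counts[origin] += 1
        hits[origin].append(f'{p["cls"]}->{p["method"]} [{p["kind"]}] {p["detail"]}')
    return counts, dict(hits)


# Constructed sample: a handful of lines copied from this report.
SAMPLE_LINES = [
    "Source: com.libravpn.libravpn.BootupReceiver;->onReceive:19 API Call: android.content.Context.startService (not executed)",
    'Source: c.e.a.b.b;->a:10 API Call: android.content.Intent.setDataAndType(n/a,"application/vnd.android.package-archive")',
    'Source: c.g.a.h;->k:437 API Call: java.lang.Runtime.exec ("logcat -d ")',
    "Source: androidx.activity.ImmLeaksCleaner;->d:17 API Call: java.lang.reflect.Field.get",
    "Source: b.h.b.b$c;->run:7 API Call: java.lang.reflect.Method.invoke",
    "Source: c.d.a.b.g.b.i3;->o:256 API Call: com.google.firebase.analytics.FirebaseAnalytics.getFirebaseInstanceId",
    'Source: Lc/d/c/l/h/g/l;->s()J Method string: "/proc/meminfo"',
    "Source: c.d.c.l.h.g.n;->S:224 Field Access: android.os.Build.TAGS",
    "Source: g.h0.j.i.f;->d:48 API Call: com.android.org.conscrypt.OpenSSLSocketImpl.setHostname",
    "Source: submitted apk Request permission: android.permission.RECEIVE_BOOT_COMPLETED",
]

if __name__ == "__main__":
    counts, hits = triage(SAMPLE_LINES)
    for origin, n in counts.most_common():
        print(f"{n:3d}  {origin}")
    for hit in hits.get("app", []) + hits.get("unknown", []):
        print("  review:", hit)
```

On the sample, the APK-install intent (c.e.a.b.b) and the logcat reader (c.g.a.h) come out as "unknown", which is exactly the set an analyst should open first; the permission line is skipped because it names no class.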

Persistence and Installation Behavior:

Sets an intent to the APK data type (used to install other APKs)
Source: c.e.a.b.b;->a:10 API Call: android.content.Intent.setDataAndType(n/a,"application/vnd.android.package-archive")
Source: c.d.c.l.h.m.a;->c:31 API Call: java.io.FileWriter.<init>

Boot Survival:

Starts/registers a service/receiver on phone boot (autostart)
Source: com.libravpn.libravpn.BootupReceiver;->onReceive:19 API Call: android.content.Context.startService (not executed)
Source: androidx.work.impl.background.systemalarm.RescheduleReceiver;->onReceive:17 API Call: android.content.Context.startService (not executed)
Installs a new wake lock (keeps the device awake, for example to keep the CPU or screen on)
Source: b.o.a.a;->b:28 API Call: android.os.PowerManager.newWakeLock
Source: c.d.a.b.h.a;-><init>:26 API Call: android.os.PowerManager.newWakeLock
Source: b.e0.y.p.j;->b:26 API Call: android.os.PowerManager.newWakeLock
Source: c.d.c.v.q0;-><init>:11 API Call: android.os.PowerManager.newWakeLock
Source: c.d.c.v.v0;-><init>:6 API Call: android.os.PowerManager.newWakeLock
Has permission to execute code after phone reboot
Source: submitted apk Request permission: android.permission.RECEIVE_BOOT_COMPLETED

Hooking and other Techniques for Hiding and Protection:

Queries list of running processes/tasks
Source: c.d.c.l.h.g.l;->j:67 API Call: android.app.ActivityManager.getRunningAppProcesses
Source: b.e0.y.p.f;->a:19 API Call: android.app.ActivityManager.getRunningAppProcesses
Source: c.d.c.v.c;->b:23 API Call: android.app.ActivityManager.getRunningAppProcesses
Source: c.d.c.l.h.g.l;->u:146 API Call: java.security.MessageDigest.getInstance
Source: c.d.c.l.h.g.l;->u:147 API Call: java.security.MessageDigest.update
Source: c.d.c.l.h.g.l;->t:145 API Call: java.security.MessageDigest.digest
Source: c.d.c.v.a0;->c:18 API Call: java.security.MessageDigest.getInstance
Source: c.d.c.v.a0;->h:86 API Call: java.security.MessageDigest.digest
Source: c.d.a.b.c.l.a;->b:9 API Call: java.security.MessageDigest.getInstance
Source: c.d.c.t.r.c;->f:181 API Call: java.security.MessageDigest.digest
Source: c.d.a.b.g.b.aa;->B:8 API Call: java.security.MessageDigest.getInstance
Source: c.d.a.b.g.b.i3;->o:215 API Call: java.security.MessageDigest.digest
Source: c.d.a.b.g.b.q8;->o:65 API Call: java.security.MessageDigest.digest
Source: c.d.a.b.g.b.v9;->H:329 API Call: java.security.MessageDigest.digest
Source: c.g.a.h;->a:24 API Call: java.security.MessageDigest.getInstance
Source: c.g.a.h;->a:27 API Call: java.security.MessageDigest.digest
Source: c.b.a.n.o.b0.j$a;->b:4 API Call: java.security.MessageDigest.getInstance
Source: c.b.a.n.o.b0.j;->a:11 API Call: java.security.MessageDigest.digest
Source: c.d.a.b.c.z;->e:11 API Call: java.security.MessageDigest.digest
Source: c.b.a.n.q.d.b0$a;->b:4 API Call: java.security.MessageDigest.update
Source: c.b.a.n.q.d.b0$a;->b:12 API Call: java.security.MessageDigest.update
Source: c.b.a.n.q.d.b0$b;->b:4 API Call: java.security.MessageDigest.update
Source: c.b.a.n.q.d.b0$b;->b:12 API Call: java.security.MessageDigest.update
Source: c.b.a.n.q.d.i;->a:6 API Call: java.security.MessageDigest.update
Source: c.b.a.n.q.d.j;->a:6 API Call: java.security.MessageDigest.update
Source: c.b.a.n.q.d.q;->a:6 API Call: java.security.MessageDigest.update
Source: c.d.c.l.h.g.l;->u:148 API Call: java.security.MessageDigest.digest
Source: h.h;->g:23 API Call: java.security.MessageDigest.getInstance
Source: h.h;->g:25 API Call: java.security.MessageDigest.digest
Source: h.x;->g:26 API Call: java.security.MessageDigest.getInstance
Source: h.x;->g:31 API Call: java.security.MessageDigest.update
Source: h.x;->g:32 API Call: java.security.MessageDigest.digest
Source: c.d.a.b.c.l.a;->a:8 API Call: java.security.MessageDigest.digest
Source: c.b.a.n.o.x;->a:13 API Call: java.security.MessageDigest.update
Source: c.b.a.n.o.x;->a:19 API Call: java.security.MessageDigest.update
Source: c.b.a.n.p.g;->a:12 API Call: java.security.MessageDigest.update
Source: c.d.c.t.q.b;->c:23 API Call: java.security.MessageDigest.getInstance
Source: c.d.c.t.q.b;->c:24 API Call: java.security.MessageDigest.digest
Source: c.b.a.s.b;->a:7 API Call: java.security.MessageDigest.update
Source: c.d.c.v.a0;->c:20 API Call: java.security.MessageDigest.digest

Malware Analysis System Evasion:

Executes logcat command (note: since Android 4.1 the READ_LOGS permission is no longer granted to third-party apps, so "logcat -d" run from an unprivileged app returns only the app's own log entries)
Source: c.g.a.h;->k:437 API Call: java.lang.Runtime.exec ("logcat -d ")
Accesses /proc
Source: Lc/d/c/l/h/g/l;->s()J Method string: "/proc/meminfo"
Source: Lc/d/a/b/c/l/m;->b(I)Ljava/lang/String; Method string: "/proc/"
Accesses android OS build fields
Source: com.google.firebase.FirebaseCommonRegistrar;->getComponents:45 Field Access: android.os.Build.PRODUCT
Source: com.google.firebase.FirebaseCommonRegistrar;->getComponents:50 Field Access: android.os.Build.DEVICE
Source: com.google.firebase.FirebaseCommonRegistrar;->getComponents:55 Field Access: android.os.Build.BRAND
Source: c.d.c.l.h.m.d;->j:23 Field Access: android.os.Build.MANUFACTURER
Source: c.d.c.l.h.m.d;->j:23 Field Access: android.os.Build.MODEL
Source: c.d.a.b.f.e.d6;->a:5 Field Access: android.os.Build.TYPE
Source: c.d.a.b.f.e.d6;->a:6 Field Access: android.os.Build.TAGS
Source: c.d.c.l.h.g.l;->y:175 Field Access: android.os.Build.PRODUCT
Source: b.b.b.f;-><clinit>:2 Field Access: android.os.Build.FINGERPRINT
Source: c.d.c.l.h.g.n;->S:224 Field Access: android.os.Build.TAGS
Source: c.d.c.l.h.g.l;->l:81 Field Access: android.os.Build.CPU_ABI
Source: c.d.c.l.h.g.n;->R:215 Field Access: android.os.Build.PRODUCT
Source: c.d.c.l.h.g.l;->m:83 Field Access: android.os.Build.PRODUCT
Source: c.d.c.l.h.g.l;->m:84 Field Access: android.os.Build.TAGS
Source: c.d.c.l.h.g.l;->x:167 Field Access: android.os.Build.PRODUCT
Source: c.d.c.l.h.g.l;->y:176 Field Access: android.os.Build.TAGS
Source: c.d.c.l.h.g.q;->d:22 Field Access: android.os.Build.CPU_ABI
Source: c.d.c.l.h.g.q;->p:205 Field Access: android.os.Build.MANUFACTURER
Source: c.d.c.l.h.g.q;->p:206 Field Access: android.os.Build.PRODUCT
Source: c.d.c.l.h.g.q;->p:209 Field Access: android.os.Build.MODEL
Source: c.d.a.b.g.b.t9;->j0:2642 Field Access: android.os.Build.MODEL
Source: c.d.a.b.g.b.t9;->j0:2647 Field Access: android.os.Build$VERSION.RELEASE
Source: c.b.a.n.q.d.r;->g:33 Field Access: android.os.Build.MODEL
Source: c.b.a.n.q.d.r;->h:57 Field Access: android.os.Build.MODEL
Source: c.b.a.n.q.d.z;-><clinit>:34 Field Access: android.os.Build.MODEL
Source: c.d.c.l.h.g.l$a;->e:31 Field Access: android.os.Build.CPU_ABI
Source: c.d.c.l.h.g.n;->R:209 Field Access: android.os.Build.MODEL
Source: c.d.c.l.h.g.n;->R:217 Field Access: android.os.Build.MANUFACTURER
Source: c.d.c.l.h.g.n;->R:218 Field Access: android.os.Build.PRODUCT
Source: c.d.c.l.h.g.n;->S:221 Field Access: android.os.Build$VERSION.RELEASE
Source: c.d.c.l.h.g.y;->h:104 Field Access: android.os.Build.MANUFACTURER
Source: c.d.c.l.h.g.y;->h:106 Field Access: android.os.Build.MODEL
Source: c.d.c.l.h.g.y;->j:112 Field Access: android.os.Build$VERSION.RELEASE
Source: c.d.a.a.i.d;->a:52 Field Access: android.os.Build.MODEL
Source: c.d.a.a.i.d;->a:58 Field Access: android.os.Build.DEVICE
Source: c.d.a.a.i.d;->a:61 Field Access: android.os.Build.PRODUCT
Source: c.d.a.a.i.d;->a:64 Field Access: android.os.Build.ID
Source: c.d.a.a.i.d;->a:67 Field Access: android.os.Build.MANUFACTURER
Source: c.d.a.a.i.d;->a:70 Field Access: android.os.Build.FINGERPRINT
Source: c.d.a.b.c.l.i;->b:9 Field Access: android.os.Build.TYPE
Source: c.d.a.c.r.e;->a:1 Field Access: android.os.Build.MANUFACTURER
Queries several pieces of sensitive phone information (note: the evidence below consists of generic method strings such as "os", "model" and "sdk", which are weak indicators on their own; the Build field accesses above and the TelephonyManager call under Language, Device and Operating System Detection are the concrete queries)
Source: Lc/d/c/l/h/i/a$h;-><clinit>()V Method string: "os"
Source: Lc/d/a/b/f/e/n4;->Z(Lc/d/a/b/f/e/n4;)V Method string: "android"
Source: Lg/u;->b(Ljava/security/cert/Certificate;)Ljava/lang/String; Method string: "type"
Source: Lc/d/a/b/c/c;->toString()Ljava/lang/String; Method string: "version"
Source: Lc/d/c/l/h/i/a$g;-><clinit>()V Method string: "manufacturer"
Source: Lc/d/a/a/i/d;->h(Landroid/content/Context;)Landroid/telephony/TelephonyManager; Method string: "phone"
Source: Lc/d/c/t/r/c;->b(Ljava/lang/String;Ljava/lang/String;)Lorg/json/JSONObject; Method string: "appid"
Source: Lc/d/c/l/h/i/a$g;-><clinit>()V Method string: "model"
Source: Li/b/j/h;-><clinit>()V Method string: "time"
Source: Lc/d/c/q/f$a;-><clinit>()V Method string: "sdk"
Queries the unique operating system id (ANDROID_ID)
Source: c.g.a.h;->j:410 API Call: android.provider.Settings$Secure.getString
Source: android Binary or memory string: VMware Virtual Platform

Anti Debugging:

Checks if debugger is running
Source: c.d.c.l.h.g.l;->w:162 API Call: android.os.Debug.isDebuggerConnected

Language, Device and Operating System Detection:

Queries the SIM provider numeric MCC+MNC (mobile country code + mobile network code)
Source: c.d.a.a.i.d;->a:92 API Call: android.telephony.TelephonyManager.getSimOperator
Checks if phone is rooted (checks for Superuser.apk). Note: the two obfuscated classes matched here, c.d.c.l.h.g.l and c.d.c.l.h.g.n, are the same ones that read Build.TAGS, /proc/meminfo, the running-process list and android.os.Debug.isDebuggerConnected elsewhere in this report, which is the device-state collection pattern of a crash-reporting SDK rather than app logic; decompile those classes before treating the root check as app behaviour.
Source: c.d.c.l.h.g.n;->S:224 API Call: java.io.File.<init>("/system/app/Superuser.apk")
Source: c.d.c.l.h.g.l;->m:84 API Call: java.io.File.<init>("/system/app/Superuser.apk")
Source: c.d.c.l.h.g.l;->y:180 API Call: java.io.File.<init>("/system/app/Superuser.apk")
Checks if phone is rooted (checks for test-keys build tags)
Source: c.d.a.b.f.e.d6;->a:14 API Call: java.lang.String.contains("test-keys")
Source: c.d.c.l.h.g.l;->y:178 API Call: java.lang.String.contains("test-keys")

Stealing of Sensitive Information:

Uploads sensitive phone information to the internet (privacy leak)
Source: 192.168.2.30:54584 -> 142.250.185.67:443 HTTP traffic detected: Header contains sensitive information: Galaxy Nexus (the device model, android.os.Build.MODEL; the signature labels it android.os.Build.TAGS, but TAGS holds build-signing tags such as test-keys or release-keys, not a model name). The destination is a Google-owned address and the report shows Firebase SDK code in the APK (see the FirebaseAnalytics and FirebaseCommonRegistrar entries), so a model string in a request header is consistent with SDK telemetry such as the default User-Agent; confirm against the full captured request before reporting it as app-specific exfiltration.
Reads logcat
Source: c.g.a.h;->k:442 API Call: java.io.BufferedReader.readLine
Queries a list of installed applications
Source: c.g.a.h;->callHandler:167 API Call: android.content.pm.PackageManager.queryIntentActivities
Source: submitted apk Request permission: android.permission.ACCESS_COARSE_LOCATION
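
The "privacy leak" finding above is a string match between device identity values and the bytes of an outbound request. The following is an added example, not part of the report or of the analysed app, that re-derives such a finding from a raw HTTP request and names the Build field each matched value came from (so that "Galaxy Nexus" is reported as Build.MODEL rather than Build.TAGS). The device values and the request are constructed stand-ins for the analysis phone and for the 192.168.2.30 -> 142.250.185.67:443 flow the report summarises; only the model string is taken from the report. Short values such as a release number are matched as whole tokens so that "4.3" does not fire on "1.4.3" or "4.3.1".

```python
import re

# Assumed identity of the analysis device (constructed values; only the model
# string comes from the report). Note which field each value belongs to:
# "Galaxy Nexus" is android.os.Build.MODEL; Build.TAGS holds signing tags.
DEVICE_FIELDS = {
    "android.os.Build.MODEL": "Galaxy Nexus",
    "android.os.Build.TAGS": "release-keys",
    "android.os.Build$VERSION.RELEASE": "4.3",
    "android.os.Build.FINGERPRINT": "google/yakju/maguro:4.3/JWR66Y/776638:user/release-keys",
    "Settings.Secure.ANDROID_ID": "0123456789abcdef",
}

MIN_SUBSTRING_LEN = 6   # shorter values such as "4.3" must match as whole tokens


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip()] = value.strip()
    return lines[0], headers, body


def _contains(text, value):
    """Case-insensitive substring for long values; whole-token match for short
    ones so that a version like "4.3" does not fire on "1.4.3" or "4.3.1"."""
    if len(value) >= MIN_SUBSTRING_LEN:
        return value.lower() in text.lower()
    return re.search(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", text) is not None


def find_leaks(raw, fields=None):
    """List (location, field, value) for every device field found in the
    request line, a header value or the body."""
    fields = DEVICE_FIELDS if fields is None else fields
    request_line, headers, body = parse_request(raw)
    places = list(headers.items()) + [("<body>", body), ("<request-line>", request_line)]
    leaks = []
    for where, text in places:
        for field, value in fields.items():
            if _contains(text, value):
                leaks.append((where, field, value))
    return leaks


# Constructed request standing in for the flow the report summarises; the
# User-Agent follows Android's default
# "Dalvik/<vm> (Linux; U; Android <release>; <model> Build/<id>)" format.
CONSTRUCTED_REQUEST = "\r\n".join([
    "POST /upload HTTP/1.1",
    "Host: example.invalid",
    "User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.3; Galaxy Nexus Build/JWR66Y)",
    "Content-Type: application/json",
]) + "\r\n\r\n" + '{"androidId":"0123456789abcdef","event":"app_open"}'

if __name__ == "__main__":
    for where, field, value in find_leaks(CONSTRUCTED_REQUEST):
        print(f"{where}: {field} = {value!r}")
```

Run against the constructed request, the model and release number are found in the User-Agent and the ANDROID_ID in the JSON body, while TAGS and FINGERPRINT are absent; the location column is what distinguishes a default-User-Agent leak from an identifier the app deliberately serialised.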

Remote Access Functionality:

Found suspicious command strings (may be related to BOT commands). Note: the matches below are androidx RecyclerView/GridLayoutManager diagnostic messages, a smali parameter name ("reversedflow") and the constant "app_update" from an obfuscated class in the c.d.a.b.g.b package, the same package tree whose i3 class calls FirebaseAnalytics above; none of these is a bot command, so treat this signature as a false positive for this sample.
Source: Landroidx/recyclerview/widget/RecyclerView$u;->C(Landroidx/recyclerview/widget/RecyclerView$c0;)V Method string: "trying to recycle an ignored view holder. you should first call stopignoringview(view) before calling recycle."
Source: Landroidx/recyclerview/widget/GridLayoutManager;->G2(Z)V Method string: "gridlayoutmanager does not support stack from end. consider using reverse layout"
Source: Lc/d/a/b/g/b/v5;-><clinit>()V Method string: "app_update"
Source: Landroidx/recyclerview/widget/RecyclerView$u;->C(Landroidx/recyclerview/widget/RecyclerView$c0;)V Instruction: "const-string v2, "trying to recycle an ignored view holder. you should first call stopignoringview(view) before calling recycle.""
Source: Lb/n/c/e;->E(Z)V Instruction: ".param p1, "reversedflow" # z"
Source: Lc/d/a/b/g/b/v5;-><clinit>()V Instruction: "const-string v15, "app_update""
[Legend of the contacted-IP distribution map: No. of IPs < 25%, 25%–50%, 50%–75%, > 75%]