# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://now.avg.com/pc-malware-that-silently-installs-apps-on-your-android-device 222.186.60.89:1001 # Reference: https://vms.drweb.com/virus/?i=17750684&lng=en # Reference: https://news.drweb.com/show/?lng=en&i=13108&c=14 androidcloud.org # Reference: https://research.checkpoint.com/preamo-a-clicker-campaign-found-on-google-play/ # Reference: https://www.virustotal.com/gui/domain/mnexuscdn.com/relations mnexuscdn.com # Reference: https://www.zscaler.com/blogs/research/third-party-android-store-sms-trojan app.in-spicy.com insidecontentsp.com incontsmart.com play4funclub.com /public/notification/is-active /app_sms_request_get_number.php /apps/moboporn/data/device_admin.php # Reference: https://twitter.com/051R15/status/984704059109093382 # Reference: https://www.virustotal.com/gui/file/932ad38cf5048e20641b27619b72a632b546cffb8f35515ea5200ea194b8fdb2/detection 103.249.31.87:11880 hold.jcgloball.org # Reference: https://twitter.com/sniko_/status/1136981531870867456 cryptonator.us # Reference: https://www.symantec.com/security_response/writeup.jsp?docid=2012-072411-4350-99&tabid=2 xxxdroidxxx.net # Reference: https://twitter.com/LukasStefanko/status/1136995445572550661 bibox365.us # Reference: https://twitter.com/LukasStefanko/status/1138768486514266112 admob-games.online admob-games.xyz liniatech.com # Reference: https://twitter.com/LukasStefanko/status/1139064061809893376 app.freegifts.top # Reference: https://cerbero-blog.com/?p=1633 (# AndroRAT) # Reference: https://www.virustotal.com/gui/file/dc9a0322ca263d733f91182f1e655a11cba28dc766031ce0665b6005900450d7/detection shoppingapp.no-ip.biz # Reference: https://cerbero-blog.com/?p=1633 (# OmniRAT) # Reference: https://www.virustotal.com/gui/file/9e1bee43a501132da732d1287126632438b91a9fcbf37afda7b8597055960877/detection strippermona2.no-ip.info # Reference: https://twitter.com/nullcookies/status/1177342951766278144 googleplaystore.net # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2014/2014-11-26-sms-spam-with-mobile-malware/sms-spam-with-mobile-malware.csv url7.me # Reference: https://www.virustotal.com/gui/ip-address/185.89.102.7/relations 185.89.102.7 # Reference: https://securelist.com/still-stealing/83343/ extensionsapiversion.space guest-stat.com # Reference: http://contagiominidump.blogspot.com/2012/12/trojanrussmssystemsecurity-toll-fraud.html # Reference: https://www.virustotal.com/en/file/664725869278f478e5a50a5e359dc6d5cf4f2a7019d0c122e2fa1e318f19636b/analysis/ # Reference: https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=516 # Reference: http://securelist.com/blog/incidents/59384/new-threat-trojan-sms-androidos-stealer-a/#page_top load-center.ru # Reference: https://twitter.com/051R15/status/1068411354216722432 211.188.179.86:8686 # Reference: https://twitter.com/ninoseki/status/1176732200873578496 # Reference: https://www.virustotal.com/gui/file/9cfea36afbc687f967a4509fb9a7f07b4439bf85b319dc3c937a262a142858cc/detection # Reference: https://pastebin.com/c8JQLkf1 154.197.51.135:84 45.204.2.128:82 45.204.2.128:83 45.204.2.149:83 45.204.2.158:83 http://154.197.51.131 http://154.197.51.134 http://154.197.51.135 http://154.197.51.136 http://154.197.51.137 http://45.204.2.128 http://45.204.2.149 http://45.204.2.158 http://61.218.17.208 http://61.218.17.209 http://61.218.17.210 http://61.218.17.218 http://61.219.193.249 http://61.219.193.252 http://61.219.255.43 http://61.230.136.233 http://61.230.140.192 # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2016/2016-05-31-android-spyware-targets-security-job-seekers-in-saudi-arabia/android-spyware-targets-security-job-seekers-in-saudi-arabia.csv # Reference: https://www.virustotal.com/gui/file/7cbf61fbb31c26530cafb46282f5c90bc10fe5c724442b8d1a0b87a8125204cb/detection # Reference: https://www.virustotal.com/gui/file/4aef8d9a3c4cc1e66a6f2c6355ecc38d87d9c81bb2368f4ca07b2a02d2e4923b/detection /Hac%20Mobaile/ /Hack%20Mobaile/ADDNewSMS.php /Hack%20Mobaile/ADDIMSI.php /Hack%20Mobaile/ADDVCF.php /Hack%20Mobaile/ADDHISTORYINTERNET.php /Hack%20Mobaile/ADDSMS.php /Hack%20Mobaile/ADDNewSMS.php # Reference: https://www.virustotal.com/gui/file/cd729d7035c69ab0ffa1aa52fff1c70fea60340c6ee74003ed4d9fd5fd87ad5e/detection midoken18.ddns.net # Reference: https://www.virustotal.com/gui/file/3ab6cd063e8ba3a2ed7e804a5ab1770add5d6aa1d56e9d4c71b2c0e0b2b86aeb/detection 185.217.1.190:2121 thefreebestfantasticmisticplace.com # Reference: https://www.virustotal.com/gui/file/d91b40a09c989ea9e630e9b3eb80addb8f6c193c48e2dccc989a33d546ed8eaa/detection text-dll-mo.linkpc.net # Reference: https://www.virustotal.com/gui/file/ac22327dcd3336f41216ab282c97ab9204bd3312bc112027c58e8befc52167c6/detection kanich.duckdns.org # Reference: https://www.virustotal.com/gui/file/e36c616ad524813059a48fa1654be3d28c27b6a1a01bda1dcb680f0251d147c1/detection pikachu077.duckdns.org # Reference: https://www.virustotal.com/gui/file/ad3ba8393f6f3a05dce5c3476f149732dce6794685847520755209a140f2c0a7/detection ghostdoor-36929.portmap.io # Reference: https://www.virustotal.com/gui/file/256c4d26410ea29f9a71b10792d3cc1533783f80ed9058025663bbf9fef19142/detection 193.161.193.99:34288 sivem-34288.portmap.io # Reference: https://www.virustotal.com/gui/file/3ba08b95030eb44ced91bd90dd585ec48365935808f3ba1304221106781db7c6/detection 193.161.193.99:36447 aprsgk-36447.portmap.host # Reference: https://www.virustotal.com/gui/file/6280e944104fb8745091b3973127f26034192426977523bde6f2fd9ead31f216/detection 193.161.193.99:28873 # Reference: https://www.virustotal.com/gui/file/3d1645625ee2bb1cadf901c03eeafbc772ebde1fe2e69c37c3c6038ed3b4bca9/detection 193.161.193.99:40247 kyleer.duckdns.org # Reference: https://www.virustotal.com/gui/file/c1d8dc289cae8e506dae878bec93cf08eddc0a408ec112fbe518f841a7959980/detection 193.161.193.99:63683 # Reference: https://www.virustotal.com/gui/file/d2d222d8249b7b37f4e15bef5fe13c0791ac903f4615b2368b4ca20ce26ec7d5/detection 193.161.193.99:53191 narpatbose-53191.portmap.host # Reference: https://www.virustotal.com/gui/file/a2a33e1e8b1e01a6ca93db88a5afefb4e6b8801481a5b976aee5151f8da404c9/detection 193.161.193.99:42178 darkdick.duckdns.org # Reference: https://www.virustotal.com/gui/file/2ae8555419e5dd0167a06ec307f54fc587cd40a06c388c0cbbbdc7b2cfb1464f/detection 193.161.193.99:25589 Neboys-25589.portmap.io # Reference: https://www.virustotal.com/gui/file/8a1459cfd167d53fa3d599a3e6b88d72edb5ed86374ce75cfc439026f948d176/detection ajmal-40797.portmap.io # Reference: https://www.virustotal.com/gui/file/757b2018d1b9c7e658f39e376bdc47799f7774888ac26b12a5dc60e0bca414d1/detection 193.161.193.99:46682 redexrocks-46682.portmap.io # Reference: https://www.virustotal.com/gui/file/989d038aa3a2ff948037470af11ae6df8e0d3806c0a5ae063638ed4653c9d453/detection ceca-46670.portmap.io # Reference: https://www.virustotal.com/gui/file/ec71a8f4fd33c7852f3ada6dbef4176364d27e7a3d5c7645a4e3618054d59d95/detection 193.161.193.99:40119 hadisikeraq-40119.portmap.host # Reference: https://www.virustotal.com/gui/file/8c72bb3d375de1409b7e6a2f59a9f7b6742ab00a1d9f44c08896ac91fd625ceb/detection 193.161.193.99:1337 hackaniyan123-28446.portmap.host # Reference: https://www.virustotal.com/gui/file/1d11d8522383ceb2dd31847066e6d5b38711c19728a2b061f34de4fe00f7931d/detection 193.161.193.99:44899 allaya-44899.portmap.host # Reference: https://www.virustotal.com/gui/file/4927c90df692cc0b6daab6dc789ed87d05e8308120aefed5b3864aa2ef7ea9c4/detection parkerrhino22-35670.portmap.host # Reference: https://www.virustotal.com/gui/file/37213724622b7ddd26cb62da058d7d29b17d0157d90ccbc81b1f9c51fb453b76/detection soma1q-46620.portmap.io # Reference: https://www.virustotal.com/gui/file/fee56ec8f0eb682db76281aa208a76dda29d3c3c8bef8c89e41932c5581cb8fc/detection 193.161.193.99:37138 # Reference: https://www.virustotal.com/gui/file/5ac0ad807be80133b655b386eb77f7b7fac312fa74f584d8cdad35daf1776881/detection 193.161.193.99:56605 # Reference: https://www.virustotal.com/gui/file/1ddeffc5d315e5263c3c9bd5883822435be0bd4bf9ab9b9b87214143705be220/detection 193.161.193.99:36343 # Reference: https://www.virustotal.com/gui/file/e7cf7c54d3a8b6e2edfae7c8bbf8427150418db691d60c1db1d8bb971a6cd333/detection manuse-52828.portmap.host # Reference: https://www.virustotal.com/gui/file/2e2268001cd304fc904ece47266862cdf653adde32f694d109f7891fd27a7a9a/detection yasin69-58773.portmap.host # Reference: https://www.virustotal.com/gui/file/2b4d4f0f5eb58743f55f97261971539be68045cd94a64a8026b8516bcbcd2beb/detection bewman-27570.portmap.host # Reference: https://www.virustotal.com/gui/file/23c5c73e76472eff51d09d62d972165900bfd8e97b5b95a3fbe877defb5f83f6/detection LAPTOP-8OHQN8H-33163.portmap.io # Reference: https://www.virustotal.com/gui/file/8e9e743c552776b4f4f65d268862acd55d3b1eb5399cf88d14e45cb7e70d9cd2/detection nobodydoes-62739.portmap.host # Reference: https://www.virustotal.com/gui/file/96a8ed7272a62d1a5950a3ed1090283073a0ff987939da4d5e20489d5a139043/detection 193.161.193.99:48545 # Reference: https://www.virustotal.com/gui/file/d3de3d49947abb7860d9fca288fa610a0b25cef0761220a03243e4a5039dfb25/detection 193.161.193.99:23740 king090371-23740.portmap.io # Reference: https://www.virustotal.com/gui/file/6a4612a258f0ae6cb3bbef56227ce32d504e33187bee75250591ee51d42c24f1/detection 60770a3c1e5cb79771c84d26219b315f.duckdns.org # Reference: https://www.virustotal.com/gui/file/6bc63ed3d63acb96faaa2d9de2c225ccf77827b0f7c0c87417eda394efd5d407/detection 193.161.193.99:54044 fbz-54044.portmap.io # Reference: https://www.virustotal.com/gui/file/3e34699904e5cd553b0c786e961dfa3b47307b9485d04c4a21833f52f682dedb/detection blabla-64010.portmap.io # Reference: https://www.virustotal.com/gui/file/6d3371a6fb582f2fb69d8fe14eb9e953ccd0bb93ad24d669b97e2fd52463d00b/detection 193.161.193.99:58489 # Reference: https://www.virustotal.com/gui/file/bff674e0d2cb44aa0ae2d7124a08ccedda5f09843953c2fb04e51d635185e06d/detection 193.161.193.99:58489 yagomilenio.ddns.net # Reference: https://www.virustotal.com/gui/file/cf74e0454c815739ab9b4e3add541042675ee2f3c9287c22811d33e0bad2ef06/detection 193.161.193.99:28750 Hackerprofesional-28750.portmap.io # Reference: https://www.virustotal.com/gui/file/5ea0b093514ca513755877d1407f97a667510480a6931ec2553b8268c7fa3c6e/detection 193.161.193.99:30479 # Reference: https://www.virustotal.com/gui/file/ae3fdadda6c13dc895fa48862b519751a03d0107a7a8b456460f550f483d7f6b/detection 193.161.193.99:61770 # Reference: https://www.virustotal.com/gui/file/1cbcf97ea3658dd477105dd5bf75f2dc545fd48898220752e6e515e751d4e874/detection gimiexpert.duckdns.org # Reference: https://www.virustotal.com/gui/file/88e4c82169a018046ed711e5d199cfffa1ac2bc974237f7ff30013a0f3c6d202/detection 193.161.193.99:61891 LAPTOP221421-61891.portmap.io # Reference: https://www.virustotal.com/gui/file/e6d6c2f48603c6be4937908d841e3b3af2cd21876e05987d688523ba1deedd3e/detection 3.19.3.150:16866 # Reference: https://www.virustotal.com/gui/file/e221cfff004c9423b27e921684e629dc5d98279227eb2a5253364ebda0b233be/detection 3.14.212.173:13392 3.19.3.150:13392 # Reference: https://www.virustotal.com/gui/file/c438f42bf63828943c537b48203c40448b46d1ba0987a02696481dfcf1a20167/detection 3.19.3.150:12128 # Reference: https://www.virustotal.com/gui/file/87e415521d0b2f63ac96e4689072c377c4c26fd8265c1e7e67f70e53433cbc38/detection 3.19.3.150:16153 # Reference: https://www.virustotal.com/gui/file/dd33f5656995cc1a5f50d0064c9efd82aefe3ecaa357190a6402ee3a6663610a/detection 3.19.3.150:14457 # Reference: https://www.virustotal.com/gui/file/21856a6bd24af73aea9aee0d656ef2208c2ebbb6011c457549988a241394657b/detection 3.19.3.150:14921 # Reference: https://www.virustotal.com/gui/file/a970f8de2ae9dbed6b4e982f65e7706a03ee510693d869dce2eb30a37a97d6b2/detection 3.19.3.150:16189 # Reference: https://www.virustotal.com/gui/file/cd38c945796f0ec0fcece3126875a96ad4324d76028348412fc9a78a79c722c1/detection 3.19.3.150:13234 # Reference: https://www.virustotal.com/gui/file/b74dacb1e380dae54434fb4d6206b501e0f3ab6016c7453f3c6ef1ff3382ea17/detection 3.19.3.150:14892 # Reference: https://www.virustotal.com/gui/file/34ccd61d454162e8a6fa8599586ce8248e53aab9e38a291ca336fda66053fad9/detection androidapp.myq-see.com # Reference: https://www.virustotal.com/gui/file/91f12329d74e5ca5b055256d999d92294caf8d194db145a8063a398990812165/detection 185.101.92.3:4339 asson.myq-see.com # Reference: https://www.virustotal.com/gui/file/92f6b8f14527f7e755b535d8442f4a8cf562f92584ab5e50eb126fc9c527f303/detection 193.161.193.99:34279 # Reference: https://www.virustotal.com/gui/file/4d4b02db0f7df2d43f7ecd98580faa5d58b3f0e43e0fe3bde4e22ea2954686c6/detection 54.81.215.72:12301 # Reference: https://www.virustotal.com/gui/file/7c86f4236e7b32467e2cd2fd797a1f794ed0c00703871bb55d78b6ba98567711/detection 141.255.150.115:3210 141.255.154.248:3210 # Reference: https://www.virustotal.com/gui/file/cc9186e56a28e2e069c0e02000882f1e725b8631a0da04c79117f4dc46ccc78c/detection console-wifi.ddns.net # Reference: https://www.virustotal.com/gui/file/db87c6455b568eb63e25b22688affd3e15eb4683a656061ba5a50ac26b8af702/detection 197.32.108.10:2222 91.109.176.6:2222 ahmed444mah.myftp.biz # Reference: https://www.virustotal.com/gui/file/1939024a2e094348b5068a569e5968a09e7d612351b0f9ff7e4bbcd32aee24d7/detection qna.hopto.org # Reference: https://www.virustotal.com/gui/file/3a7e844f3e2709ac9aa352183f55347e9729c95c51e44f72f6073d12893783b9/detection danielgomesb.hopto.org # Reference: https://www.virustotal.com/gui/file/ce3d7392c08178a064432f952302c10bda264b09c7f7e6477a9e668072cdd506/detection 177.40.160.231:1337 179.176.142.193:1337 # Reference: https://www.virustotal.com/gui/file/ac99d6ecf20ede3c1064a5790ea66d4080776c7369dc7f878c3dcd658dc7d5ee/detection 179.178.9.126:1337 # Reference: https://www.virustotal.com/gui/file/7607ecae59fdb498d0e6691f0b3049eeb03cbc7c456a46e415ccfc3f672b09a4/detection # Reference: https://www.virustotal.com/gui/file/3635d1220ce1ac04cfa2cd99e7878f33b98d4c9841ec3d5731b9ff1a67d0e034/detection mobihok.net # Reference: https://mobile.twitter.com/LukasStefanko/status/1032884776825434112 http://59.105.6.230 # Reference: https://twitter.com/LukasStefanko/status/1039435272017117185 teensexmovies21.tk # Reference: https://twitter.com/LukasStefanko/status/1114065804943867904 jakajakreminota.work /metabbiroma2/terro.php # Reference: https://twitter.com/virqdroid/status/1117771719412989952 flashnew111.top letsfuckit111.top pastbische1.top # Reference: https://twitter.com/LukasStefanko/status/1123875894488072193 # Reference: https://www.virustotal.com/gui/domain/stimpado.com/details stimpado.com /sam01/set.php # Reference: https://twitter.com/sh1shk0va/status/1186968376930897926 (# Ginp) # Reference: https://twitter.com/PRODAFT/status/1187620160401793024 http://64.44.133.36 carnivors284.info # Reference: https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html # Reference: https://www.virustotal.com/gui/file/0ee075219a2dfde018f17561467272633821d19420c08cba14322cc3b93bb5d5/detection http://64.44.51.107 # Reference: https://www.virustotal.com/gui/file/ab90578cdb6641c32ce3242d4c9f03b4b2a17e061afe9e1d58d9fd73c483769c/detection http://185.198.57.24 /private/tuk_tuk.php # Reference: https://www.virustotal.com/gui/domain/u363571.test93w.ru/details u363571.test93w.ru # Reference: https://www.virustotal.com/gui/domain/u36317.test93w.ru/relations u36317.test93w.ru /private/set_data.php # Reference: https://twitter.com/JayTHL/status/1214205248945999873 chase-banksonline.com # Reference: https://twitter.com/ni_fi_70/status/1227964755589189632 # Reference: https://www.virustotal.com/gui/ip-address/200.6.39.216/relations # Reference: https://www.virustotal.com/gui/file/58bd88693864b0375032d3507fe359e79d1ee179e51c5a7d1b2b8e17c8102a17/detection 200.6.39.216:80 app-bbva.online /controls/bbva_es/control.php?message= /controls/milenium/control.php?message= # Reference: https://www.virustotal.com/gui/ip-address/169.197.110.86/relations 169.197.110.86:80 # Reference: https://www.virustotal.com/gui/file/1ff1122748bb717fdae81acaca176a8c8d1fd7babbd04451d67ad5d72d33a83c/detection 141.255.153.71:1177 testesild68.ddns.net # Reference: https://www.virustotal.com/gui/file/e8b7ecb0266db61e222e89e295f610baeb550117097ae277e5d4e27e05a28376/detection # Reference: https://www.virustotal.com/gui/domain/app.smartnewsource.com/relations app.smartnewsource.com # Reference: https://www.virustotal.com/gui/file/17aa8c580c201567a98a721e3b21d0ac45a15dd513e7c58638b7ca7862fd7b7a/detection 168.235.111.253:4339 majomodelagency.duckdns.org # Reference: https://www.virustotal.com/gui/file/97a8aded5dba613bdac4cccd17a4d06e7f10d297798dcc0d52f398c1357739f2/detection 168.235.111.253:1818 cooldreamers.ddns.net # Reference: https://www.virustotal.com/gui/file/ce7dc9c5333068f9923dc5bb37f2ba8255f3f13b5433dc1d5938a16643c51817/detection 168.235.111.253:1604 # Reference: https://www.virustotal.com/gui/file/2844249359ce1e7a8e8b6e11c7497b8888ff6a4fc6d644c96dfa1c76def35f5c/detection 168.235.111.253:1617 didi03.duckdns.org # Reference: https://www.virustotal.com/gui/file/9b1a1ccedfb4439d7f30468953fb30d3e353041ed61897be805fb81e3137798f/detection 102.69.0.221:5214 194.35.115.37:5214 # Reference: https://www.virustotal.com/gui/file/d53c5908beea8b54a1190c90049a2c15b833df44e5a1000f62255aa01893871d/detection 45.74.46.199:8484 # Reference: https://twitter.com/malwaretracekr/status/1236656514800054274 # Reference: https://www.virustotal.com/gui/file/69f2b139bc5c5480b85ef67171816972c6eb3a1152b6cc8900e98c75c98b097d/detection cjthemsk.cn # Reference: https://securelist.com/cookiethief/96332/ yoboxtool.com yomobi.net youzicheng.net # Reference: https://twitter.com/LukasStefanko/status/1240913992383684610 codebeta.in # Reference: https://www.virustotal.com/gui/file/8a87cfe676d177061c0b3cbb9bdde4cabee0f1af369bbf8e2d9088294ba9d3b1/detection coronasafetymask.tk # Reference: https://twitter.com/LukasStefanko/status/1243317183419219969 freepornhub.host # Reference: https://twitter.com/malwrhunterteam/status/1243533202507075584 dl.ac19.am # Reference: https://www.virustotal.com/gui/file/22b900664bf56c376079c088decffebe04e13f3a1440da4c79562bc949733484/detection 91.218.65.24:5214 # Reference: https://twitter.com/virqdroid/status/1243847928814489602 (# ProjectSpy) # Reference: https://www.virustotal.com/gui/file/e394e53e53cd9047d6cff184ac333ef7698a34b777ae3aac82c2c669ef661dfe/detection cashnow.ee spy.cashnow.ee /Corona_Virus.apk # Reference: https://twitter.com/malwrhunterteam/status/1239477012827381760 /avist.apk # Reference: https://www.virustotal.com/gui/file/78e3efb6b9eca61de2ae53064702d7879d8f2430c7793fe20a5fef999d12691a/detection 141.255.156.231:1177 191.177.187.33:1177 ccman32.duckdns.org # Reference: https://www.virustotal.com/gui/file/78e3efb6b9eca61de2ae53064702d7879d8f2430c7793fe20a5fef999d12691a/detection 141.255.151.102:1177 # Reference: https://www.virustotal.com/gui/ip-address/141.255.156.231/relations iphone-skyrock.ddnsking.com # Reference: https://twitter.com/malwrhunterteam/status/1243991887998001153 /Ac19-V1.2.0.apk # Reference: https://www.virustotal.com/gui/file/06bb1f4da96df4857c94e73794fc9b0c283b6cecb974d2eb9c89fe0f4afab6bb/detection 141.255.152.138:2222 # Reference: https://www.virustotal.com/gui/file/92647585c0aab0009197ba287a871f752c6a49e095f648afa1ffc4a6a657ae34/detection 41.104.196.248:2222