# Various telemetry endpoints (hosts and domains) used by mobile location tracking libraries
|
||
# Contact: mobiletrackers [at] protonmail.ch
|
||
# See: https://github.com/craiu/mobiletrackers/
|
||
# Version 1.46 - 2024-02-07
|
||
#
|
||
|
||
# xmodesocial - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
|
||
||bin5y4muil.execute-api.us-east-1.amazonaws.com^
|
||
# unknown, possibly xmodesocial - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
|
||
||8balwalz1i.execute-api.us-east-2.amazonaws.com^
|
||
|
||
# unknowns - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
|
||
||api.smartechmetrics.com^
|
||
||ck-running-apps-700f1.firebaseio.com^
|
||
||pie.wirelessregistry.com^
|
||
|
||
# unknowns - 010f7bb33f35cc650b7d6104b07102eb0dbaf79bcec1f1c6255fdcaffefe6b68 - com.davidsukhin.com.sukhin.snowdaycalculator.SnowDay
|
||
# URLs below are stored base64-encoded and XOR-encrypted with key 0x09 ->
|
||
||udata.elephantdata.net^
|
||
||atb.bearclod.com^
|
||
# pDNS data for the IPs associated with atb.bearclod.com ->
|
||
||alb.bearclod.com^
|
||
||aly.bearclod.com^
|
||
||alz.bearclod.com^
|
||
||atb.bearclod.com^
|
||
||bivitis.bearclod.com^
|
||
||brt.bearclod.com^
|
||
||brul.bearclod.com^
|
||
||hfstat.bearclod.com^
|
||
||hkn01.bearclod.com^
|
||
||ply.bearclod.com^
|
||
||zoo.bearclod.com^
|
||
|
||
# crashlytics - 4711634730d5367756bba4d776d846b01b8d0373336ea877a2c20b1da0a95477 - com.sgiggle.production_5.2.229629_1538560344.apk
|
||
||settings.crashlytics.com^
|
||
||e.crashlytics.com^
|
||
|
||
# starbolt - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
|
||
||sdk.starbolt.io^
|
||
||dmp.starbolt.io^
|
||
||devices.starbolt.io^
|
||
|
||
# sense360 ? - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
|
||
||android-quinoa-config-prod.sense360eng.com^
|
||
||survey-notify-event.sense360eng.com^
|
||
||quinoa-personal-identify-prod.sense360eng.com^
|
||
|
||
# appmeasurement - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
|
||
||app-measurement.com^
|
||
|
||
# newrelic - 2d4c9c037db43704f52968c9c363cbdf382cbb6a4b9143825f6e8b523b7c0c01 - com.crowdcompass.appmQaIam3e7C.apk
|
||
||mobile-collector.newrelic.com^
|
||
||mobile-crash.newrelic.com^
|
||
|
||
# Xiaomi related telemetry endpoints - see https://twitter.com/hookgab/status/1255859289945780225
|
||
||data.mistat.india.xiaomi.com^
|
||
||data.mistat.intl.xiaomi.com^
|
||
||data.mistat.rus.xiaomi.com^
|
||
||tracking.rus.miui.com^
|
||
||tracking.intl.miui.com^
|
||
||tracking.india.miui.com^
|
||
# from https://twitter.com/cybergibbons/status/1256703550954057729
|
||
||sa.api.intl.miui.com^
|
||
||sa.api.india.miui.com^
|
||
||sa.api.rus.miui.com^
|
||
|
||
# new xmodesocial - from https://mobile.twitter.com/guardianiosapp/status/1262545645941874689
|
||
||api.myendpoint.io^
|
||
|
||
# aggressive advertisers - https://securelist.com/in-app-advertising-in-android/97065/
|
||
# 1eeda6306a2b12f78902a1bc0b7a7961 – com.android.ggtoolkit_tw_xd
|
||
# 134283b8efedc3d7244ba1b3a52e4a92 – com.xprodev.cutcam
|
||
# 3aba867b8b91c17531e58a9054657e10 – com.powerd.cleaner
|
||
||ti.domainforlite.com^
|
||
||uu.domainforlite.com^
|
||
# pDNS resolutions for uu.domainforlite.com, hosting on 47.252.80.195
|
||
||adserver.hahamobi.com^
|
||
||analytics.hahamobi.com^
|
||
||analytics.salmonads.com^
|
||
||api.salmonads.com^
|
||
||dat.funheroic.com^
|
||
||lg.luckyforworlds.com^
|
||
||lg.requestads.com^
|
||
||lg.smardroid.com^
|
||
||log.adywind.com^
|
||
||log.mobpowertech.com^
|
||
||net.hahamobi.com^
|
||
||net.salmonads.com^
|
||
||us01.salmonads.com^
|
||
||uu.domainforlite.com^
|
||
|
||
# mobile ads, 2020-07-07, additions from https://securelist.com/pig-in-a-poke-smartphone-adware/97607/
|
||
||www.ywupscsff.com^
|
||
||www.mzeibiyr.com^
|
||
||i151125.infourl.net^
|
||
||www.jueoxdr.com^
|
||
||ufz.doesxyz.com^
|
||
||htapi.getapiv8.com^
|
||
||stable.icecyber.org^
|
||
||404mobi.com^
|
||
||51ginkgo.com^
|
||
||lbjg7.com^
|
||
||bigdata800.com^
|
||
||apd1.warnlog.com^
|
||
||apd1.thunup.com^
|
||
|
||
# mintegral, 2020-08-30, described at: https://snyk.io/research/sour-mint-malicious-sdk/
|
||
||n.systemlog.me^
|
||
||setting.rayjump.com^
|
||
||analytics.rayjump.com^
|
||
# from pDNS on n.systemlog.me ->
|
||
||net.cleverjp.com^
|
||
|
||
# from fake NEXTALIVE (moonfair) application - https://www.zdnet.com/article/google-removes-android-app-that-was-used-to-spy-on-belarusian-protesters/
|
||
||arcpi.nextialive.roimaster.site^
|
||
||api.nextialive.roimaster.site^
|
||
||ws.nextialive.roimaster.site^
|
||
||nextialive.roimaster.site^
|
||
||api.dev.chat.roimaster.site^
|
||
||dev.chat.roimaster.site^
|
||
|
||
# Joker download URLs / hosts as described by ZScaler - https://www.zscaler.com/blogs/security-research/joker-playing-hide-and-seek-google-play
|
||
||2j1i9uqw.oss-eu-central-1.aliyuncs.com^
|
||
||blackdragon03.oss-ap-southeast-5.aliyuncs.com^
|
||
||blackdragon.oss-ap-southeast-5.aliyuncs.com^
|
||
||fgcxweasqw.oss-eu-central-1.aliyuncs.com^
|
||
||jk8681oy.oss-eu-central-1.aliyuncs.com^
|
||
||laodaoo.oss-ap-southeast-5.aliyuncs.com^
|
||
||laodaoo.oss-ap-southeast-5.aliyuncs.com^
|
||
||n47n.oss-ap-southeast-5.aliyuncs.com^
|
||
||nineth03.oss-ap-southeast-5.aliyuncs.com^
|
||
||proxy48.oss-eu-central-1.aliyuncs.com^
|
||
||rinimae.oss-ap-southeast-5.aliyuncs.com^
|
||
||sahar.oss-us-east-1.aliyuncs.com^
|
||
|
||
# Cerberus C2s as described by BitDefender - https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/
|
||
||2fapass.club^
|
||
||androidradio.life^
|
||
||downdating.club^
|
||
||fitnessstrategy.xyz^
|
||
||groovefitness.xyz^
|
||
||loversfinder.xyz^
|
||
||positivefitness.club^
|
||
||safeyourdata.xyz^
|
||
||sport4ever.club^
|
||
||vipyoga.today^
|
||
||weatherclub.club^
|
||
||yoga4u.xyz^
|
||
|
||
# unknown (?) telemetry-receiving endpoints from:
|
||
# 066de93f181e9cbcb8611c675bbcb0fc - com.speedcamera.detector.radar.detector.direction
|
||
||yqchpwxvbg.execute-api.us-east-1.amazonaws.com^
|
||
||pn8sm7rjuc.execute-api.us-east-1.amazonaws.com^
|
||
|
||
# venntel / gravy analytics from https://github.com/sociam/PROWISH/blob/master/data/200appsdynamic.csv
|
||
# venntel / gravy analytics from https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf
|
||
# gravy analytics docs - http://developers.findgravy.com/products/gold-api/docs/index2.html
|
||
||api.findgravy.com^
|
||
||nwzhmwux-api.findgravy.com^
|
||
||zmq5ytc1-api.findgravy.com^
|
||
||mtm1nwmx-api.findgravy.com^
|
||
||gravyanalytics.com^
|
||
# 51ec8159efb88a852005b94f0fd9891016b75f4b40d24608ee8a5c8d34826a3e - com.usatoday.android.news
|
||
||ws.findgravy.com^
|
||
||api.foozor.com^
|
||
||testapi.foozor.com^
|
||
# additional, potentially related findgravy.com hosts
|
||
||img01.findgravy.com^
|
||
||img02.findgravy.com^
|
||
||img03.findgravy.com^
|
||
||img04.findgravy.com^
|
||
|
||
# 51ec8159efb88a852005b94f0fd9891016b75f4b40d24608ee8a5c8d34826a3e - com.usatoday.android.news
|
||
||pushapi.localytics.com^
|
||
||analytics.localytics.com^
|
||
||profile.localytics.com^
|
||
|
||
# cuebiq location sdk from ->
|
||
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
|
||
||in.cuebiq.com^
|
||
||ingestion-api.kiwi.sand.cuebiq.ai^
|
||
|
||
# nodle.io sdk from ->
|
||
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
|
||
||dev.nodle.io^
|
||
||us-central1-production-242307.cloudfunctions.net^
|
||
|
||
# unknown sdk from 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass possibly xmode related
|
||
||api.smartechmetrics.com^
|
||
|
||
# more crashlytics hosts from 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
|
||
||firebase-settings.crashlytics.com^
|
||
||update.crashlytics.com^
|
||
||reports.crashlytics.com^
|
||
|
||
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass ->
|
||
||pixelprose.fr^
|
||
|
||
# appsflyer from b8ce13566a048108b4321f5277e4d95a5d5743da4f082fbca30074439acf5a15 - com.unacademyapp
|
||
||onelink.me^
|
||
||onelnk.com^
|
||
||app.aflink.com^
|
||
||t.appsflyer.com^
|
||
|
||
# other various telemetry endpoints (not necessarily location related) from b8ce13566a048108b4321f5277e4d95a5d5743da4f082fbca30074439acf5a15 - com.unacademyapp
|
||
||api.mixpanel.com^
|
||
||decide.mixpanel.com^
|
||
||cdn.optimizely.com^
|
||
||logx.optimizely.com^
|
||
||outline.truecaller.com^
|
||
||api4.truecaller.com^
|
||
||c.webengage.com^
|
||
||p.webengage.com^
|
||
||api.branch.io^
|
||
||bnc.lt^
|
||
||cdn.branch.io^
|
||
||e.crashlytics.com^
|
||
||settings.crashlytics.com^
|
||
||js.intercomcdn.com^
|
||
||mobile-sdk-api.intercom.io^
|
||
|
||
# Clevertap's wzrkt.com - also see https://twitter.com/fs0c131y/status/977267255309463554
|
||
||wzrkt.com^
|
||
||in.wzrkt.com^
|
||
# subdomains from wzrkt.com - https://subdomainfinder.c99.nl/scans/2020-04-19/wzrkt.com
|
||
||api.wzrkt.com^
|
||
||cb.wzrkt.com^
|
||
||eu1-spiky.wzrkt.com^
|
||
||eu1.alb.wzrkt.com^
|
||
||eu1.wzrkt.com^
|
||
||in.cb.wzrkt.com^
|
||
||in1-spiky.wzrkt.com^
|
||
||in1.alb.wzrkt.com^
|
||
||in1.wzrkt.com^
|
||
||sg1-spiky.wzrkt.com^
|
||
||sg1.cb.wzrkt.com^
|
||
||sg1.wzrkt.com^
|
||
||sk1-spiky.wzrkt.com^
|
||
||sk1-staging-1.wzrkt.com^
|
||
||sk1-staging-10.wzrkt.com^
|
||
||sk1-staging-2.wzrkt.com^
|
||
||sk1-staging-3.wzrkt.com^
|
||
||sk1-staging-4.wzrkt.com^
|
||
||sk1-staging-5.wzrkt.com^
|
||
||sk1-staging-6.wzrkt.com^
|
||
||sk1-staging-7.wzrkt.com^
|
||
||sk1-staging-8.wzrkt.com^
|
||
||sk1-staging-9.wzrkt.com^
|
||
||sk1.wzrkt.com^
|
||
||us1-spiky.wzrkt.com^
|
||
||us1.cb.wzrkt.com^
|
||
||us1.wzrkt.com^
|
||
|
||
# from cb9f6bb72a9766ba8c805c25769b47c46751052706bb41ed333db0b42cd586ff - com.byjus.thelearningapp
|
||
# also see https://digitalwatchdog.org/wp-content/uploads/2020/09/IDAC-Ed-Tech-Report_AppendixB_SensitiveData.pdf
|
||
||api.tllms.com^
|
||
||marketing.tllms.com^
|
||
|
||
# from 09f5bcadde3351eb3f509f5a471cbd7bb00536292da560bcf8ee59eb73116f00 - luo.speedometergps
|
||
# teragence ->
|
||
||control.teragence.net^
|
||
||pfsense02-01.is-61194.teragence.net^
|
||
# tutela ->
|
||
||upload-tutelawest.s3-accelerate.amazonaws.com^
|
||
||reporting-util.tutelatechnologies.com^
|
||
||hail-reporting.tutelatechnologies.com^
|
||
||thepopulator.tutelatechnologies.com^
|
||
# huq (also from 9c53a29a7e6a871f57b20097185a09afd2ff818455a42792d502f1eb8f2e3679) ->
|
||
||api.huqindustries.co.uk^
|
||
||report.huqindustries.co.uk^
|
||
||charles.huqindustries.co.uk^
|
||
|
||
# IOCs from https://www.whiteops.com/blog/somewhere-over-the-rainbowmix
|
||
||api.pythonexample.com^
|
||
|
||
# Predicio - from Funny Weather - pl.lawiusz.funnyweather.release.apk - 6d23151e69a57f67111d4969594316576577ae8a2015aff336ab6ef0fb2a07b4
|
||
# see https://www.vice.com/en/article/epdpdm/ice-dhs-fbi-location-data-venntel-apps
|
||
||sdk.predic.io^
|
||
|
||
# Kinesis endpoint from Funny Weather:
|
||
||kinesis.ap-southeast-1.amazonaws.com^
|
||
|
||
# Complementics endpoints from 4ba50272718c95af20940912c7968410d797fbc07dcce2bad8183b94887b0ab4
|
||
||sdk-as.complementics.com^
|
||
||static.complementics.com^
|
||
|
||
# Goontact from https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail
|
||
||redvios.com^
|
||
||v-talk.top^
|
||
||v-talk.vip^
|
||
||ladysizi.top^
|
||
||mmbox.top^
|
||
||oncamera.top^
|
||
||oncast.top^
|
||
||mimibox.top^
|
||
||voicecontrol.top^
|
||
||signaltalk.top^
|
||
||oncamera.vip^
|
||
||dalbam.vip^
|
||
||mimimsg.net^
|
||
||signal-live.vip^
|
||
||tele-gram.vip^
|
||
||vtalk.vip^
|
||
||a-video.vip^
|
||
||livetalk.vip^
|
||
||livetalk.top^
|
||
||download-file.top^
|
||
||grd77.cn^
|
||
||mimicwt.net^
|
||
||super-voice.vip^
|
||
||mimi18s.top^
|
||
||momomsg.top^
|
||
||live-live.vip^
|
||
||zerobyte.top^
|
||
||zerobt.net^
|
||
||w-video.vip^
|
||
||ser-chat.com^
|
||
||tocast.vip^
|
||
||videosound.vip^
|
||
||twi-tter.vip^
|
||
||my-player.vip^
|
||
||voicesupport.vip^
|
||
|
||
# Joker from https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/
|
||
||gd-1301476296.cos.na-toronto.myqcloud.com^
|
||
# Related to: https://github.com/greatsuspender/thegreatsuspender/issues/1175
|
||
# and: https://www.theregister.com/2021/01/07/great_suspender_malware/
|
||
||cdn.owebanalytics.com^
|
||
||static.trckingbyte.com^
|
||
||static.trckpath.com^
|
||
||static.privacytrck.com^
|
||
||rctphvxwnjhx.pw^
|
||
||hanstrackr.com^
|
||
|
||
# Postlo spyware - https://twitter.com/ESETresearch/status/1374889857403785218?s=20
|
||
||api.mainrepo.org^
|
||
|
||
# EvilEye malware C2s mentioned at https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/
|
||
||anayurt.net^
|
||
||apkprue.info^
|
||
||geo2ipapi.org^
|
||
||gotossl.ml^
|
||
||icptime.com^
|
||
||istiqlaihaber.com^
|
||
||misran.org^
|
||
||newyorkingsite.com^
|
||
||playgoog1e.com^
|
||
||preservtyg.com^
|
||
||sslportservices.com^
|
||
||strunhvgpk.com^
|
||
||uhtpuerdfbnm.com^
|
||
||uyghur-news.com^
|
||
||uyghur-soft-market.com^
|
||
||uyghurhaber.com^
|
||
||www.apkhl.pw^
|
||
||apkhl.pw^
|
||
||www.apkpure.bz^
|
||
||apkpure.bz^
|
||
|
||
# Xcodespy - https://labs.sentinelone.com/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/
|
||
||www.liveupdate.cc^
|
||
||www.appmarket.co^
|
||
||www.recentnews.cc^
|
||
||www.truckrental.cc^
|
||
||www.everestnote.com^
|
||
||www.alinbox.co^
|
||
||www.suppro.co^
|
||
|
||
# APKPure compromise by Triada malware - https://securelist.com/apkpure-android-app-store-infected/101845/
|
||
||wcf.seven1029.com^
|
||
||foodin.site^
|
||
|
||
# Triada from https://securelist.com/triada-trojan-in-whatsapp-mod/103679/
|
||
# Trojan.AndroidOS.Triada.ef b1aa5d5bf39fee0b1e201d835e4dc8de
|
||
||t1k22.c8xwor.com^
|
||
||dgmxn.c8xwor.com^
|
||
|
||
# Tutela technologies - f9db002cbc6e5b6de37fb15aefaaf3934a700a7a2f9d5949f3cd6bb8c7dfc1bc - org.speedspot.speedanalytics
|
||
||upload-tutelawest.s3-accelerate.amazonaws.com^
|
||
||reporting.tutelatechnologies.com^
|
||
||video-url.tutelatechnologies.com^
|
||
||hail-reporting.tutelatechnologies.com^
|
||
||d3clybje3sun07.cloudfront.net^
|
||
|
||
# speedspot - reports GPS location, other data - SpeedtestResultViews.java - inside f9db002cbc6e5b6de37fb15aefaaf3934a700a7a2f9d5949f3cd6bb8c7dfc1bc
|
||
||api.speedspot.org^
|
||
||www.speedcheck.org^
|
||
||net.etrality.com^
|
||
||a2.etrality.com^
|
||
||a1.etrality.com^
|
||
||c4.etrality.com^
|
||
||b3.etrality.com^
|
||
||c3.etrality.com^
|
||
||b2.etrality.com^
|
||
||c2.etrality.com^
|
||
||b1.etrality.com^
|
||
||c1.etrality.com^
|
||
||wpc.A3CD.edgecastcdn.net^
|
||
||speedspot.speedspot.netdna-cdn.com^
|
||
||www.speedspot5.com^
|
||
||www.speedspot1.com^
|
||
||www.speedspot7.com^
|
||
||www.speedspot2.com^
|
||
||www.speedspot3.com^
|
||
||www.speedspot4.com^
|
||
||www.speedspot6.com^
|
||
|
||
# Kochava endpoints, from rugabunda - https://beta.pithus.org/report/844aa271ef47f7807ab3ccc63952e2215298701a6851857c22456317927f08fd
|
||
||co.akisinn.info^
|
||
||co.dewrain.life^
|
||
||co.vaicore.site^
|
||
||co.vaicore.xyz^
|
||
||int.akisinn.info^
|
||
||int.akisinn.me^
|
||
||int.akisinn.site^
|
||
||int.dewrain.life^
|
||
||int.dewrain.site^
|
||
||int.dewrain.world^
|
||
||int.vaicore.site^
|
||
||int.vaicore.store^
|
||
||int.vaicore.xyz^
|
||
||int.vlancaa.site^
|
||
||int.vlancaa.fun^
|
||
||tok.vaicore.xyz^
|
||
||vaicore.xyz^
|
||
||web.ab-salute.com^
|
||
||smart.link^
|
||
|
||
# Adeco and inappertising - see https://www.occrp.org/en/investigations/how-a-russian-mobile-app-developer-recruited-phones-into-a-secret-ad-watching-robot-army
|
||
# Ultimate-Mortal-Kombat-3-v1-1.apk - https://www.virustotal.com/gui/file/dc078b004830ff03a27371bbc1c4a7b5882d5a0fb577a8477c09e8b3bfe0d6d3/details
|
||
||cfg.inappertising.org^
|
||
||stats.inappertising.org^
|
||
||app-stats.net2share.com^
|
||
||s.net2share.com^
|
||
||adeco.adecosystems.com^
|
||
||dd.adecosystems.com^
|
||
|
||
# GriftHorse Android from - https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/
|
||
||hotofecro.com^
|
||
||alaiblompass.com^
|
||
||heartratteandpulsetracker.com^
|
||
||icoonectedtrack.com^
|
||
||ospocatracker.com^
|
||
||laalaslirayeblection.com^
|
||
||iblompass.com^
|
||
||smalllcalllrecorder.com^
|
||
||anguaganslatast.com^
|
||
||oroscopemestry.com^
|
||
||blompascator.com^
|
||
||leunoon.com^
|
||
||arindocation.com^
|
||
||rooitor.com^
|
||
||mychattranslator.club^
|
||
||rulapptoplan.com^
|
||
||rportranslator.com^
|
||
||muslimasauda.com^
|
||
||martpolocator.com^
|
||
||wfupppx.com^
|
||
||scandocnotes.com^
|
||
||freecoupon21.com^
|
||
||ponyvideochat.com^
|
||
||ludamec.com^
|
||
||chat-transa.com^
|
||
||soulscanneryh.com^
|
||
||d3cameraplan.com^
|
||
||qibla-ultima.com^
|
||
||zoofanimalm.com^
|
||
||ciaolvc.com^
|
||
||heartrateproxhealthmonitor.com^
|
||
||bus-metrolis.com^
|
||
||truck-rouddrive.com^
|
||
||locatinfind.com^
|
||
||camerdentifier.com^
|
||
||locatorqiafindlocation.com^
|
||
||cocachar.com^
|
||
||squishyp.com^
|
||
||antranslaro.com^
|
||
||ftphotom.com^
|
||
||lockul.com^
|
||
||fingerprihanger.com^
|
||
||locatorshar.com^
|
||
||kfcwsa.com^
|
||
||gpsphonuetrackerfamilylocator.com^
|
||
||cailrecorder.com^
|
||
||tqiblacompas.com^
|
||
||kvprojectop.com^
|
||
||pikchoeditor.com^
|
||
||streetprocarsracingss.com^
|
||
||nemaeovies.com^
|
||
||aecodero.com^
|
||
||ivlewepapallrbkragonucd.com^
|
||
||heartrateandmealtracker.com^
|
||
||phonecontrolblockspamcalls.com^
|
||
||etcotater.com^
|
||
||canopoument.com^
|
||
||locxfindxlocx.com^
|
||
||mnesytrlatr.com^
|
||
||huntcontactz.com^
|
||
||intelgenttran.com^
|
||
||facenalyer.com^
|
||
||fnbdeiegpslocoiatntcrkaer.com^
|
||
||trcalluecodr.com^
|
||
||qrreaderpro.com^
|
||
||itranstxtvoicepht.com^
|
||
||qiberiblaon.com^
|
||
||iconylc.com^
|
||
||lsepeanitor.com^
|
||
||fxkwboard.com^
|
||
||dehcoveanager.com^
|
||
||tickeakhatsp.com^
|
||
||phoneboster.com^
|
||
||phonfinbyclap.com^
|
||
||aralaper.com^
|
||
||qibdirctiowa.com^
|
||
||islsrickers.com^
|
||
||feartranslator.com^
|
||
||vpnzfep.com^
|
||
||snaplens-pt.com^
|
||
||qiblassirection.com^
|
||
||easyvshow.com^
|
||
||qibla-quran.com^
|
||
||qrcodesscan.com^
|
||
||hoolives.com^
|
||
||burivingsim.com^
|
||
||coupongiftsnstashop.com^
|
||
||fingdefend.com^
|
||
||projectormp.com^
|
||
||forzahmobile.com^
|
||
||artateulseonitor.com^
|
||
||sslasmr.com^
|
||
||bagscaner.com^
|
||
||phonecallerscreen.com^
|
||
||datingappswmt.com^
|
||
||lifeel-scan.com^
|
||
||colorizerset.club^
|
||
||expresscreditcash.com^
|
||
||ccallerx.com^
|
||
||transatitonneap.com^
|
||
||lasouncherio.com^
|
||
||claptfindzmphone.com^
|
||
||mirrorscreencasttvv.com^
|
||
||ircleocatinder.com^
|
||
||mobleingsder.com^
|
||
||proocallerr.com^
|
||
||frecalwolwid.com^
|
||
||allelpcoonmber.com^
|
||
||faspulhearratmoni.com^
|
||
||fincconttact.com^
|
||
||uncherdroid.com^
|
||
||iveilembercker.com^
|
||
||lepamcker.com^
|
||
||lockaaocker.com^
|
||
||onarchbylap.com^
|
||
||secontranslatpr.com^
|
||
||tgscontakcs.com^
|
||
||lockaaocker.com^
|
||
||callwhozdine.com^
|
||
||perargero.com^
|
||
||mylocatorplus.club^
|
||
||comclap.club^
|
||
||callerids.club^
|
||
||instantspeechtranslation.club^
|
||
||photoeditorbest.club^
|
||
||piction.club^
|
||
||driveriders.club^
|
||
||skycoachgg.club^
|
||
||ffitnesstrainer.club^
|
||
||racerscardriver.club^
|
||
||fitnessdias.club^
|
||
||meetingonlinechat.club^
|
||
||fitnessgymup.club^
|
||
||editsbackground.club^
|
||
||cutcutpro.club^
|
||
||drivingexpiriencesimulator.club^
|
||
||clipbuddy.club^
|
||
||horoscopefortune.club^
|
||
||ludospeakeasy.club^
|
||
||fitnesspoint.club^
|
||
||wallvoluminousfourk.club^
|
||
||cvectorart.club^
|
||
||ludospeakv2.club^
|
||
||callrecordpro.club^
|
||
||carracer.club^
|
||
||slimesimulator.club^
|
||
||offroaderssurvive.club^
|
||
||lending-online.club^
|
||
||controlcenterios.club^
|
||
||callerids.club^
|
||
||carracer.club^
|
||
||streetracingg.club^
|
||
||checkheart.club^
|
||
||keyboardthemes.club^
|
||
||whatsmesticker.club^
|
||
||batterychargingeffect.club^
|
||
||luxoreditor.club^
|
||
||lionflix.club^
|
||
||amazingvideoeditor.club^
|
||
||zodiachand.club^
|
||
||zeusalmighty.club^
|
||
||pharaohsadventure.club^
|
||
||batterylivewallpaperhd.club^
|
||
||comqubla.club^
|
||
||safelock.club^
|
||
||heartrhythm.club^
|
||
||easybassbooster.club^
|
||
||comphotolab.club^
|
||
|
||
# GriftHorse Second-Stage Domain
|
||
||678ikmbtui.com^
|
||
|
||
# GriftHorse Third-Stage Domains
|
||
||safe-link.mobi^
|
||
||at.gogameportal.club^
|
||
||activate-your-account-now.com^
|
||
||continue-to-get-content-now.com^
|
||
||your-access-here.com^
|
||
||app.buenosocial.club^
|
||
||join.crazymob.co^
|
||
||vl.denrok.space^
|
||
||www.timpromos.com.br^
|
||
||campaignmanager.fun.moobig.com^
|
||
||get-your-access-now.com^
|
||
||v.mobzones.com^
|
||
||mt2-sdp4.mt-2.co^
|
||
||go.whatabookmark.com^
|
||
||lp.shoopadoo.com^
|
||
||es.mobiplus.me^
|
||
||af.to.123games.club^
|
||
||be.startdownload.mobi^
|
||
||za.startdownload.mobi^
|
||
||n.appspool.net^
|
||
||wap.trend-tech.net^
|
||
||fr.chillaxgames.mobi^
|
||
||tracking.hexilo.com^
|
||
|
||
# Suspected GriftHorse from pDNS 185.255.179.131 / 185.255.179.132 ->
|
||
||1g7kvrv.xyz^
|
||
||2fnoqifq.com^
|
||
||2g8cvdii.com^
|
||
||2oafxcbq.xyz^
|
||
||5rfvbnji9.com^
|
||
||7lc6jc.xyz^
|
||
||7nvdx0.xyz^
|
||
||8sghnct.xyz^
|
||
||berf4o.xyz^
|
||
||blfnf9y.com^
|
||
||brlyp4pg.com^
|
||
||chulahfi.xyz^
|
||
||cmvkvncsse.xyz^
|
||
||cophico.pw^
|
||
||cwkjravqsj.xyz^
|
||
||dhfvbsihjf.com^
|
||
||dsfhskln.com^
|
||
||eksndtpf.org^
|
||
||emraiyz.xyz^
|
||
||eok8wd5v.net^
|
||
||erbfzk.com^
|
||
||ersokbkj.com^
|
||
||fdfjhks.com^
|
||
||ffnbafc.xyz^
|
||
||hrvxkxq.xyz^
|
||
||il0baz.com^
|
||
||jduzuyd.com^
|
||
||jsdfbhsa.com^
|
||
||jydfoafcaf.xyz^
|
||
||kgr0aixa.xyz^
|
||
||krkmyvlmdg.xyz^
|
||
||lgdzbch.com^
|
||
||liahkhe.xyz^
|
||
||lljmbbk.com^
|
||
||lmbbnrhiuj.xyz^
|
||
||lwvurdsjk.org^
|
||
||lxghjoxzns.com^
|
||
||mnfbodivbv.com^
|
||
||mt5vsuf1.net^
|
||
||nfrmg1y.xyz^
|
||
||nwluoodzct.xyz^
|
||
||ocheyhv.xyz^
|
||
||okjojihgv.com^
|
||
||olimob.net^
|
||
||ortn13der.xyz^
|
||
||poiuwhejgr.com^
|
||
||pwtgnp.pw^
|
||
||qtwjhuj.com^
|
||
||rfjdhxbz.com^
|
||
||sjkfsdkg.com^
|
||
||trfvbnji7.com^
|
||
||urtyhfds.com^
|
||
||v9czaci.xyz^
|
||
||vortnomade.net^
|
||
||w9x7itu.xyz^
|
||
||www.mnfbodivbv.com^
|
||
||www.okjojihgv.com^
|
||
||y0vvbm.xyz^
|
||
||yq0z3d.xyz^
|
||
|
||
# additional suspected GriftHorse from pDNS - 2021-10-21
|
||
||down.tracksz.co^
|
||
||go.creativemobilemarketing.com^
|
||
||go.fastfinderworld.com^
|
||
||go.grandprizewinners.com^
|
||
||go.interlinkinternet.com^
|
||
||go.protectyoursearch.com^
|
||
||go.trackitalltheway.com^
|
||
||go.trackiteazy.com^
|
||
||go.watchwiser.com^
|
||
|
||
# TangleBot domains, research based on - https://www.cloudmark.com/en/blog/mobile/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19
|
||
||covid19-ca.link^
|
||
||hydro-ca.link^
|
||
||sock.godforgiveuss.live^
|
||
||sock.hhhhrkanandda.xyz^
|
||
||sock.nmnmnmfsamsfan.xyz^
|
||
||socktest.ankatras.xyz^
|
||
||vaccine-appointment.link^
|
||
|
||
# Donot / Origami Elephant / APT-C-35 IOCs from Amnesty - https://github.com/AmnestyTech/investigations/blob/master/2021-10-07_donot/domains.txt
|
||
||bulk.fun^
|
||
||apkv5.ppadaolnwod.xyz^
|
||
||apkv6.endurecif.top^
|
||
||getelements.xyz^
|
||
||fiddaz.club^
|
||
||lif0.top^
|
||
||fif0.top^
|
||
||chipp.pw^
|
||
||mimestyle.xyz^
|
||
||mangasiso.top^
|
||
||and.retardrattle.website^
|
||
||help.domainoutlet.site^
|
||
||whynotworkonit.top^
|
||
||spectronet.pw^
|
||
||full.naturalpercent.life^
|
||
||mimeversion.top^
|
||
||rythemsjoy.club^
|
||
||lowlight.xyz^
|
||
||inapturst.top^
|
||
||auth.forwardtoken.website^
|
||
||accounts.loginshare.info^
|
||
||seahome.top^
|
||
||imageview.xyz^
|
||
||flickry.xyz^
|
||
||apkv2.qwertykeypad.host^
|
||
||userauthen.pw^
|
||
||join.officeframe.work^
|
||
||zumba.tampotrust.agency^
|
||
||image.loadingmessage.info^
|
||
|
||
# AbstractEmu hosts from https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign
|
||
||jobs.illaewinstralinc.com^
|
||
||outline.abunddhighett.com^
|
||
||tags.illaryboucnc.com^
|
||
||cloud.nathompsstra.com^
|
||
||store.dianmpsoathom.com^
|
||
||fluency.ryboucoathom.com^
|
||
||csa.naaronegya.com^
|
||
||tips.ghetaldhighe.com^
|
||
||color.joarteauxelb.com^
|
||
|
||
# Cynos hosts from https://vms.drweb.com/virus/?i=24972842 - 46bc4c6c87fcb519a8f315c0010b949d682ac3abee62b33bd624b251a3521b19
|
||
|
||
||dns1.sdkbalance.com^
|
||
||dns2.sdkbalance.com^
|
||
||dns3.sdkbalance.com^
|
||
||sdk.sdkbalance.com^
|
||
||mg.sdkbalance.com^
|
||
|
||
# PhoneSpy hosts from https://blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/ and pDNS related
|
||
|
||
||acd.kcpro.ga^
|
||
||aki.kcpro.ga^
|
||
||arr.kcpro.tk^
|
||
||b.freespy1.ml^
|
||
||b.freespy1.tk^
|
||
||c.freespy1.ml^
|
||
||c.freespy1.tk^
|
||
||cef.kcpro.tk^
|
||
||cfs.kcpro.ga^
|
||
||d.freespy1.ml^
|
||
||d.freespy1.tk^
|
||
||dto.kcpro.ga^
|
||
||e.freespy1.ml^
|
||
||ejn.kcpro.ga^
|
||
||ern.kcpro.ga^
|
||
||f.freespy1.ml^
|
||
||f.freespy1.tk^
|
||
||freespy.cf^
|
||
||g.freespy1.ml^
|
||
||g.freespy1.tk^
|
||
||h.freespy1.ml^
|
||
||h.freespy1.tk^
|
||
||hxg.kcpro.ga^
|
||
||i.freespy1.ml^
|
||
||i.freespy1.tk^
|
||
||j.freespy1.ml^
|
||
||j.freespy1.tk^
|
||
||k.freespy1.ml^
|
||
||k.freespy1.tk^
|
||
||koreavopi.kro.kr^
|
||
||l.freespy1.ml^
|
||
||l.freespy1.tk^
|
||
||m.freespy1.ml^
|
||
||m.freespy1.tk^
|
||
||mda.kcpro.ga^
|
||
||mgo.kcpro.ga^
|
||
||n.freespy1.ml^
|
||
||n.freespy1.tk^
|
||
||o.freespy1.ml^
|
||
||o.freespy1.tk^
|
||
||oso.kcpro.ga^
|
||
||p.freespy1.ml^
|
||
||p.freespy1.tk^
|
||
||pql.kcpro.ga^
|
||
||wvv.kcpro.ga^
|
||
||ydc.kcpro.ga^
|
||
||zqn.kcpro.ga^
|
||
||zsx.kcpro.ga^
|
||
|
||
# https://blog.appcensus.io/2022/04/06/the-curious-case-of-coulus-coelib/
|
||
||mobile.measurelib.com^
|
||
||measurelib.com^
|
||
||ami0wned.com^
|
||
||amiowned.com^
|
||
||arduous.work^
|
||
||attorney-client-privileged.com^
|
||
||attorney-client.org^
|
||
||attorneyclientprivileged.com^
|
||
||beachhackerspace.com^
|
||
||cloudwatchtower.com^
|
||
||consilio.lawyer^
|
||
||consiliolaw.com^
|
||
||darknetinfo.com^
|
||
||dataillusionist.com^
|
||
||easycalea.com^
|
||
||extremeexploits.com^
|
||
||extremeexploits.org^
|
||
||fraudpreventionsys.com^
|
||
||gleancorp.com^
|
||
||idme.org^
|
||
||indelibleblue.net^
|
||
||indelibleblueinc.net^
|
||
||internetcartography.com^
|
||
||internetcartography.net^
|
||
||internetcartography.org^
|
||
||littoralventures.com^
|
||
||marketinfo.tips^
|
||
||measurementsys.com^
|
||
||mxout.net^
|
||
||myaddress.today^
|
||
||ndagri.com^
|
||
||networkcartography.com^
|
||
||networkcartography.net^
|
||
||networkcartography.org^
|
||
||newdulcina.com^
|
||
||opensourcecontext.com^
|
||
||oppleman.org^
|
||
||oscontext.com^
|
||
||pathanalyzer.com^
|
||
||pathanalyzerpro.com^
|
||
||precise.fit^
|
||
||pwhois.net^
|
||
||pwhois.org^
|
||
||quietquell.com^
|
||
||trustcor.co^
|
||
||vbchs.com^
|
||
||vbchs.org^
|
||
||vbhacker.space^
|
||
||vbhackerspace.com^
|
||
||vbhackerspace.org^
|
||
||vostrom.ventures^
|
||
||whoisanalyzer.com^
|
||
||whoisanalyzerpro.com^
|
||
||mobile.fra2.measurelib.com^
|
||
||mobile.ams2.measurelib.com^
|
||
|
||
# Telematicsdirect - from al-moazin-lite-prayer-times.apk - dcb56dc7b817dd65a1f5ebfe81cf36b85ad523990b8e4f69a4a1654d1cc8277c
|
||
||nav.telematicsdirect.com^
|
||
|
||
# SafeGraph / OpenLocate
|
||
# https://github.com/pablobaxter/openlocate-android
|
||
# https://www.vice.com/en/article/m7vymn/cdc-tracked-phones-location-data-curfews
|
||
||api.safegraph.com^
|
||
|
||
# daily-scratchers.apk / 22a80df1084af11129baef89bce0bafad0aaae41e58dc2bb6e7c27fd3f4bac49 / me.actv8.tvwallet
|
||
||actv8technologies.com^
|
||
||api-production-v4.actv8technologies.com^
|
||
||sonar.actv8technologies.com^
|
||
|
||
# Joker - RelaxingMusicSootheYourBody_signed.apk - 14c35d1158cc47cfb605fdd686603b0929d38c046dce03fd6033fb8a31433798
|
||
||novasdk.oss-cn-beijing.aliyuncs.com^
|
||
|
||
# Joker - https://github.com/DoctorWebLtd/malware-iocs/tree/master/Android.Joker
|
||
# Note: domain offline since Feb 2022
|
||
||ad.mobnv.com^
|
||
# pDNS for 161.117.252.102
|
||
||app.mobnv.com^
|
||
||aff.fortunnecat.com^
|
||
|
||
# WhatsApp mod distributed through legitimate apps:
|
||
# https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690/?utm_source=everyonesocial&utm_medium=partner&utm_campaign=us_NA-newsletter_en0177&utm_content=sm-post&utm_term=us_everyonesocial_organic_an17748oyfteksz&es_id=cfde1a3994
|
||
||wa.zcnewy.com^
|
||
||av2wg.rt14v.com^
|
||
||g1790.rt14v.com^
|
||
|
||
# xnspy - 578a880848bc52bed83b2be817a148187fde129cc8ad50db49630c0ebf59102c - xnspyappv2.apk
|
||
# https://techcrunch.com/2022/12/12/xnspy-stalkerware-iphone-android/
|
||
||alert.xiz4me.com^
|
||
||asset.xiz4me.com^
|
||
||sync.xiz4me.com^
|
||
||xiz4me.com^
|
||
||mydwnd.com^
|
||
||brilliant-flame-585.firebaseio.com^
|
||
||brilliant-flame-585.appspot.com^
|
||
# xnspy - 7e3930771370ed111cdb83397a04fa7ee89f1ea35b7f5306bb1522b82bc6d38d
|
||
||sync.bk128.com^
|
||
||alert.bk128.com^
|
||
||asset.bk128.com^
|
||
||bk128.com^
|
||
# xnspy - 9114e561c42ea19b183ef5d8a36e743f2b873874e43d805b11e3753035c7900d
|
||
||true-truck-86810.firebaseio.com^
|
||
||true-truck-86810.appspot.com^
|
||
|
||
# Fleckpe - from https://securelist.com/fleckpe-a-new-family-of-trojan-subscribers-on-google-play/109643/
|
||
||ac.iprocam.xyz^
|
||
||ad.iprocam.xyz^
|
||
||ap.iprocam.xyz^
|
||
||b7.photoeffect.xyz^
|
||
||ba3.photoeffect.xyz^
|
||
||f0.photoeffect.xyz^
|
||
||m11.slimedit.live^
|
||
||m12.slimedit.live^
|
||
||m13.slimedit.live^
|
||
||ba.beautycam.xyz^
|
||
||f6.beautycam.xyz^
|
||
||f8a.beautycam.xyz^
|
||
||ae.mveditor.xyz^
|
||
||b8c.mveditor.xyz^
|
||
||d3.mveditor.xyz^
|
||
||fa.gifcam.xyz^
|
||
||fb.gifcam.xyz^
|
||
||fl.gifcam.xyz^
|
||
||a.hdmodecam.live^
|
||
||b.hdmodecam.live^
|
||
||l.hdmodecam.live^
|
||
||vd.toobox.online^
|
||
||ve.toobox.online^
|
||
||vt.toobox.online^
|
||
||t1.twmills.xyz^
|
||
||t2.twmills.xyz^
|
||
||t3.twmills.xyz^
|
||
||api.odskguo.xyz^
|
||
||gbcf.odskguo.xyz^
|
||
||track.odskguo.xyz^
|
||
|
||
# AhRat - see https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/
|
||
||order.80876dd5.shop^
|
||
# AhRat - b2c1517e4b0e0b3286a5cde06310b2277da7333f5ab3c2828f08272e3f85b260 - iRecorder - Screen Recorder_2.0_apkcombo.com.apk
|
||
||config.unityads.unity3d.com^
|
||
||config.unityads.unitychina.cn^
|
||
||init.supersonicads.com^
|
||
||logs.supersonic.com^
|
||
||outcome-ssp.supersonicads.com^
|
||
||supersonicads.com^
|
||
|
||
# uBlock telemetry endpoint - adblock-stats.js inside a01ff7dac823f3666e7f38527739802e5a7ce3cb539b6a390ca99d423b5c9779
|
||
# data sent even if telemetry is disabled
|
||
||ublocker-chrome.com^
|
||
|
||
# Cytrox Predator domains, see - https://citizenlab.ca/2023/09/predator-in-the-wires-ahmed-eltantawy-targeted-with-predator-spyware-after-announcing-presidential-ambitions/
|
||
||almal-news.com^
|
||
||chat-support.support^
|
||
||cibeg.online^
|
||
||notifications-sec.com^
|
||
||wa-info.com^
|
||
||whatssapp.co^
|
||
||wts-app.info^
|
||
||sec-flare.com^
|
||
||verifyurl.me^
|
||
||c.betly.me^
|
||
||betly.me^
|
||
||web.whatssapp.co^
|
||
||whatspp.wa-info.com^
|
||
||notifications.wa-info.com^
|
||
||t-bit.me^
|
||
|
||
# PEACHPIT and BADBOX, extended infrastructure (expansion by @craiu), see - https://www.humansecurity.com/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pdf
|
||
||adbsc.flyermobi.com^
|
||
||adbsc.ikmytech.com^
|
||
||adbsdk.flyermobi.com^
|
||
||admin.dofunapps.com^
|
||
||ads.dofunapps.com^
|
||
||ads.flyermobi.com^
|
||
||apkcar.com^
|
||
||ats.flyermobi.com^
|
||
||ats.ikmytech.com^
|
||
||cbphe.com^
|
||
||cbpheback.com^
|
||
||dcylog.com^
|
||
||flyermobi.com^
|
||
||n1.flyermobi.com^
|
||
||sdk.dofunapps.com^
|
||
||www.apkcar.com^
|
||
||www.flyermobi.com^
|
||
||ycxrl.com^
|
||
||ymex.apkcar.com^
|
||
||ymlog.apkcar.com^
|
||
||ymsdk.apkcar.com^
|
||
|
||
# Unityads from https://github.com/Unity-Technologies/unity-ads-ios
|
||
||scar.unityads.unity3d.com^
|
||
||webviewbridge.unityads.unity3d.com^
|
||
||unityads.unity3d.com^
|
||
||gateway.unityads.unity3d.com^
|