
# Various telemetry endpoints (hosts and domains) used by mobile location tracking libraries
# Contact: mobiletrackers [at] protonmail.ch
# See: https://github.com/craiu/mobiletrackers/
# Version 1.46 - 2024-02-07
#
# xmodesocial - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
||bin5y4muil.execute-api.us-east-1.amazonaws.com^
# unknown, possibly xmodesocial - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
||8balwalz1i.execute-api.us-east-2.amazonaws.com^
# unknowns - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
||api.smartechmetrics.com^
||ck-running-apps-700f1.firebaseio.com^
||pie.wirelessregistry.com^
# unknowns - 010f7bb33f35cc650b7d6104b07102eb0dbaf79bcec1f1c6255fdcaffefe6b68 - com.davidsukhin.com.sukhin.snowdaycalculator.SnowDay
# The URLs below are stored in the app as base64 strings XOR-encrypted with key 0x09 ->
||udata.elephantdata.net^
||atb.bearclod.com^
# pDNS data for the IPs associated with atb.bearclod.com ->
||alb.bearclod.com^
||aly.bearclod.com^
||alz.bearclod.com^
||atb.bearclod.com^
||bivitis.bearclod.com^
||brt.bearclod.com^
||brul.bearclod.com^
||hfstat.bearclod.com^
||hkn01.bearclod.com^
||ply.bearclod.com^
||zoo.bearclod.com^
# crashlytics - 4711634730d5367756bba4d776d846b01b8d0373336ea877a2c20b1da0a95477 - com.sgiggle.production_5.2.229629_1538560344.apk
||settings.crashlytics.com^
||e.crashlytics.com^
# starbolt - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
||sdk.starbolt.io^
||dmp.starbolt.io^
||devices.starbolt.io^
# sense360 ? - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
||android-quinoa-config-prod.sense360eng.com^
||survey-notify-event.sense360eng.com^
||quinoa-personal-identify-prod.sense360eng.com^
# appmeasurement - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
||app-measurement.com^
# newrelic - 2d4c9c037db43704f52968c9c363cbdf382cbb6a4b9143825f6e8b523b7c0c01 - com.crowdcompass.appmQaIam3e7C.apk
||mobile-collector.newrelic.com^
||mobile-crash.newrelic.com^
# Xiaomi-related telemetry endpoints - see https://twitter.com/hookgab/status/1255859289945780225
||data.mistat.india.xiaomi.com^
||data.mistat.intl.xiaomi.com^
||data.mistat.rus.xiaomi.com^
||tracking.rus.miui.com^
||tracking.intl.miui.com^
||tracking.india.miui.com^
# from https://twitter.com/cybergibbons/status/1256703550954057729
||sa.api.intl.miui.com^
||sa.api.india.miui.com^
||sa.api.rus.miui.com^
# new xmodesocial - from https://mobile.twitter.com/guardianiosapp/status/1262545645941874689
||api.myendpoint.io^
# aggressive advertisers - https://securelist.com/in-app-advertising-in-android/97065/
# 1eeda6306a2b12f78902a1bc0b7a7961 com.android.ggtoolkit_tw_xd
# 134283b8efedc3d7244ba1b3a52e4a92 com.xprodev.cutcam
# 3aba867b8b91c17531e58a9054657e10 com.powerd.cleaner
||ti.domainforlite.com^
||uu.domainforlite.com^
# pDNS resolutions for uu.domainforlite.com, hosting on 47.252.80.195
||adserver.hahamobi.com^
||analytics.hahamobi.com^
||analytics.salmonads.com^
||api.salmonads.com^
||dat.funheroic.com^
||lg.luckyforworlds.com^
||lg.requestads.com^
||lg.smardroid.com^
||log.adywind.com^
||log.mobpowertech.com^
||net.hahamobi.com^
||net.salmonads.com^
||us01.salmonads.com^
||uu.domainforlite.com^
# mobile ads, 2020-07-07, additions from https://securelist.com/pig-in-a-poke-smartphone-adware/97607/
||www.ywupscsff.com^
||www.mzeibiyr.com^
||i151125.infourl.net^
||www.jueoxdr.com^
||ufz.doesxyz.com^
||htapi.getapiv8.com^
||stable.icecyber.org^
||404mobi.com^
||51ginkgo.com^
||lbjg7.com^
||bigdata800.com^
||apd1.warnlog.com^
||apd1.thunup.com^
# mintegral, 2020-08-30, described at: https://snyk.io/research/sour-mint-malicious-sdk/
||n.systemlog.me^
||setting.rayjump.com^
||analytics.rayjump.com^
# from pDNS on n.systemlog.me ->
||net.cleverjp.com^
# from fake NEXTALIVE (moonfair) application - https://www.zdnet.com/article/google-removes-android-app-that-was-used-to-spy-on-belarusian-protesters/
||arcpi.nextialive.roimaster.site^
||api.nextialive.roimaster.site^
||ws.nextialive.roimaster.site^
||nextialive.roimaster.site^
||api.dev.chat.roimaster.site^
||dev.chat.roimaster.site^
# Joker download URLs / hosts as described by ZScaler - https://www.zscaler.com/blogs/security-research/joker-playing-hide-and-seek-google-play
||2j1i9uqw.oss-eu-central-1.aliyuncs.com^
||blackdragon03.oss-ap-southeast-5.aliyuncs.com^
||blackdragon.oss-ap-southeast-5.aliyuncs.com^
||fgcxweasqw.oss-eu-central-1.aliyuncs.com^
||jk8681oy.oss-eu-central-1.aliyuncs.com^
||laodaoo.oss-ap-southeast-5.aliyuncs.com^
||laodaoo.oss-ap-southeast-5.aliyuncs.com^
||n47n.oss-ap-southeast-5.aliyuncs.com^
||nineth03.oss-ap-southeast-5.aliyuncs.com^
||proxy48.oss-eu-central-1.aliyuncs.com^
||rinimae.oss-ap-southeast-5.aliyuncs.com^
||sahar.oss-us-east-1.aliyuncs.com^
# Cerberus C2s as described by BitDefender - https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/
||2fapass.club^
||androidradio.life^
||downdating.club^
||fitnessstrategy.xyz^
||groovefitness.xyz^
||loversfinder.xyz^
||positivefitness.club^
||safeyourdata.xyz^
||sport4ever.club^
||vipyoga.today^
||weatherclub.club^
||yoga4u.xyz^
# unknown (?) telemetry receiving endpoints from:
# 066de93f181e9cbcb8611c675bbcb0fc - com.speedcamera.detector.radar.detector.direction
||yqchpwxvbg.execute-api.us-east-1.amazonaws.com^
||pn8sm7rjuc.execute-api.us-east-1.amazonaws.com^
# venntel / gravy analytics from https://github.com/sociam/PROWISH/blob/master/data/200appsdynamic.csv
# venntel / gravy analytics from https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf
# gravy analytics docs - http://developers.findgravy.com/products/gold-api/docs/index2.html
||api.findgravy.com^
||nwzhmwux-api.findgravy.com^
||zmq5ytc1-api.findgravy.com^
||mtm1nwmx-api.findgravy.com^
||gravyanalytics.com^
# 51ec8159efb88a852005b94f0fd9891016b75f4b40d24608ee8a5c8d34826a3e - com.usatoday.android.news
||ws.findgravy.com^
||api.foozor.com^
||testapi.foozor.com^
# potentially related hosts on top of findgravy.com
||img01.findgravy.com^
||img02.findgravy.com^
||img03.findgravy.com^
||img04.findgravy.com^
# 51ec8159efb88a852005b94f0fd9891016b75f4b40d24608ee8a5c8d34826a3e - com.usatoday.android.news
||pushapi.localytics.com^
||analytics.localytics.com^
||profile.localytics.com^
# cuebiq location sdk from ->
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
||in.cuebiq.com^
||ingestion-api.kiwi.sand.cuebiq.ai^
# nodle.io sdk from ->
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
||dev.nodle.io^
||us-central1-production-242307.cloudfunctions.net^
# unknown sdk from 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass - possibly xmode-related
||api.smartechmetrics.com^
# more crashlytics hosts from 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
||firebase-settings.crashlytics.com^
||update.crashlytics.com^
||reports.crashlytics.com^
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass ->
||pixelprose.fr^
# appsflyer from b8ce13566a048108b4321f5277e4d95a5d5743da4f082fbca30074439acf5a15 - com.unacademyapp
||onelink.me^
||onelnk.com^
||app.aflink.com^
||t.appsflyer.com^
# other various telemetry endpoints (not necessarily location-related) from b8ce13566a048108b4321f5277e4d95a5d5743da4f082fbca30074439acf5a15 - com.unacademyapp
||api.mixpanel.com^
||decide.mixpanel.com^
||cdn.optimizely.com^
||logx.optimizely.com^
||outline.truecaller.com^
||api4.truecaller.com^
||c.webengage.com^
||p.webengage.com^
||api.branch.io^
||bnc.lt^
||cdn.branch.io^
||e.crashlytics.com^
||settings.crashlytics.com^
||js.intercomcdn.com^
||mobile-sdk-api.intercom.io^
# Clevertap's wzrkt.com - also see https://twitter.com/fs0c131y/status/977267255309463554
||wzrkt.com^
||in.wzrkt.com^
# subdomains from wzrkt.com - https://subdomainfinder.c99.nl/scans/2020-04-19/wzrkt.com
||api.wzrkt.com^
||cb.wzrkt.com^
||eu1-spiky.wzrkt.com^
||eu1.alb.wzrkt.com^
||eu1.wzrkt.com^
||in.cb.wzrkt.com^
||in1-spiky.wzrkt.com^
||in1.alb.wzrkt.com^
||in1.wzrkt.com^
||sg1-spiky.wzrkt.com^
||sg1.cb.wzrkt.com^
||sg1.wzrkt.com^
||sk1-spiky.wzrkt.com^
||sk1-staging-1.wzrkt.com^
||sk1-staging-10.wzrkt.com^
||sk1-staging-2.wzrkt.com^
||sk1-staging-3.wzrkt.com^
||sk1-staging-4.wzrkt.com^
||sk1-staging-5.wzrkt.com^
||sk1-staging-6.wzrkt.com^
||sk1-staging-7.wzrkt.com^
||sk1-staging-8.wzrkt.com^
||sk1-staging-9.wzrkt.com^
||sk1.wzrkt.com^
||us1-spiky.wzrkt.com^
||us1.cb.wzrkt.com^
||us1.wzrkt.com^
# from cb9f6bb72a9766ba8c805c25769b47c46751052706bb41ed333db0b42cd586ff - com.byjus.thelearningapp
# also see https://digitalwatchdog.org/wp-content/uploads/2020/09/IDAC-Ed-Tech-Report_AppendixB_SensitiveData.pdf
||api.tllms.com^
||marketing.tllms.com^
# from 09f5bcadde3351eb3f509f5a471cbd7bb00536292da560bcf8ee59eb73116f00 - luo.speedometergps
# teragence ->
||control.teragence.net^
||pfsense02-01.is-61194.teragence.net^
# tutela ->
||upload-tutelawest.s3-accelerate.amazonaws.com^
||reporting-util.tutelatechnologies.com^
||hail-reporting.tutelatechnologies.com^
||thepopulator.tutelatechnologies.com^
# huq (also from 9c53a29a7e6a871f57b20097185a09afd2ff818455a42792d502f1eb8f2e3679) ->
||api.huqindustries.co.uk^
||report.huqindustries.co.uk^
||charles.huqindustries.co.uk^
# IOCs from https://www.whiteops.com/blog/somewhere-over-the-rainbowmix
||api.pythonexample.com^
# Predicio - from Funny Weather - pl.lawiusz.funnyweather.release.apk - 6d23151e69a57f67111d4969594316576577ae8a2015aff336ab6ef0fb2a07b4
# see https://www.vice.com/en/article/epdpdm/ice-dhs-fbi-location-data-venntel-apps
||sdk.predic.io^
# Kinesis endpoint from Funny Weather:
||kinesis.ap-southeast-1.amazonaws.com^
# Complementics endpoints from 4ba50272718c95af20940912c7968410d797fbc07dcce2bad8183b94887b0ab4
||sdk-as.complementics.com^
||static.complementics.com^
# Goontact from https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail
||redvios.com^
||v-talk.top^
||v-talk.vip^
||ladysizi.top^
||mmbox.top^
||oncamera.top^
||oncast.top^
||mimibox.top^
||voicecontrol.top^
||signaltalk.top^
||oncamera.vip^
||dalbam.vip^
||mimimsg.net^
||signal-live.vip^
||tele-gram.vip^
||vtalk.vip^
||a-video.vip^
||livetalk.vip^
||livetalk.top^
||download-file.top^
||grd77.cn^
||mimicwt.net^
||super-voice.vip^
||mimi18s.top^
||momomsg.top^
||live-live.vip^
||zerobyte.top^
||zerobt.net^
||w-video.vip^
||ser-chat.com^
||tocast.vip^
||videosound.vip^
||twi-tter.vip^
||my-player.vip^
||voicesupport.vip^
# Joker from https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/
||gd-1301476296.cos.na-toronto.myqcloud.com^
# Related to: https://github.com/greatsuspender/thegreatsuspender/issues/1175
# and: https://www.theregister.com/2021/01/07/great_suspender_malware/
||cdn.owebanalytics.com^
||static.trckingbyte.com^
||static.trckpath.com^
||static.privacytrck.com^
||rctphvxwnjhx.pw^
||hanstrackr.com^
# Postlo spyware - https://twitter.com/ESETresearch/status/1374889857403785218?s=20
||api.mainrepo.org^
# EvilEye malware C2s mentioned at https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/
||anayurt.net^
||apkprue.info^
||geo2ipapi.org^
||gotossl.ml^
||icptime.com^
||istiqlaihaber.com^
||misran.org^
||newyorkingsite.com^
||playgoog1e.com^
||preservtyg.com^
||sslportservices.com^
||strunhvgpk.com^
||uhtpuerdfbnm.com^
||uyghur-news.com^
||uyghur-soft-market.com^
||uyghurhaber.com^
||www.apkhl.pw^
||apkhl.pw^
||www.apkpure.bz^
||apkpure.bz^
# Xcodespy - https://labs.sentinelone.com/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/
||www.liveupdate.cc^
||www.appmarket.co^
||www.recentnews.cc^
||www.truckrental.cc^
||www.everestnote.com^
||www.alinbox.co^
||www.suppro.co^
# APKPure compromise by Triada malware - https://securelist.com/apkpure-android-app-store-infected/101845/
||wcf.seven1029.com^
||foodin.site^
# Triada from https://securelist.com/triada-trojan-in-whatsapp-mod/103679/
# Trojan.AndroidOS.Triada.ef b1aa5d5bf39fee0b1e201d835e4dc8de
||t1k22.c8xwor.com^
||dgmxn.c8xwor.com^
# Tutela technologies - f9db002cbc6e5b6de37fb15aefaaf3934a700a7a2f9d5949f3cd6bb8c7dfc1bc - org.speedspot.speedanalytics
||upload-tutelawest.s3-accelerate.amazonaws.com^
||reporting.tutelatechnologies.com^
||video-url.tutelatechnologies.com^
||hail-reporting.tutelatechnologies.com^
||d3clybje3sun07.cloudfront.net^
# speedspot - reports GPS location, other data - SpeedtestResultViews.java - inside f9db002cbc6e5b6de37fb15aefaaf3934a700a7a2f9d5949f3cd6bb8c7dfc1bc
||api.speedspot.org^
||www.speedcheck.org^
||net.etrality.com^
||a2.etrality.com^
||a1.etrality.com^
||c4.etrality.com^
||b3.etrality.com^
||c3.etrality.com^
||b2.etrality.com^
||c2.etrality.com^
||b1.etrality.com^
||c1.etrality.com^
||wpc.A3CD.edgecastcdn.net^
||speedspot.speedspot.netdna-cdn.com^
||www.speedspot5.com^
||www.speedspot1.com^
||www.speedspot7.com^
||www.speedspot2.com^
||www.speedspot3.com^
||www.speedspot4.com^
||www.speedspot6.com^
# Kochava endpoints, from rugabunda - https://beta.pithus.org/report/844aa271ef47f7807ab3ccc63952e2215298701a6851857c22456317927f08fd
||co.akisinn.info^
||co.dewrain.life^
||co.vaicore.site^
||co.vaicore.xyz^
||int.akisinn.info^
||int.akisinn.me^
||int.akisinn.site^
||int.dewrain.life^
||int.dewrain.site^
||int.dewrain.world^
||int.vaicore.site^
||int.vaicore.store^
||int.vaicore.xyz^
||int.vlancaa.site^
||int.vlancaa.fun^
||tok.vaicore.xyz^
||vaicore.xyz^
||web.ab-salute.com^
||smart.link^
# Adeco and inappertising - see https://www.occrp.org/en/investigations/how-a-russian-mobile-app-developer-recruited-phones-into-a-secret-ad-watching-robot-army
# Ultimate-Mortal-Kombat-3-v1-1.apk - https://www.virustotal.com/gui/file/dc078b004830ff03a27371bbc1c4a7b5882d5a0fb577a8477c09e8b3bfe0d6d3/details
||cfg.inappertising.org^
||stats.inappertising.org^
||app-stats.net2share.com^
||s.net2share.com^
||adeco.adecosystems.com^
||dd.adecosystems.com^
# GriftHorse Android from - https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/
||hotofecro.com^
||alaiblompass.com^
||heartratteandpulsetracker.com^
||icoonectedtrack.com^
||ospocatracker.com^
||laalaslirayeblection.com^
||iblompass.com^
||smalllcalllrecorder.com^
||anguaganslatast.com^
||oroscopemestry.com^
||blompascator.com^
||leunoon.com^
||arindocation.com^
||rooitor.com^
||mychattranslator.club^
||rulapptoplan.com^
||rportranslator.com^
||muslimasauda.com^
||martpolocator.com^
||wfupppx.com^
||scandocnotes.com^
||freecoupon21.com^
||ponyvideochat.com^
||ludamec.com^
||chat-transa.com^
||soulscanneryh.com^
||d3cameraplan.com^
||qibla-ultima.com^
||zoofanimalm.com^
||ciaolvc.com^
||heartrateproxhealthmonitor.com^
||bus-metrolis.com^
||truck-rouddrive.com^
||locatinfind.com^
||camerdentifier.com^
||locatorqiafindlocation.com^
||cocachar.com^
||squishyp.com^
||antranslaro.com^
||ftphotom.com^
||lockul.com^
||fingerprihanger.com^
||locatorshar.com^
||kfcwsa.com^
||gpsphonuetrackerfamilylocator.com^
||cailrecorder.com^
||tqiblacompas.com^
||kvprojectop.com^
||pikchoeditor.com^
||streetprocarsracingss.com^
||nemaeovies.com^
||aecodero.com^
||ivlewepapallrbkragonucd.com^
||heartrateandmealtracker.com^
||phonecontrolblockspamcalls.com^
||etcotater.com^
||canopoument.com^
||locxfindxlocx.com^
||mnesytrlatr.com^
||huntcontactz.com^
||intelgenttran.com^
||facenalyer.com^
||fnbdeiegpslocoiatntcrkaer.com^
||trcalluecodr.com^
||qrreaderpro.com^
||itranstxtvoicepht.com^
||qiberiblaon.com^
||iconylc.com^
||lsepeanitor.com^
||fxkwboard.com^
||dehcoveanager.com^
||tickeakhatsp.com^
||phoneboster.com^
||phonfinbyclap.com^
||aralaper.com^
||qibdirctiowa.com^
||islsrickers.com^
||feartranslator.com^
||vpnzfep.com^
||snaplens-pt.com^
||qiblassirection.com^
||easyvshow.com^
||qibla-quran.com^
||qrcodesscan.com^
||hoolives.com^
||burivingsim.com^
||coupongiftsnstashop.com^
||fingdefend.com^
||projectormp.com^
||forzahmobile.com^
||artateulseonitor.com^
||sslasmr.com^
||bagscaner.com^
||phonecallerscreen.com^
||datingappswmt.com^
||lifeel-scan.com^
||colorizerset.club^
||expresscreditcash.com^
||ccallerx.com^
||transatitonneap.com^
||lasouncherio.com^
||claptfindzmphone.com^
||mirrorscreencasttvv.com^
||ircleocatinder.com^
||mobleingsder.com^
||proocallerr.com^
||frecalwolwid.com^
||allelpcoonmber.com^
||faspulhearratmoni.com^
||fincconttact.com^
||uncherdroid.com^
||iveilembercker.com^
||lepamcker.com^
||lockaaocker.com^
||onarchbylap.com^
||secontranslatpr.com^
||tgscontakcs.com^
||lockaaocker.com^
||callwhozdine.com^
||perargero.com^
||mylocatorplus.club^
||comclap.club^
||callerids.club^
||instantspeechtranslation.club^
||photoeditorbest.club^
||piction.club^
||driveriders.club^
||skycoachgg.club^
||ffitnesstrainer.club^
||racerscardriver.club^
||fitnessdias.club^
||meetingonlinechat.club^
||fitnessgymup.club^
||editsbackground.club^
||cutcutpro.club^
||drivingexpiriencesimulator.club^
||clipbuddy.club^
||horoscopefortune.club^
||ludospeakeasy.club^
||fitnesspoint.club^
||wallvoluminousfourk.club^
||cvectorart.club^
||ludospeakv2.club^
||callrecordpro.club^
||carracer.club^
||slimesimulator.club^
||offroaderssurvive.club^
||lending-online.club^
||controlcenterios.club^
||callerids.club^
||carracer.club^
||streetracingg.club^
||checkheart.club^
||keyboardthemes.club^
||whatsmesticker.club^
||batterychargingeffect.club^
||luxoreditor.club^
||lionflix.club^
||amazingvideoeditor.club^
||zodiachand.club^
||zeusalmighty.club^
||pharaohsadventure.club^
||batterylivewallpaperhd.club^
||comqubla.club^
||safelock.club^
||heartrhythm.club^
||easybassbooster.club^
||comphotolab.club^
# GriftHorse Second-Stage Domain
||678ikmbtui.com^
# GriftHorse Third-Stage Domains
||safe-link.mobi^
||at.gogameportal.club^
||activate-your-account-now.com^
||continue-to-get-content-now.com^
||your-access-here.com^
||app.buenosocial.club^
||join.crazymob.co^
||vl.denrok.space^
||www.timpromos.com.br^
||campaignmanager.fun.moobig.com^
||get-your-access-now.com^
||v.mobzones.com^
||mt2-sdp4.mt-2.co^
||go.whatabookmark.com^
||lp.shoopadoo.com^
||es.mobiplus.me^
||af.to.123games.club^
||be.startdownload.mobi^
||za.startdownload.mobi^
||n.appspool.net^
||wap.trend-tech.net^
||fr.chillaxgames.mobi^
||tracking.hexilo.com^
# Suspected GriftHorse from pDNS 185.255.179.131 / 185.255.179.132 ->
||1g7kvrv.xyz^
||2fnoqifq.com^
||2g8cvdii.com^
||2oafxcbq.xyz^
||5rfvbnji9.com^
||7lc6jc.xyz^
||7nvdx0.xyz^
||8sghnct.xyz^
||berf4o.xyz^
||blfnf9y.com^
||brlyp4pg.com^
||chulahfi.xyz^
||cmvkvncsse.xyz^
||cophico.pw^
||cwkjravqsj.xyz^
||dhfvbsihjf.com^
||dsfhskln.com^
||eksndtpf.org^
||emraiyz.xyz^
||eok8wd5v.net^
||erbfzk.com^
||ersokbkj.com^
||fdfjhks.com^
||ffnbafc.xyz^
||hrvxkxq.xyz^
||il0baz.com^
||jduzuyd.com^
||jsdfbhsa.com^
||jydfoafcaf.xyz^
||kgr0aixa.xyz^
||krkmyvlmdg.xyz^
||lgdzbch.com^
||liahkhe.xyz^
||lljmbbk.com^
||lmbbnrhiuj.xyz^
||lwvurdsjk.org^
||lxghjoxzns.com^
||mnfbodivbv.com^
||mt5vsuf1.net^
||nfrmg1y.xyz^
||nwluoodzct.xyz^
||ocheyhv.xyz^
||okjojihgv.com^
||olimob.net^
||ortn13der.xyz^
||poiuwhejgr.com^
||pwtgnp.pw^
||qtwjhuj.com^
||rfjdhxbz.com^
||sjkfsdkg.com^
||trfvbnji7.com^
||urtyhfds.com^
||v9czaci.xyz^
||vortnomade.net^
||w9x7itu.xyz^
||www.mnfbodivbv.com^
||www.okjojihgv.com^
||y0vvbm.xyz^
||yq0z3d.xyz^
# additional suspected GriftHorse from pDNS - 2021-10-21
||down.tracksz.co^
||go.creativemobilemarketing.com^
||go.fastfinderworld.com^
||go.grandprizewinners.com^
||go.interlinkinternet.com^
||go.protectyoursearch.com^
||go.trackitalltheway.com^
||go.trackiteazy.com^
||go.watchwiser.com^
# TangleBot domains, research based on - https://www.cloudmark.com/en/blog/mobile/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19
||covid19-ca.link^
||hydro-ca.link^
||sock.godforgiveuss.live^
||sock.hhhhrkanandda.xyz^
||sock.nmnmnmfsamsfan.xyz^
||socktest.ankatras.xyz^
||vaccine-appointment.link^
# Donot / Origami Elephant / APT-C-35 IOCs from Amnesty - https://github.com/AmnestyTech/investigations/blob/master/2021-10-07_donot/domains.txt
||bulk.fun^
||apkv5.ppadaolnwod.xyz^
||apkv6.endurecif.top^
||getelements.xyz^
||fiddaz.club^
||lif0.top^
||fif0.top^
||chipp.pw^
||mimestyle.xyz^
||mangasiso.top^
||and.retardrattle.website^
||help.domainoutlet.site^
||whynotworkonit.top^
||spectronet.pw^
||full.naturalpercent.life^
||mimeversion.top^
||rythemsjoy.club^
||lowlight.xyz^
||inapturst.top^
||auth.forwardtoken.website^
||accounts.loginshare.info^
||seahome.top^
||imageview.xyz^
||flickry.xyz^
||apkv2.qwertykeypad.host^
||userauthen.pw^
||join.officeframe.work^
||zumba.tampotrust.agency^
||image.loadingmessage.info^
# AbstractEmu hosts from https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign
||jobs.illaewinstralinc.com^
||outline.abunddhighett.com^
||tags.illaryboucnc.com^
||cloud.nathompsstra.com^
||store.dianmpsoathom.com^
||fluency.ryboucoathom.com^
||csa.naaronegya.com^
||tips.ghetaldhighe.com^
||color.joarteauxelb.com^
# Cynos hosts from https://vms.drweb.com/virus/?i=24972842 - 46bc4c6c87fcb519a8f315c0010b949d682ac3abee62b33bd624b251a3521b19
||dns1.sdkbalance.com^
||dns2.sdkbalance.com^
||dns3.sdkbalance.com^
||sdk.sdkbalance.com^
||mg.sdkbalance.com^
# PhoneSpy hosts from https://blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/ and pDNS related
||acd.kcpro.ga^
||aki.kcpro.ga^
||arr.kcpro.tk^
||b.freespy1.ml^
||b.freespy1.tk^
||c.freespy1.ml^
||c.freespy1.tk^
||cef.kcpro.tk^
||cfs.kcpro.ga^
||d.freespy1.ml^
||d.freespy1.tk^
||dto.kcpro.ga^
||e.freespy1.ml^
||ejn.kcpro.ga^
||ern.kcpro.ga^
||f.freespy1.ml^
||f.freespy1.tk^
||freespy.cf^
||g.freespy1.ml^
||g.freespy1.tk^
||h.freespy1.ml^
||h.freespy1.tk^
||hxg.kcpro.ga^
||i.freespy1.ml^
||i.freespy1.tk^
||j.freespy1.ml^
||j.freespy1.tk^
||k.freespy1.ml^
||k.freespy1.tk^
||koreavopi.kro.kr^
||l.freespy1.ml^
||l.freespy1.tk^
||m.freespy1.ml^
||m.freespy1.tk^
||mda.kcpro.ga^
||mgo.kcpro.ga^
||n.freespy1.ml^
||n.freespy1.tk^
||o.freespy1.ml^
||o.freespy1.tk^
||oso.kcpro.ga^
||p.freespy1.ml^
||p.freespy1.tk^
||pql.kcpro.ga^
||wvv.kcpro.ga^
||ydc.kcpro.ga^
||zqn.kcpro.ga^
||zsx.kcpro.ga^
# https://blog.appcensus.io/2022/04/06/the-curious-case-of-coulus-coelib/
||mobile.measurelib.com^
||measurelib.com^
||ami0wned.com^
||amiowned.com^
||arduous.work^
||attorney-client-privileged.com^
||attorney-client.org^
||attorneyclientprivileged.com^
||beachhackerspace.com^
||cloudwatchtower.com^
||consilio.lawyer^
||consiliolaw.com^
||darknetinfo.com^
||dataillusionist.com^
||easycalea.com^
||extremeexploits.com^
||extremeexploits.org^
||fraudpreventionsys.com^
||gleancorp.com^
||idme.org^
||indelibleblue.net^
||indelibleblueinc.net^
||internetcartography.com^
||internetcartography.net^
||internetcartography.org^
||littoralventures.com^
||marketinfo.tips^
||measurementsys.com^
||mxout.net^
||myaddress.today^
||ndagri.com^
||networkcartography.com^
||networkcartography.net^
||networkcartography.org^
||newdulcina.com^
||opensourcecontext.com^
||oppleman.org^
||oscontext.com^
||pathanalyzer.com^
||pathanalyzerpro.com^
||precise.fit^
||pwhois.net^
||pwhois.org^
||quietquell.com^
||trustcor.co^
||vbchs.com^
||vbchs.org^
||vbhacker.space^
||vbhackerspace.com^
||vbhackerspace.org^
||vostrom.ventures^
||whoisanalyzer.com^
||whoisanalyzerpro.com^
||mobile.fra2.measurelib.com^
||mobile.ams2.measurelib.com^
# Telematicsdirect - from al-moazin-lite-prayer-times.apk - dcb56dc7b817dd65a1f5ebfe81cf36b85ad523990b8e4f69a4a1654d1cc8277c
||nav.telematicsdirect.com^
# SafeGraph / OpenLocate
# https://github.com/pablobaxter/openlocate-android
# https://www.vice.com/en/article/m7vymn/cdc-tracked-phones-location-data-curfews
||api.safegraph.com^
# daily-scratchers.apk / 22a80df1084af11129baef89bce0bafad0aaae41e58dc2bb6e7c27fd3f4bac49 / me.actv8.tvwallet
||actv8technologies.com^
||api-production-v4.actv8technologies.com^
||sonar.actv8technologies.com^
# Joker - RelaxingMusicSootheYourBody_signed.apk - 14c35d1158cc47cfb605fdd686603b0929d38c046dce03fd6033fb8a31433798
||novasdk.oss-cn-beijing.aliyuncs.com^
# Joker - https://github.com/DoctorWebLtd/malware-iocs/tree/master/Android.Joker
# Note: domain offline since Feb 2022
||ad.mobnv.com^
# pDNS for 161.117.252.102
||app.mobnv.com^
||aff.fortunnecat.com^
# WhatsApp mod distributed through legitimate apps:
# https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690/?utm_source=everyonesocial&utm_medium=partner&utm_campaign=us_NA-newsletter_en0177&utm_content=sm-post&utm_term=us_everyonesocial_organic_an17748oyfteksz&es_id=cfde1a3994
||wa.zcnewy.com^
||av2wg.rt14v.com^
||g1790.rt14v.com^
# xnspy - 578a880848bc52bed83b2be817a148187fde129cc8ad50db49630c0ebf59102c - xnspyappv2.apk
# https://techcrunch.com/2022/12/12/xnspy-stalkerware-iphone-android/
||alert.xiz4me.com^
||asset.xiz4me.com^
||sync.xiz4me.com^
||xiz4me.com^
||mydwnd.com^
||brilliant-flame-585.firebaseio.com^
||brilliant-flame-585.appspot.com^
# xnspy - 7e3930771370ed111cdb83397a04fa7ee89f1ea35b7f5306bb1522b82bc6d38d
||sync.bk128.com^
||alert.bk128.com^
||asset.bk128.com^
||bk128.com^
# xnspy - 9114e561c42ea19b183ef5d8a36e743f2b873874e43d805b11e3753035c7900d
||true-truck-86810.firebaseio.com^
||true-truck-86810.appspot.com^
# Fleckpe - from https://securelist.com/fleckpe-a-new-family-of-trojan-subscribers-on-google-play/109643/
||ac.iprocam.xyz^
||ad.iprocam.xyz^
||ap.iprocam.xyz^
||b7.photoeffect.xyz^
||ba3.photoeffect.xyz^
||f0.photoeffect.xyz^
||m11.slimedit.live^
||m12.slimedit.live^
||m13.slimedit.live^
||ba.beautycam.xyz^
||f6.beautycam.xyz^
||f8a.beautycam.xyz^
||ae.mveditor.xyz^
||b8c.mveditor.xyz^
||d3.mveditor.xyz^
||fa.gifcam.xyz^
||fb.gifcam.xyz^
||fl.gifcam.xyz^
||a.hdmodecam.live^
||b.hdmodecam.live^
||l.hdmodecam.live^
||vd.toobox.online^
||ve.toobox.online^
||vt.toobox.online^
||t1.twmills.xyz^
||t2.twmills.xyz^
||t3.twmills.xyz^
||api.odskguo.xyz^
||gbcf.odskguo.xyz^
||track.odskguo.xyz^
# AhRat - see https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/
||order.80876dd5.shop^
# AhRat - b2c1517e4b0e0b3286a5cde06310b2277da7333f5ab3c2828f08272e3f85b260 - iRecorder - Screen Recorder_2.0_apkcombo.com.apk
||config.unityads.unity3d.com^
||config.unityads.unitychina.cn^
||init.supersonicads.com^
||logs.supersonic.com^
||outcome-ssp.supersonicads.com^
||supersonicads.com^
# uBlock telemetry endpoint - adblock-stats.js inside a01ff7dac823f3666e7f38527739802e5a7ce3cb539b6a390ca99d423b5c9779
# data is sent even if telemetry is disabled
||ublocker-chrome.com^
# Cytrox Predator domains, see - https://citizenlab.ca/2023/09/predator-in-the-wires-ahmed-eltantawy-targeted-with-predator-spyware-after-announcing-presidential-ambitions/
||almal-news.com^
||chat-support.support^
||cibeg.online^
||notifications-sec.com^
||wa-info.com^
||whatssapp.co^
||wts-app.info^
||sec-flare.com^
||verifyurl.me^
||c.betly.me^
||betly.me^
||web.whatssapp.co^
||whatspp.wa-info.com^
||notifications.wa-info.com^
||t-bit.me^
# PEACHPIT and BADBOX, extended infrastructure (expansion by @craiu), see - https://www.humansecurity.com/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pdf
||adbsc.flyermobi.com^
||adbsc.ikmytech.com^
||adbsdk.flyermobi.com^
||admin.dofunapps.com^
||ads.dofunapps.com^
||ads.flyermobi.com^
||apkcar.com^
||ats.flyermobi.com^
||ats.ikmytech.com^
||cbphe.com^
||cbpheback.com^
||dcylog.com^
||flyermobi.com^
||n1.flyermobi.com^
||sdk.dofunapps.com^
||www.apkcar.com^
||www.flyermobi.com^
||ycxrl.com^
||ymex.apkcar.com^
||ymlog.apkcar.com^
||ymsdk.apkcar.com^
# Unityads from https://github.com/Unity-Technologies/unity-ads-ios
||scar.unityads.unity3d.com^
||webviewbridge.unityads.unity3d.com^
||unityads.unity3d.com^
||gateway.unityads.unity3d.com^