# Various telemetry endpoints (hosts and domains) used by mobile location tracking libraries
# Contact: mobiletrackers [at] protonmail.ch
#
# Version 1.44 - 2023-10-05
#
# xmodesocial - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
0.0.0.0 bin5y4muil.execute-api.us-east-1.amazonaws.com
# unknown, possibly xmodesocial - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
0.0.0.0 8balwalz1i.execute-api.us-east-2.amazonaws.com
# unknowns - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
0.0.0.0 api.smartechmetrics.com
0.0.0.0 ck-running-apps-700f1.firebaseio.com
0.0.0.0 pie.wirelessregistry.com
# unknowns - 010f7bb33f35cc650b7d6104b07102eb0dbaf79bcec1f1c6255fdcaffefe6b68 - com.davidsukhin.com.sukhin.snowdaycalculator.SnowDay
# URLs below stored as base64 and encrypted xor 0x09 ->
0.0.0.0 udata.elephantdata.net
0.0.0.0 atb.bearclod.com
# pDNS data for the IPs associated with atb.bearclod.com ->
0.0.0.0 alb.bearclod.com
0.0.0.0 aly.bearclod.com
0.0.0.0 alz.bearclod.com
0.0.0.0 bivitis.bearclod.com
0.0.0.0 brt.bearclod.com
0.0.0.0 brul.bearclod.com
0.0.0.0 hfstat.bearclod.com
0.0.0.0 hkn01.bearclod.com
0.0.0.0 ply.bearclod.com
0.0.0.0 zoo.bearclod.com
# crashlytics - 4711634730d5367756bba4d776d846b01b8d0373336ea877a2c20b1da0a95477 - com.sgiggle.production_5.2.229629_1538560344.apk
0.0.0.0 settings.crashlytics.com
0.0.0.0 e.crashlytics.com
# starbolt - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
0.0.0.0 sdk.starbolt.io
0.0.0.0 dmp.starbolt.io
0.0.0.0 devices.starbolt.io
# sense360 ? - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
0.0.0.0 android-quinoa-config-prod.sense360eng.com
0.0.0.0 survey-notify-event.sense360eng.com
0.0.0.0 quinoa-personal-identify-prod.sense360eng.com
# appmeasurement - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
0.0.0.0 app-measurement.com
# newrelic - 2d4c9c037db43704f52968c9c363cbdf382cbb6a4b9143825f6e8b523b7c0c01 - com.crowdcompass.appmQaIam3e7C.apk
0.0.0.0 mobile-collector.newrelic.com
0.0.0.0 mobile-crash.newrelic.com
# Xiaomi related telemetry endpoints - see https://twitter.com/hookgab/status/1255859289945780225
0.0.0.0 data.mistat.india.xiaomi.com
0.0.0.0 data.mistat.intl.xiaomi.com
0.0.0.0 data.mistat.rus.xiaomi.com
0.0.0.0 tracking.rus.miui.com
0.0.0.0 tracking.intl.miui.com
0.0.0.0 tracking.india.miui.com
# from https://twitter.com/cybergibbons/status/1256703550954057729
0.0.0.0 sa.api.intl.miui.com
0.0.0.0 sa.api.india.miui.com
0.0.0.0 sa.api.rus.miui.com
# new xmodesocial - from https://mobile.twitter.com/guardianiosapp/status/1262545645941874689
0.0.0.0 api.myendpoint.io
# aggressive advertisers - https://securelist.com/in-app-advertising-in-android/97065/
# 1eeda6306a2b12f78902a1bc0b7a7961 - com.android.ggtoolkit_tw_xd
# 134283b8efedc3d7244ba1b3a52e4a92 - com.xprodev.cutcam
# 3aba867b8b91c17531e58a9054657e10 - com.powerd.cleaner
0.0.0.0 ti.domainforlite.com
0.0.0.0 uu.domainforlite.com
# pDNS resolutions for uu.domainforlite.com, hosting on 47.252.80.195
0.0.0.0 adserver.hahamobi.com
0.0.0.0 analytics.hahamobi.com
0.0.0.0 analytics.salmonads.com
0.0.0.0 api.salmonads.com
0.0.0.0 dat.funheroic.com
0.0.0.0 lg.luckyforworlds.com
0.0.0.0 lg.requestads.com
0.0.0.0 lg.smardroid.com
0.0.0.0 log.adywind.com
0.0.0.0 log.mobpowertech.com
0.0.0.0 net.hahamobi.com
0.0.0.0 net.salmonads.com
0.0.0.0 us01.salmonads.com
# mobile ads, 2020-07-07, additions from https://securelist.com/pig-in-a-poke-smartphone-adware/97607/
0.0.0.0 www.ywupscsff.com
0.0.0.0 www.mzeibiyr.com
0.0.0.0 i151125.infourl.net
0.0.0.0 www.jueoxdr.com
0.0.0.0 ufz.doesxyz.com
0.0.0.0 htapi.getapiv8.com
0.0.0.0 stable.icecyber.org
0.0.0.0 404mobi.com
0.0.0.0 51ginkgo.com
0.0.0.0 lbjg7.com
0.0.0.0 bigdata800.com
0.0.0.0 apd1.warnlog.com
0.0.0.0 apd1.thunup.com
# mintegral, 2020-08-30, described at: https://snyk.io/research/sour-mint-malicious-sdk/
0.0.0.0 n.systemlog.me
0.0.0.0 setting.rayjump.com
0.0.0.0 analytics.rayjump.com
# from pDNS on n.systemlog.me ->
0.0.0.0 net.cleverjp.com
# from fake NEXTALIVE (moonfair) application - https://www.zdnet.com/article/google-removes-android-app-that-was-used-to-spy-on-belarusian-protesters/
0.0.0.0 arcpi.nextialive.roimaster.site
0.0.0.0 api.nextialive.roimaster.site
0.0.0.0 ws.nextialive.roimaster.site
0.0.0.0 nextialive.roimaster.site
0.0.0.0 api.dev.chat.roimaster.site
0.0.0.0 dev.chat.roimaster.site
# Joker download URLs / hosts as described by ZScaler - https://www.zscaler.com/blogs/security-research/joker-playing-hide-and-seek-google-play
0.0.0.0 2j1i9uqw.oss-eu-central-1.aliyuncs.com
0.0.0.0 blackdragon03.oss-ap-southeast-5.aliyuncs.com
0.0.0.0 blackdragon.oss-ap-southeast-5.aliyuncs.com
0.0.0.0 fgcxweasqw.oss-eu-central-1.aliyuncs.com
0.0.0.0 jk8681oy.oss-eu-central-1.aliyuncs.com
0.0.0.0 laodaoo.oss-ap-southeast-5.aliyuncs.com
0.0.0.0 n47n.oss-ap-southeast-5.aliyuncs.com
0.0.0.0 nineth03.oss-ap-southeast-5.aliyuncs.com
0.0.0.0 proxy48.oss-eu-central-1.aliyuncs.com
0.0.0.0 rinimae.oss-ap-southeast-5.aliyuncs.com
0.0.0.0 sahar.oss-us-east-1.aliyuncs.com
# Cerberus C2s as described by BitDefender - https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/
0.0.0.0 2fapass.club
0.0.0.0 androidradio.life
0.0.0.0 downdating.club
0.0.0.0 fitnessstrategy.xyz
0.0.0.0 groovefitness.xyz
0.0.0.0 loversfinder.xyz
0.0.0.0 positivefitness.club
0.0.0.0 safeyourdata.xyz
0.0.0.0 sport4ever.club
0.0.0.0 vipyoga.today
0.0.0.0 weatherclub.club
0.0.0.0 yoga4u.xyz
# unknown (?) telemetry receiving endpoints from:
# 066de93f181e9cbcb8611c675bbcb0fc - com.speedcamera.detector.radar.detector.direction
0.0.0.0 yqchpwxvbg.execute-api.us-east-1.amazonaws.com
0.0.0.0 pn8sm7rjuc.execute-api.us-east-1.amazonaws.com
# venntel / gravy analytics from https://github.com/sociam/PROWISH/blob/master/data/200appsdynamic.csv
# venntel / gravy analytics from https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf
# gravy analytics docs - http://developers.findgravy.com/products/gold-api/docs/index2.html
0.0.0.0 api.findgravy.com
0.0.0.0 nwzhmwux-api.findgravy.com
0.0.0.0 zmq5ytc1-api.findgravy.com
0.0.0.0 mtm1nwmx-api.findgravy.com
0.0.0.0 gravyanalytics.com
# 51ec8159efb88a852005b94f0fd9891016b75f4b40d24608ee8a5c8d34826a3e - com.usatoday.android.news
0.0.0.0 ws.findgravy.com
0.0.0.0 api.foozor.com
0.0.0.0 testapi.foozor.com
# potentially related hosts on top of findgravy.com
0.0.0.0 img01.findgravy.com
0.0.0.0 img02.findgravy.com
0.0.0.0 img03.findgravy.com
0.0.0.0 img04.findgravy.com
# 51ec8159efb88a852005b94f0fd9891016b75f4b40d24608ee8a5c8d34826a3e - com.usatoday.android.news
0.0.0.0 pushapi.localytics.com
0.0.0.0 analytics.localytics.com
0.0.0.0 profile.localytics.com
# cuebiq location sdk from ->
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
0.0.0.0 in.cuebiq.com
0.0.0.0 ingestion-api.kiwi.sand.cuebiq.ai
# nodle.io sdk from ->
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
0.0.0.0 dev.nodle.io
0.0.0.0 us-central1-production-242307.cloudfunctions.net
# unknown sdk from 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass, possibly xmode related
# more crashlytics hosts from 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
0.0.0.0 firebase-settings.crashlytics.com
0.0.0.0 update.crashlytics.com
0.0.0.0 reports.crashlytics.com
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass ->
0.0.0.0 pixelprose.fr
# appsflyer from b8ce13566a048108b4321f5277e4d95a5d5743da4f082fbca30074439acf5a15 - com.unacademyapp
0.0.0.0 onelink.me
0.0.0.0 onelnk.com
0.0.0.0 app.aflink.com
0.0.0.0 t.appsflyer.com
# other various telemetry endpoints (not necessarily location related) from b8ce13566a048108b4321f5277e4d95a5d5743da4f082fbca30074439acf5a15 - com.unacademyapp
0.0.0.0 api.mixpanel.com
0.0.0.0 decide.mixpanel.com
0.0.0.0 cdn.optimizely.com
0.0.0.0 logx.optimizely.com
0.0.0.0 outline.truecaller.com
0.0.0.0 api4.truecaller.com
0.0.0.0 c.webengage.com
0.0.0.0 p.webengage.com
0.0.0.0 api.branch.io
0.0.0.0 bnc.lt
0.0.0.0 cdn.branch.io
0.0.0.0 js.intercomcdn.com
0.0.0.0 mobile-sdk-api.intercom.io
# Clevertap's wzrkt.com - also see https://twitter.com/fs0c131y/status/977267255309463554
0.0.0.0 wzrkt.com
0.0.0.0 in.wzrkt.com
# subdomains from wzrkt.com - https://subdomainfinder.c99.nl/scans/2020-04-19/wzrkt.com
0.0.0.0 api.wzrkt.com
0.0.0.0 cb.wzrkt.com
0.0.0.0 eu1-spiky.wzrkt.com
0.0.0.0 eu1.alb.wzrkt.com
0.0.0.0 eu1.wzrkt.com
0.0.0.0 in.cb.wzrkt.com
0.0.0.0 in1-spiky.wzrkt.com
0.0.0.0 in1.alb.wzrkt.com
0.0.0.0 in1.wzrkt.com
0.0.0.0 sg1-spiky.wzrkt.com
0.0.0.0 sg1.cb.wzrkt.com
0.0.0.0 sg1.wzrkt.com
0.0.0.0 sk1-spiky.wzrkt.com
0.0.0.0 sk1-staging-1.wzrkt.com
0.0.0.0 sk1-staging-10.wzrkt.com
0.0.0.0 sk1-staging-2.wzrkt.com
0.0.0.0 sk1-staging-3.wzrkt.com
0.0.0.0 sk1-staging-4.wzrkt.com
0.0.0.0 sk1-staging-5.wzrkt.com
0.0.0.0 sk1-staging-6.wzrkt.com
0.0.0.0 sk1-staging-7.wzrkt.com
0.0.0.0 sk1-staging-8.wzrkt.com
0.0.0.0 sk1-staging-9.wzrkt.com
0.0.0.0 sk1.wzrkt.com
0.0.0.0 us1-spiky.wzrkt.com
0.0.0.0 us1.cb.wzrkt.com
0.0.0.0 us1.wzrkt.com
# from cb9f6bb72a9766ba8c805c25769b47c46751052706bb41ed333db0b42cd586ff - com.byjus.thelearningapp
# also see https://digitalwatchdog.org/wp-content/uploads/2020/09/IDAC-Ed-Tech-Report_AppendixB_SensitiveData.pdf
0.0.0.0 api.tllms.com
0.0.0.0 marketing.tllms.com
# from 09f5bcadde3351eb3f509f5a471cbd7bb00536292da560bcf8ee59eb73116f00 - luo.speedometergps
# teragence ->
0.0.0.0 control.teragence.net
0.0.0.0 pfsense02-01.is-61194.teragence.net
# tutela ->
0.0.0.0 upload-tutelawest.s3-accelerate.amazonaws.com
0.0.0.0 reporting-util.tutelatechnologies.com
0.0.0.0 hail-reporting.tutelatechnologies.com
0.0.0.0 thepopulator.tutelatechnologies.com
# huq (also from 9c53a29a7e6a871f57b20097185a09afd2ff818455a42792d502f1eb8f2e3679) ->
0.0.0.0 api.huqindustries.co.uk
0.0.0.0 report.huqindustries.co.uk
0.0.0.0 charles.huqindustries.co.uk
# IOCs from https://www.whiteops.com/blog/somewhere-over-the-rainbowmix
0.0.0.0 api.pythonexample.com
# Predicio - from Funny Weather - pl.lawiusz.funnyweather.release.apk - 6d23151e69a57f67111d4969594316576577ae8a2015aff336ab6ef0fb2a07b4
# see https://www.vice.com/en/article/epdpdm/ice-dhs-fbi-location-data-venntel-apps
0.0.0.0 sdk.predic.io
# Kinesis endpoint from Funny Weather:
0.0.0.0 kinesis.ap-southeast-1.amazonaws.com
# Complementics endpoints from 4ba50272718c95af20940912c7968410d797fbc07dcce2bad8183b94887b0ab4
0.0.0.0 sdk-as.complementics.com
0.0.0.0 static.complementics.com
# Goontact from https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail
0.0.0.0 redvios.com
0.0.0.0 v-talk.top
0.0.0.0 v-talk.vip
0.0.0.0 ladysizi.top
0.0.0.0 mmbox.top
0.0.0.0 oncamera.top
0.0.0.0 oncast.top
0.0.0.0 mimibox.top
0.0.0.0 voicecontrol.top
0.0.0.0 signaltalk.top
0.0.0.0 oncamera.vip
0.0.0.0 dalbam.vip
0.0.0.0 mimimsg.net
0.0.0.0 signal-live.vip
0.0.0.0 tele-gram.vip
0.0.0.0 vtalk.vip
0.0.0.0 a-video.vip
0.0.0.0 livetalk.vip
0.0.0.0 livetalk.top
0.0.0.0 download-file.top
0.0.0.0 grd77.cn
0.0.0.0 mimicwt.net
0.0.0.0 super-voice.vip
0.0.0.0 mimi18s.top
0.0.0.0 momomsg.top
0.0.0.0 live-live.vip
0.0.0.0 zerobyte.top
0.0.0.0 zerobt.net
0.0.0.0 w-video.vip
0.0.0.0 ser-chat.com
0.0.0.0 tocast.vip
0.0.0.0 videosound.vip
0.0.0.0 twi-tter.vip
0.0.0.0 my-player.vip
0.0.0.0 voicesupport.vip
# Joker from https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/
0.0.0.0 gd-1301476296.cos.na-toronto.myqcloud.com
# Related to: https://github.com/greatsuspender/thegreatsuspender/issues/1175
# and: https://www.theregister.com/2021/01/07/great_suspender_malware/
0.0.0.0 cdn.owebanalytics.com
0.0.0.0 static.trckingbyte.com
0.0.0.0 static.trckpath.com
0.0.0.0 static.privacytrck.com
0.0.0.0 rctphvxwnjhx.pw
0.0.0.0 hanstrackr.com
# Postlo spyware - https://twitter.com/ESETresearch/status/1374889857403785218?s=20
0.0.0.0 api.mainrepo.org
# EvilEye malware C2s mentioned at https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/
0.0.0.0 anayurt.net
0.0.0.0 apkprue.info
0.0.0.0 geo2ipapi.org
0.0.0.0 gotossl.ml
0.0.0.0 icptime.com
0.0.0.0 istiqlaihaber.com
0.0.0.0 misran.org
0.0.0.0 newyorkingsite.com
0.0.0.0 playgoog1e.com
0.0.0.0 preservtyg.com
0.0.0.0 sslportservices.com
0.0.0.0 strunhvgpk.com
0.0.0.0 uhtpuerdfbnm.com
0.0.0.0 uyghur-news.com
0.0.0.0 uyghur-soft-market.com
0.0.0.0 uyghurhaber.com
0.0.0.0 www.apkhl.pw
0.0.0.0 apkhl.pw
0.0.0.0 www.apkpure.bz
0.0.0.0 apkpure.bz
# Xcodespy - https://labs.sentinelone.com/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/
0.0.0.0 www.liveupdate.cc
0.0.0.0 www.appmarket.co
0.0.0.0 www.recentnews.cc
0.0.0.0 www.truckrental.cc
0.0.0.0 www.everestnote.com
0.0.0.0 www.alinbox.co
0.0.0.0 www.suppro.co
# APKPure compromise by Triada malware - https://securelist.com/apkpure-android-app-store-infected/101845/
0.0.0.0 wcf.seven1029.com
0.0.0.0 foodin.site
# Triada from https://securelist.com/triada-trojan-in-whatsapp-mod/103679/
# Trojan.AndroidOS.Triada.ef b1aa5d5bf39fee0b1e201d835e4dc8de
0.0.0.0 t1k22.c8xwor.com
0.0.0.0 dgmxn.c8xwor.com
# Tutela technologies - f9db002cbc6e5b6de37fb15aefaaf3934a700a7a2f9d5949f3cd6bb8c7dfc1bc - org.speedspot.speedanalytics
0.0.0.0 reporting.tutelatechnologies.com
0.0.0.0 video-url.tutelatechnologies.com
0.0.0.0 d3clybje3sun07.cloudfront.net
# speedspot - reports GPS location, other data - SpeedtestResultViews.java - inside f9db002cbc6e5b6de37fb15aefaaf3934a700a7a2f9d5949f3cd6bb8c7dfc1bc
0.0.0.0 api.speedspot.org
0.0.0.0 www.speedcheck.org
0.0.0.0 net.etrality.com
0.0.0.0 a2.etrality.com
0.0.0.0 a1.etrality.com
0.0.0.0 c4.etrality.com
0.0.0.0 b3.etrality.com
0.0.0.0 c3.etrality.com
0.0.0.0 b2.etrality.com
0.0.0.0 c2.etrality.com
0.0.0.0 b1.etrality.com
0.0.0.0 c1.etrality.com
0.0.0.0 wpc.a3cd.edgecastcdn.net
0.0.0.0 speedspot.speedspot.netdna-cdn.com
0.0.0.0 www.speedspot5.com
0.0.0.0 www.speedspot1.com
0.0.0.0 www.speedspot7.com
0.0.0.0 www.speedspot2.com
0.0.0.0 www.speedspot3.com
0.0.0.0 www.speedspot4.com
0.0.0.0 www.speedspot6.com
# Kochava endpoints, from rugabunda https://beta.pithus.org/report/844aa271ef47f7807ab3ccc63952e2215298701a6851857c22456317927f08fd
0.0.0.0 co.akisinn.info
0.0.0.0 co.dewrain.life
0.0.0.0 co.vaicore.site
0.0.0.0 co.vaicore.xyz
0.0.0.0 int.akisinn.info
0.0.0.0 int.akisinn.me
0.0.0.0 int.akisinn.site
0.0.0.0 int.dewrain.life
0.0.0.0 int.dewrain.site
0.0.0.0 int.dewrain.world
0.0.0.0 int.vaicore.site
0.0.0.0 int.vaicore.store
0.0.0.0 int.vaicore.xyz
0.0.0.0 int.vlancaa.site
0.0.0.0 int.vlancaa.fun
0.0.0.0 tok.vaicore.xyz
0.0.0.0 vaicore.xyz
0.0.0.0 web.ab-salute.com
0.0.0.0 smart.link
# Adeco and inappertising - see https://www.occrp.org/en/investigations/how-a-russian-mobile-app-developer-recruited-phones-into-a-secret-ad-watching-robot-army
# Ultimate-Mortal-Kombat-3-v1-1.apk - https://www.virustotal.com/gui/file/dc078b004830ff03a27371bbc1c4a7b5882d5a0fb577a8477c09e8b3bfe0d6d3/details
0.0.0.0 cfg.inappertising.org
0.0.0.0 stats.inappertising.org
0.0.0.0 app-stats.net2share.com
0.0.0.0 s.net2share.com
0.0.0.0 adeco.adecosystems.com
0.0.0.0 dd.adecosystems.com
# GriftHorse Android from - https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/
0.0.0.0 hotofecro.com
0.0.0.0 alaiblompass.com
0.0.0.0 heartratteandpulsetracker.com
0.0.0.0 icoonectedtrack.com
0.0.0.0 ospocatracker.com
0.0.0.0 laalaslirayeblection.com
0.0.0.0 iblompass.com
0.0.0.0 smalllcalllrecorder.com
0.0.0.0 anguaganslatast.com
0.0.0.0 oroscopemestry.com
0.0.0.0 blompascator.com
0.0.0.0 leunoon.com
0.0.0.0 arindocation.com
0.0.0.0 rooitor.com
0.0.0.0 mychattranslator.club
0.0.0.0 rulapptoplan.com
0.0.0.0 rportranslator.com
0.0.0.0 muslimasauda.com
0.0.0.0 martpolocator.com
0.0.0.0 wfupppx.com
0.0.0.0 scandocnotes.com
0.0.0.0 freecoupon21.com
0.0.0.0 ponyvideochat.com
0.0.0.0 ludamec.com
0.0.0.0 chat-transa.com
0.0.0.0 soulscanneryh.com
0.0.0.0 d3cameraplan.com
0.0.0.0 qibla-ultima.com
0.0.0.0 zoofanimalm.com
0.0.0.0 ciaolvc.com
0.0.0.0 heartrateproxhealthmonitor.com
0.0.0.0 bus-metrolis.com
0.0.0.0 truck-rouddrive.com
0.0.0.0 locatinfind.com
0.0.0.0 camerdentifier.com
0.0.0.0 locatorqiafindlocation.com
0.0.0.0 cocachar.com
0.0.0.0 squishyp.com
0.0.0.0 antranslaro.com
0.0.0.0 ftphotom.com
0.0.0.0 lockul.com
0.0.0.0 fingerprihanger.com
0.0.0.0 locatorshar.com
0.0.0.0 kfcwsa.com
0.0.0.0 gpsphonuetrackerfamilylocator.com
0.0.0.0 cailrecorder.com
0.0.0.0 tqiblacompas.com
0.0.0.0 kvprojectop.com
0.0.0.0 pikchoeditor.com
0.0.0.0 streetprocarsracingss.com
0.0.0.0 nemaeovies.com
0.0.0.0 aecodero.com
0.0.0.0 ivlewepapallrbkragonucd.com
0.0.0.0 heartrateandmealtracker.com
0.0.0.0 phonecontrolblockspamcalls.com
0.0.0.0 etcotater.com
0.0.0.0 canopoument.com
0.0.0.0 locxfindxlocx.com
0.0.0.0 mnesytrlatr.com
0.0.0.0 huntcontactz.com
0.0.0.0 intelgenttran.com
0.0.0.0 facenalyer.com
0.0.0.0 fnbdeiegpslocoiatntcrkaer.com
0.0.0.0 trcalluecodr.com
0.0.0.0 qrreaderpro.com
0.0.0.0 itranstxtvoicepht.com
0.0.0.0 qiberiblaon.com
0.0.0.0 iconylc.com
0.0.0.0 lsepeanitor.com
0.0.0.0 fxkwboard.com
0.0.0.0 dehcoveanager.com
0.0.0.0 tickeakhatsp.com
0.0.0.0 phoneboster.com
0.0.0.0 phonfinbyclap.com
0.0.0.0 aralaper.com
0.0.0.0 qibdirctiowa.com
0.0.0.0 islsrickers.com
0.0.0.0 feartranslator.com
0.0.0.0 vpnzfep.com
0.0.0.0 snaplens-pt.com
0.0.0.0 qiblassirection.com
0.0.0.0 easyvshow.com
0.0.0.0 qibla-quran.com
0.0.0.0 qrcodesscan.com
0.0.0.0 hoolives.com
0.0.0.0 burivingsim.com
0.0.0.0 coupongiftsnstashop.com
0.0.0.0 fingdefend.com
0.0.0.0 projectormp.com
0.0.0.0 forzahmobile.com
0.0.0.0 artateulseonitor.com
0.0.0.0 sslasmr.com
0.0.0.0 bagscaner.com
0.0.0.0 phonecallerscreen.com
0.0.0.0 datingappswmt.com
0.0.0.0 lifeel-scan.com
0.0.0.0 colorizerset.club
0.0.0.0 expresscreditcash.com
0.0.0.0 ccallerx.com
0.0.0.0 transatitonneap.com
0.0.0.0 lasouncherio.com
0.0.0.0 claptfindzmphone.com
0.0.0.0 mirrorscreencasttvv.com
0.0.0.0 ircleocatinder.com
0.0.0.0 mobleingsder.com
0.0.0.0 proocallerr.com
0.0.0.0 frecalwolwid.com
0.0.0.0 allelpcoonmber.com
0.0.0.0 faspulhearratmoni.com
0.0.0.0 fincconttact.com
0.0.0.0 uncherdroid.com
0.0.0.0 iveilembercker.com
0.0.0.0 lepamcker.com
0.0.0.0 lockaaocker.com
0.0.0.0 onarchbylap.com
0.0.0.0 secontranslatpr.com
0.0.0.0 tgscontakcs.com
0.0.0.0 callwhozdine.com
0.0.0.0 perargero.com
0.0.0.0 mylocatorplus.club
0.0.0.0 comclap.club
0.0.0.0 callerids.club
0.0.0.0 instantspeechtranslation.club
0.0.0.0 photoeditorbest.club
0.0.0.0 piction.club
0.0.0.0 driveriders.club
0.0.0.0 skycoachgg.club
0.0.0.0 ffitnesstrainer.club
0.0.0.0 racerscardriver.club
0.0.0.0 fitnessdias.club
0.0.0.0 meetingonlinechat.club
0.0.0.0 fitnessgymup.club
0.0.0.0 editsbackground.club
0.0.0.0 cutcutpro.club
0.0.0.0 drivingexpiriencesimulator.club
0.0.0.0 clipbuddy.club
0.0.0.0 horoscopefortune.club
0.0.0.0 ludospeakeasy.club
0.0.0.0 fitnesspoint.club
0.0.0.0 wallvoluminousfourk.club
0.0.0.0 cvectorart.club
0.0.0.0 ludospeakv2.club
0.0.0.0 callrecordpro.club
0.0.0.0 carracer.club
0.0.0.0 slimesimulator.club
0.0.0.0 offroaderssurvive.club
0.0.0.0 lending-online.club
0.0.0.0 controlcenterios.club
0.0.0.0 streetracingg.club
0.0.0.0 checkheart.club
0.0.0.0 keyboardthemes.club
0.0.0.0 whatsmesticker.club
0.0.0.0 batterychargingeffect.club
0.0.0.0 luxoreditor.club
0.0.0.0 lionflix.club
0.0.0.0 amazingvideoeditor.club
0.0.0.0 zodiachand.club
0.0.0.0 zeusalmighty.club
0.0.0.0 pharaohsadventure.club
0.0.0.0 batterylivewallpaperhd.club
0.0.0.0 comqubla.club
0.0.0.0 safelock.club
0.0.0.0 heartrhythm.club
0.0.0.0 easybassbooster.club
0.0.0.0 comphotolab.club
# GriftHorse Second-Stage Domain
0.0.0.0 678ikmbtui.com
# GriftHorse Third-Stage Domains
0.0.0.0 safe-link.mobi
0.0.0.0 at.gogameportal.club
0.0.0.0 activate-your-account-now.com
0.0.0.0 continue-to-get-content-now.com
0.0.0.0 your-access-here.com
0.0.0.0 app.buenosocial.club
0.0.0.0 join.crazymob.co
0.0.0.0 vl.denrok.space
0.0.0.0 www.timpromos.com.br
0.0.0.0 campaignmanager.fun.moobig.com
0.0.0.0 get-your-access-now.com
0.0.0.0 v.mobzones.com
0.0.0.0 mt2-sdp4.mt-2.co
0.0.0.0 go.whatabookmark.com
0.0.0.0 lp.shoopadoo.com
0.0.0.0 es.mobiplus.me
0.0.0.0 af.to.123games.club
0.0.0.0 be.startdownload.mobi
0.0.0.0 za.startdownload.mobi
0.0.0.0 n.appspool.net
0.0.0.0 wap.trend-tech.net
0.0.0.0 fr.chillaxgames.mobi
0.0.0.0 tracking.hexilo.com
# Suspected GriftHorse from pDNS 185.255.179.131 / 185.255.179.132 ->
0.0.0.0 1g7kvrv.xyz
0.0.0.0 2fnoqifq.com
0.0.0.0 2g8cvdii.com
0.0.0.0 2oafxcbq.xyz
0.0.0.0 5rfvbnji9.com
0.0.0.0 7lc6jc.xyz
0.0.0.0 7nvdx0.xyz
0.0.0.0 8sghnct.xyz
0.0.0.0 berf4o.xyz
0.0.0.0 blfnf9y.com
0.0.0.0 brlyp4pg.com
0.0.0.0 chulahfi.xyz
0.0.0.0 cmvkvncsse.xyz
0.0.0.0 cophico.pw
0.0.0.0 cwkjravqsj.xyz
0.0.0.0 dhfvbsihjf.com
0.0.0.0 dsfhskln.com
0.0.0.0 eksndtpf.org
0.0.0.0 emraiyz.xyz
0.0.0.0 eok8wd5v.net
0.0.0.0 erbfzk.com
0.0.0.0 ersokbkj.com
0.0.0.0 fdfjhks.com
0.0.0.0 ffnbafc.xyz
0.0.0.0 hrvxkxq.xyz
0.0.0.0 il0baz.com
0.0.0.0 jduzuyd.com
0.0.0.0 jsdfbhsa.com
0.0.0.0 jydfoafcaf.xyz
0.0.0.0 kgr0aixa.xyz
0.0.0.0 krkmyvlmdg.xyz
0.0.0.0 lgdzbch.com
0.0.0.0 liahkhe.xyz
0.0.0.0 lljmbbk.com
0.0.0.0 lmbbnrhiuj.xyz
0.0.0.0 lwvurdsjk.org
0.0.0.0 lxghjoxzns.com
0.0.0.0 mnfbodivbv.com
0.0.0.0 mt5vsuf1.net
0.0.0.0 nfrmg1y.xyz
0.0.0.0 nwluoodzct.xyz
0.0.0.0 ocheyhv.xyz
0.0.0.0 okjojihgv.com
0.0.0.0 olimob.net
0.0.0.0 ortn13der.xyz
0.0.0.0 poiuwhejgr.com
0.0.0.0 pwtgnp.pw
0.0.0.0 qtwjhuj.com
0.0.0.0 rfjdhxbz.com
0.0.0.0 sjkfsdkg.com
0.0.0.0 trfvbnji7.com
0.0.0.0 urtyhfds.com
0.0.0.0 v9czaci.xyz
0.0.0.0 vortnomade.net
0.0.0.0 w9x7itu.xyz
0.0.0.0 www.mnfbodivbv.com
0.0.0.0 www.okjojihgv.com
0.0.0.0 y0vvbm.xyz
0.0.0.0 yq0z3d.xyz
# additional suspected GriftHorse from pDNS - 2021-10-21
0.0.0.0 down.tracksz.co
0.0.0.0 go.creativemobilemarketing.com
0.0.0.0 go.fastfinderworld.com
0.0.0.0 go.grandprizewinners.com
0.0.0.0 go.interlinkinternet.com
0.0.0.0 go.protectyoursearch.com
0.0.0.0 go.trackitalltheway.com
0.0.0.0 go.trackiteazy.com
0.0.0.0 go.watchwiser.com
# TangleBot domains, research based on - https://www.cloudmark.com/en/blog/mobile/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19
0.0.0.0 covid19-ca.link
0.0.0.0 hydro-ca.link
0.0.0.0 sock.godforgiveuss.live
0.0.0.0 sock.hhhhrkanandda.xyz
0.0.0.0 sock.nmnmnmfsamsfan.xyz
0.0.0.0 socktest.ankatras.xyz
0.0.0.0 vaccine-appointment.link
# Donot / Origami Elephant / APT-C-35 IOCs from Amnesty - https://github.com/AmnestyTech/investigations/blob/master/2021-10-07_donot/domains.txt
0.0.0.0 bulk.fun
0.0.0.0 apkv5.ppadaolnwod.xyz
0.0.0.0 apkv6.endurecif.top
0.0.0.0 getelements.xyz
0.0.0.0 fiddaz.club
0.0.0.0 lif0.top
0.0.0.0 fif0.top
0.0.0.0 chipp.pw
0.0.0.0 mimestyle.xyz
0.0.0.0 mangasiso.top
0.0.0.0 and.retardrattle.website
0.0.0.0 help.domainoutlet.site
0.0.0.0 whynotworkonit.top
0.0.0.0 spectronet.pw
0.0.0.0 full.naturalpercent.life
0.0.0.0 mimeversion.top
0.0.0.0 rythemsjoy.club
0.0.0.0 lowlight.xyz
0.0.0.0 inapturst.top
0.0.0.0 auth.forwardtoken.website
0.0.0.0 accounts.loginshare.info
0.0.0.0 seahome.top
0.0.0.0 imageview.xyz
0.0.0.0 flickry.xyz
0.0.0.0 apkv2.qwertykeypad.host
0.0.0.0 userauthen.pw
0.0.0.0 join.officeframe.work
0.0.0.0 zumba.tampotrust.agency
0.0.0.0 image.loadingmessage.info
# AbstractEmu hosts from https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign
0.0.0.0 jobs.illaewinstralinc.com
0.0.0.0 outline.abunddhighett.com
0.0.0.0 tags.illaryboucnc.com
0.0.0.0 cloud.nathompsstra.com
0.0.0.0 store.dianmpsoathom.com
0.0.0.0 fluency.ryboucoathom.com
0.0.0.0 csa.naaronegya.com
0.0.0.0 tips.ghetaldhighe.com
0.0.0.0 color.joarteauxelb.com
# Cynos hosts from https://vms.drweb.com/virus/?i=24972842 - 46bc4c6c87fcb519a8f315c0010b949d682ac3abee62b33bd624b251a3521b19
0.0.0.0 dns1.sdkbalance.com
0.0.0.0 dns2.sdkbalance.com
0.0.0.0 dns3.sdkbalance.com
0.0.0.0 sdk.sdkbalance.com
0.0.0.0 mg.sdkbalance.com
# PhoneSpy hosts from https://blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/ and pDNS related
0.0.0.0 acd.kcpro.ga
0.0.0.0 aki.kcpro.ga
0.0.0.0 arr.kcpro.tk
0.0.0.0 b.freespy1.ml
0.0.0.0 b.freespy1.tk
0.0.0.0 c.freespy1.ml
0.0.0.0 c.freespy1.tk
0.0.0.0 cef.kcpro.tk
0.0.0.0 cfs.kcpro.ga
0.0.0.0 d.freespy1.ml
0.0.0.0 d.freespy1.tk
0.0.0.0 dto.kcpro.ga
0.0.0.0 e.freespy1.ml
0.0.0.0 ejn.kcpro.ga
0.0.0.0 ern.kcpro.ga
0.0.0.0 f.freespy1.ml
0.0.0.0 f.freespy1.tk
0.0.0.0 freespy.cf
0.0.0.0 g.freespy1.ml
0.0.0.0 g.freespy1.tk
0.0.0.0 h.freespy1.ml
0.0.0.0 h.freespy1.tk
0.0.0.0 hxg.kcpro.ga
0.0.0.0 i.freespy1.ml
0.0.0.0 i.freespy1.tk
0.0.0.0 j.freespy1.ml
0.0.0.0 j.freespy1.tk
0.0.0.0 k.freespy1.ml
0.0.0.0 k.freespy1.tk
0.0.0.0 koreavopi.kro.kr
0.0.0.0 l.freespy1.ml
0.0.0.0 l.freespy1.tk
0.0.0.0 m.freespy1.ml
0.0.0.0 m.freespy1.tk
0.0.0.0 mda.kcpro.ga
0.0.0.0 mgo.kcpro.ga
0.0.0.0 n.freespy1.ml
0.0.0.0 n.freespy1.tk
0.0.0.0 o.freespy1.ml
0.0.0.0 o.freespy1.tk
0.0.0.0 oso.kcpro.ga
0.0.0.0 p.freespy1.ml
0.0.0.0 p.freespy1.tk
0.0.0.0 pql.kcpro.ga
0.0.0.0 wvv.kcpro.ga
0.0.0.0 ydc.kcpro.ga
0.0.0.0 zqn.kcpro.ga
0.0.0.0 zsx.kcpro.ga
# https://blog.appcensus.io/2022/04/06/the-curious-case-of-coulus-coelib/
0.0.0.0 mobile.measurelib.com
0.0.0.0 measurelib.com
0.0.0.0 ami0wned.com
0.0.0.0 amiowned.com
0.0.0.0 arduous.work
0.0.0.0 attorney-client-privileged.com
0.0.0.0 attorney-client.org
0.0.0.0 attorneyclientprivileged.com
0.0.0.0 beachhackerspace.com
0.0.0.0 cloudwatchtower.com
0.0.0.0 consilio.lawyer
0.0.0.0 consiliolaw.com
0.0.0.0 darknetinfo.com
0.0.0.0 dataillusionist.com
0.0.0.0 easycalea.com
0.0.0.0 extremeexploits.com
0.0.0.0 extremeexploits.org
0.0.0.0 fraudpreventionsys.com
0.0.0.0 gleancorp.com
0.0.0.0 idme.org
0.0.0.0 indelibleblue.net
0.0.0.0 indelibleblueinc.net
0.0.0.0 internetcartography.com
0.0.0.0 internetcartography.net
0.0.0.0 internetcartography.org
0.0.0.0 littoralventures.com
0.0.0.0 marketinfo.tips
0.0.0.0 measurementsys.com
0.0.0.0 mxout.net
0.0.0.0 myaddress.today
0.0.0.0 ndagri.com
0.0.0.0 networkcartography.com
0.0.0.0 networkcartography.net
0.0.0.0 networkcartography.org
0.0.0.0 newdulcina.com
0.0.0.0 opensourcecontext.com
0.0.0.0 oppleman.org
0.0.0.0 oscontext.com
0.0.0.0 pathanalyzer.com
0.0.0.0 pathanalyzerpro.com
0.0.0.0 precise.fit
0.0.0.0 pwhois.net
0.0.0.0 pwhois.org
0.0.0.0 quietquell.com
0.0.0.0 trustcor.co
0.0.0.0 vbchs.com
0.0.0.0 vbchs.org
0.0.0.0 vbhacker.space
0.0.0.0 vbhackerspace.com
0.0.0.0 vbhackerspace.org
0.0.0.0 vostrom.ventures
0.0.0.0 whoisanalyzer.com
0.0.0.0 whoisanalyzerpro.com
0.0.0.0 mobile.fra2.measurelib.com
0.0.0.0 mobile.ams2.measurelib.com
# Telematicsdirect - from al-moazin-lite-prayer-times.apk - dcb56dc7b817dd65a1f5ebfe81cf36b85ad523990b8e4f69a4a1654d1cc8277c
0.0.0.0 nav.telematicsdirect.com
# SafeGraph / OpenLocate
# https://github.com/pablobaxter/openlocate-android
# https://www.vice.com/en/article/m7vymn/cdc-tracked-phones-location-data-curfews
0.0.0.0 api.safegraph.com
# daily-scratchers.apk / 22a80df1084af11129baef89bce0bafad0aaae41e58dc2bb6e7c27fd3f4bac49 / me.actv8.tvwallet
0.0.0.0 actv8technologies.com
0.0.0.0 api-production-v4.actv8technologies.com
0.0.0.0 sonar.actv8technologies.com
# Joker - RelaxingMusicSootheYourBody_signed.apk - 14c35d1158cc47cfb605fdd686603b0929d38c046dce03fd6033fb8a31433798
0.0.0.0 novasdk.oss-cn-beijing.aliyuncs.com
# Joker - https://github.com/DoctorWebLtd/malware-iocs/tree/master/Android.Joker
# Note: domain offline since Feb 2022
0.0.0.0 ad.mobnv.com
# pDNS for 161.117.252.102
0.0.0.0 app.mobnv.com
0.0.0.0 aff.fortunnecat.com
# WhatsApp mod distributed through legitimate apps:
# https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690/?utm_source=everyonesocial&utm_medium=partner&utm_campaign=us_NA-newsletter_en0177&utm_content=sm-post&utm_term=us_everyonesocial_organic_an17748oyfteksz&es_id=cfde1a3994
0.0.0.0 wa.zcnewy.com
0.0.0.0 av2wg.rt14v.com
0.0.0.0 g1790.rt14v.com
# xnspy - 578a880848bc52bed83b2be817a148187fde129cc8ad50db49630c0ebf59102c - xnspyappv2.apk
# https://techcrunch.com/2022/12/12/xnspy-stalkerware-iphone-android/
0.0.0.0 alert.xiz4me.com
0.0.0.0 asset.xiz4me.com
0.0.0.0 sync.xiz4me.com
0.0.0.0 xiz4me.com
0.0.0.0 mydwnd.com
0.0.0.0 brilliant-flame-585.firebaseio.com
0.0.0.0 brilliant-flame-585.appspot.com
# xnspy - 7e3930771370ed111cdb83397a04fa7ee89f1ea35b7f5306bb1522b82bc6d38d
0.0.0.0 sync.bk128.com
0.0.0.0 alert.bk128.com
0.0.0.0 asset.bk128.com
0.0.0.0 bk128.com
# xnspy - 9114e561c42ea19b183ef5d8a36e743f2b873874e43d805b11e3753035c7900d
0.0.0.0 true-truck-86810.firebaseio.com
0.0.0.0 true-truck-86810.appspot.com
# Fleckpe - from https://securelist.com/fleckpe-a-new-family-of-trojan-subscribers-on-google-play/109643/
0.0.0.0 ac.iprocam.xyz
0.0.0.0 ad.iprocam.xyz
0.0.0.0 ap.iprocam.xyz
0.0.0.0 b7.photoeffect.xyz
0.0.0.0 ba3.photoeffect.xyz
0.0.0.0 f0.photoeffect.xyz
0.0.0.0 m11.slimedit.live
0.0.0.0 m12.slimedit.live
0.0.0.0 m13.slimedit.live
0.0.0.0 ba.beautycam.xyz
0.0.0.0 f6.beautycam.xyz
0.0.0.0 f8a.beautycam.xyz
0.0.0.0 ae.mveditor.xyz
0.0.0.0 b8c.mveditor.xyz
0.0.0.0 d3.mveditor.xyz
0.0.0.0 fa.gifcam.xyz
0.0.0.0 fb.gifcam.xyz
0.0.0.0 fl.gifcam.xyz
0.0.0.0 a.hdmodecam.live
0.0.0.0 b.hdmodecam.live
0.0.0.0 l.hdmodecam.live
0.0.0.0 vd.toobox.online
0.0.0.0 ve.toobox.online
0.0.0.0 vt.toobox.online
0.0.0.0 t1.twmills.xyz
0.0.0.0 t2.twmills.xyz
0.0.0.0 t3.twmills.xyz
0.0.0.0 api.odskguo.xyz
0.0.0.0 gbcf.odskguo.xyz
0.0.0.0 track.odskguo.xyz
# AhRat - see https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/
0.0.0.0 order.80876dd5.shop
# AhRat - b2c1517e4b0e0b3286a5cde06310b2277da7333f5ab3c2828f08272e3f85b260 - iRecorder - Screen Recorder_2.0_apkcombo.com.apk
0.0.0.0 config.unityads.unity3d.com
0.0.0.0 config.unityads.unitychina.cn
0.0.0.0 init.supersonicads.com
0.0.0.0 logs.supersonic.com
0.0.0.0 outcome-ssp.supersonicads.com
0.0.0.0 supersonicads.com
# uBlock telemetry endpoint - adblock-stats.js inside a01ff7dac823f3666e7f38527739802e5a7ce3cb539b6a390ca99d423b5c9779
# data sent even if telemetry is disabled
0.0.0.0 ublocker-chrome.com
# Cytrox Predator domains, see - https://citizenlab.ca/2023/09/predator-in-the-wires-ahmed-eltantawy-targeted-with-predator-spyware-after-announcing-presidential-ambitions/
0.0.0.0 almal-news.com
0.0.0.0 chat-support.support
0.0.0.0 cibeg.online
0.0.0.0 notifications-sec.com
0.0.0.0 wa-info.com
0.0.0.0 whatssapp.co
0.0.0.0 wts-app.info
0.0.0.0 sec-flare.com
0.0.0.0 verifyurl.me
0.0.0.0 c.betly.me
0.0.0.0 betly.me
0.0.0.0 web.whatssapp.co
0.0.0.0 whatspp.wa-info.com
0.0.0.0 notifications.wa-info.com
0.0.0.0 t-bit.me
# PEACHPIT and BADBOX, extended infrastructure (expansion by @craiu), see - https://www.humansecurity.com/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pdf
0.0.0.0 adbsc.flyermobi.com
0.0.0.0 adbsc.ikmytech.com
0.0.0.0 adbsdk.flyermobi.com
0.0.0.0 admin.dofunapps.com
0.0.0.0 ads.dofunapps.com
0.0.0.0 ads.flyermobi.com
0.0.0.0 apkcar.com
0.0.0.0 ats.flyermobi.com
0.0.0.0 ats.ikmytech.com
0.0.0.0 cbphe.com
0.0.0.0 cbpheback.com
0.0.0.0 dcylog.com
0.0.0.0 flyermobi.com
0.0.0.0 n1.flyermobi.com
0.0.0.0 sdk.dofunapps.com
0.0.0.0 www.apkcar.com
0.0.0.0 www.flyermobi.com
0.0.0.0 ycxrl.com
0.0.0.0 ymex.apkcar.com
0.0.0.0 ymlog.apkcar.com
0.0.0.0 ymsdk.apkcar.com