# Various telemetry endpoints (hosts and domains) used by mobile location tracking libraries
# Contact: mobiletrackers [at] protonmail.ch
#
# Version 1.44 - 2023-10-05
#
# xmodesocial - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
127.0.0.1 bin5y4muil.execute-api.us-east-1.amazonaws.com
# unknown, possibly xmodesocial - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
127.0.0.1 8balwalz1i.execute-api.us-east-2.amazonaws.com
# unknowns - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
127.0.0.1 api.smartechmetrics.com
127.0.0.1 ck-running-apps-700f1.firebaseio.com
127.0.0.1 pie.wirelessregistry.com
# unknowns - 010f7bb33f35cc650b7d6104b07102eb0dbaf79bcec1f1c6255fdcaffefe6b68 - com.davidsukhin.com.sukhin.snowdaycalculator.SnowDay
# URLs below stored as base64 and encrypted xor 0x09 ->
127.0.0.1 udata.elephantdata.net
127.0.0.1 atb.bearclod.com
#pDNS data for the IPs associated with atb.bearclod.com ->
127.0.0.1 alb.bearclod.com
127.0.0.1 aly.bearclod.com
127.0.0.1 alz.bearclod.com
127.0.0.1 bivitis.bearclod.com
127.0.0.1 brt.bearclod.com
127.0.0.1 brul.bearclod.com
127.0.0.1 hfstat.bearclod.com
127.0.0.1 hkn01.bearclod.com
127.0.0.1 ply.bearclod.com
127.0.0.1 zoo.bearclod.com
# crashlytics - 4711634730d5367756bba4d776d846b01b8d0373336ea877a2c20b1da0a95477 - com.sgiggle.production_5.2.229629_1538560344.apk
127.0.0.1 settings.crashlytics.com
127.0.0.1 e.crashlytics.com
# starbolt - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
127.0.0.1 sdk.starbolt.io
127.0.0.1 dmp.starbolt.io
127.0.0.1 devices.starbolt.io
# sense360 ? - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
127.0.0.1 android-quinoa-config-prod.sense360eng.com
127.0.0.1 survey-notify-event.sense360eng.com
127.0.0.1 quinoa-personal-identify-prod.sense360eng.com
# appmeasurement - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
127.0.0.1 app-measurement.com
# newrelic - 2d4c9c037db43704f52968c9c363cbdf382cbb6a4b9143825f6e8b523b7c0c01 - com.crowdcompass.appmQaIam3e7C.apk
127.0.0.1 mobile-collector.newrelic.com
127.0.0.1 mobile-crash.newrelic.com
# Xiao mi related telemetry endpoints - see https://twitter.com/hookgab/status/1255859289945780225
127.0.0.1 data.mistat.india.xiaomi.com
127.0.0.1 data.mistat.intl.xiaomi.com
127.0.0.1 data.mistat.rus.xiaomi.com
127.0.0.1 tracking.rus.miui.com
127.0.0.1 tracking.intl.miui.com
127.0.0.1 tracking.india.miui.com
# from https://twitter.com/cybergibbons/status/1256703550954057729
127.0.0.1 sa.api.intl.miui.com
127.0.0.1 sa.api.india.miui.com
127.0.0.1 sa.api.rus.miui.com
# new xmodesocial - from https://mobile.twitter.com/guardianiosapp/status/1262545645941874689
127.0.0.1 api.myendpoint.io
# aggressive advertisers - https://securelist.com/in-app-advertising-in-android/97065/
# 1eeda6306a2b12f78902a1bc0b7a7961 – com.android.ggtoolkit_tw_xd
# 134283b8efedc3d7244ba1b3a52e4a92  – com.xprodev.cutcam
# 3aba867b8b91c17531e58a9054657e10 – com.powerd.cleaner
127.0.0.1 ti.domainforlite.com
127.0.0.1 uu.domainforlite.com
# pDNS resolutions for uu.domainforlite.com, hosting on 47.252.80.195
127.0.0.1 adserver.hahamobi.com
127.0.0.1 analytics.hahamobi.com
127.0.0.1 analytics.salmonads.com
127.0.0.1 api.salmonads.com
127.0.0.1 dat.funheroic.com
127.0.0.1 lg.luckyforworlds.com
127.0.0.1 lg.requestads.com
127.0.0.1 lg.smardroid.com
127.0.0.1 log.adywind.com
127.0.0.1 log.mobpowertech.com
127.0.0.1 net.hahamobi.com
127.0.0.1 net.salmonads.com
127.0.0.1 us01.salmonads.com
# mobile ads, 2020-07-07, additions from https://securelist.com/pig-in-a-poke-smartphone-adware/97607/
127.0.0.1 www.ywupscsff.com
127.0.0.1 www.mzeibiyr.com
127.0.0.1 i151125.infourl.net
127.0.0.1 www.jueoxdr.com
127.0.0.1 ufz.doesxyz.com
127.0.0.1 htapi.getapiv8.com
127.0.0.1 stable.icecyber.org
127.0.0.1 404mobi.com
127.0.0.1 51ginkgo.com
127.0.0.1 lbjg7.com
127.0.0.1 bigdata800.com
127.0.0.1 apd1.warnlog.com
127.0.0.1 apd1.thunup.com
# mintegral, 2020-08-30, described at: https://snyk.io/research/sour-mint-malicious-sdk/
127.0.0.1 n.systemlog.me
127.0.0.1 setting.rayjump.com
127.0.0.1 analytics.rayjump.com
# from pDNS on n.systemlog.me ->
127.0.0.1 net.cleverjp.com
# from fake NEXTALIVE (moonfair) application - https://www.zdnet.com/article/google-removes-android-app-that-was-used-to-spy-on-belarusian-protesters/
127.0.0.1 arcpi.nextialive.roimaster.site
127.0.0.1 api.nextialive.roimaster.site
127.0.0.1 ws.nextialive.roimaster.site
127.0.0.1 nextialive.roimaster.site
127.0.0.1 api.dev.chat.roimaster.site
127.0.0.1 dev.chat.roimaster.site
# Joker download URLs / hosts as described by ZScaler - https://www.zscaler.com/blogs/security-research/joker-playing-hide-and-seek-google-play
127.0.0.1 2j1i9uqw.oss-eu-central-1.aliyuncs.com
127.0.0.1 blackdragon03.oss-ap-southeast-5.aliyuncs.com
127.0.0.1 blackdragon.oss-ap-southeast-5.aliyuncs.com
127.0.0.1 fgcxweasqw.oss-eu-central-1.aliyuncs.com
127.0.0.1 jk8681oy.oss-eu-central-1.aliyuncs.com
127.0.0.1 laodaoo.oss-ap-southeast-5.aliyuncs.com
127.0.0.1 n47n.oss-ap-southeast-5.aliyuncs.com
127.0.0.1 nineth03.oss-ap-southeast-5.aliyuncs.com
127.0.0.1 proxy48.oss-eu-central-1.aliyuncs.com
127.0.0.1 rinimae.oss-ap-southeast-5.aliyuncs.com
127.0.0.1 sahar.oss-us-east-1.aliyuncs.com
# Cerberus C2s as described by BitDefender - https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/
127.0.0.1 2fapass.club
127.0.0.1 androidradio.life
127.0.0.1 downdating.club
127.0.0.1 fitnessstrategy.xyz
127.0.0.1 groovefitness.xyz
127.0.0.1 loversfinder.xyz
127.0.0.1 positivefitness.club
127.0.0.1 safeyourdata.xyz
127.0.0.1 sport4ever.club
127.0.0.1 vipyoga.today
127.0.0.1 weatherclub.club
127.0.0.1 yoga4u.xyz
# unknown (?) telemetry receiving endpoints from:
# 066de93f181e9cbcb8611c675bbcb0fc - com.speedcamera.detector.radar.detector.direction
127.0.0.1 yqchpwxvbg.execute-api.us-east-1.amazonaws.com
127.0.0.1 pn8sm7rjuc.execute-api.us-east-1.amazonaws.com
# venntel / gravy analytics from https://github.com/sociam/PROWISH/blob/master/data/200appsdynamic.csv
# venntel / gravy analytics from https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf
# gravy analytics docs - http://developers.findgravy.com/products/gold-api/docs/index2.html
127.0.0.1 api.findgravy.com
127.0.0.1 nwzhmwux-api.findgravy.com
127.0.0.1 zmq5ytc1-api.findgravy.com
127.0.0.1 mtm1nwmx-api.findgravy.com
127.0.0.1 gravyanalytics.com
# 51ec8159efb88a852005b94f0fd9891016b75f4b40d24608ee8a5c8d34826a3e - com.usatoday.android.news
127.0.0.1 ws.findgravy.com
127.0.0.1 api.foozor.com
127.0.0.1 testapi.foozor.com
# potentially related hosts on top of findgravy.com
127.0.0.1 img01.findgravy.com
127.0.0.1 img02.findgravy.com
127.0.0.1 img03.findgravy.com
127.0.0.1 img04.findgravy.com
# 51ec8159efb88a852005b94f0fd9891016b75f4b40d24608ee8a5c8d34826a3e - com.usatoday.android.news
127.0.0.1 pushapi.localytics.com
127.0.0.1 analytics.localytics.com
127.0.0.1 profile.localytics.com
# cuebiq location sdk from ->
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
127.0.0.1 in.cuebiq.com
127.0.0.1 ingestion-api.kiwi.sand.cuebiq.ai
# nodle.io sdk from ->
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
127.0.0.1 dev.nodle.io
127.0.0.1 us-central1-production-242307.cloudfunctions.net
# unknown sdk from 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass possibly xmode related
# more crashlytics hosts from 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
127.0.0.1 firebase-settings.crashlytics.com
127.0.0.1 update.crashlytics.com
127.0.0.1 reports.crashlytics.com
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass ->
127.0.0.1 pixelprose.fr
# appsflyer from b8ce13566a048108b4321f5277e4d95a5d5743da4f082fbca30074439acf5a15 - com.unacademyapp
127.0.0.1 onelink.me
127.0.0.1 onelnk.com
127.0.0.1 app.aflink.com
127.0.0.1 t.appsflyer.com
# other various telemetry endpoints (not necessarily location related) from from b8ce13566a048108b4321f5277e4d95a5d5743da4f082fbca30074439acf5a15 - com.unacademyapp
127.0.0.1 api.mixpanel.com
127.0.0.1 decide.mixpanel.com
127.0.0.1 cdn.optimizely.com
127.0.0.1 logx.optimizely.com
127.0.0.1 outline.truecaller.com
127.0.0.1 api4.truecaller.com
127.0.0.1 c.webengage.com
127.0.0.1 p.webengage.com
127.0.0.1 api.branch.io
127.0.0.1 bnc.lt
127.0.0.1 cdn.branch.io
127.0.0.1 js.intercomcdn.com
127.0.0.1 mobile-sdk-api.intercom.io
# Clevertap's wzrkt.com - also see https://twitter.com/fs0c131y/status/977267255309463554
127.0.0.1 wzrkt.com
127.0.0.1 in.wzrkt.com
# subdomains from wzrkt.com - https://subdomainfinder.c99.nl/scans/2020-04-19/wzrkt.com
127.0.0.1 api.wzrkt.com
127.0.0.1 cb.wzrkt.com
127.0.0.1 eu1-spiky.wzrkt.com
127.0.0.1 eu1.alb.wzrkt.com
127.0.0.1 eu1.wzrkt.com
127.0.0.1 in.cb.wzrkt.com
127.0.0.1 in1-spiky.wzrkt.com
127.0.0.1 in1.alb.wzrkt.com
127.0.0.1 in1.wzrkt.com
127.0.0.1 sg1-spiky.wzrkt.com
127.0.0.1 sg1.cb.wzrkt.com
127.0.0.1 sg1.wzrkt.com
127.0.0.1 sk1-spiky.wzrkt.com
127.0.0.1 sk1-staging-1.wzrkt.com
127.0.0.1 sk1-staging-10.wzrkt.com
127.0.0.1 sk1-staging-2.wzrkt.com
127.0.0.1 sk1-staging-3.wzrkt.com
127.0.0.1 sk1-staging-4.wzrkt.com
127.0.0.1 sk1-staging-5.wzrkt.com
127.0.0.1 sk1-staging-6.wzrkt.com
127.0.0.1 sk1-staging-7.wzrkt.com
127.0.0.1 sk1-staging-8.wzrkt.com
127.0.0.1 sk1-staging-9.wzrkt.com
127.0.0.1 sk1.wzrkt.com
127.0.0.1 us1-spiky.wzrkt.com
127.0.0.1 us1.cb.wzrkt.com
127.0.0.1 us1.wzrkt.com
# from cb9f6bb72a9766ba8c805c25769b47c46751052706bb41ed333db0b42cd586ff - 	com.byjus.thelearningapp
# also see https://digitalwatchdog.org/wp-content/uploads/2020/09/IDAC-Ed-Tech-Report_AppendixB_SensitiveData.pdf
127.0.0.1 api.tllms.com
127.0.0.1 marketing.tllms.com
# from 09f5bcadde3351eb3f509f5a471cbd7bb00536292da560bcf8ee59eb73116f00 - luo.speedometergps
# teragence ->
127.0.0.1 control.teragence.net
127.0.0.1 pfsense02-01.is-61194.teragence.net
# tutela ->
127.0.0.1 upload-tutelawest.s3-accelerate.amazonaws.com
127.0.0.1 reporting-util.tutelatechnologies.com
127.0.0.1 hail-reporting.tutelatechnologies.com
127.0.0.1 thepopulator.tutelatechnologies.com
# huq (also from 9c53a29a7e6a871f57b20097185a09afd2ff818455a42792d502f1eb8f2e3679) ->
127.0.0.1 api.huqindustries.co.uk
127.0.0.1 report.huqindustries.co.uk
127.0.0.1 charles.huqindustries.co.uk
# IOCs from https://www.whiteops.com/blog/somewhere-over-the-rainbowmix
127.0.0.1 api.pythonexample.com
# Predicio - from Funny Weather - pl.lawiusz.funnyweather.release.apk - 6d23151e69a57f67111d4969594316576577ae8a2015aff336ab6ef0fb2a07b4
# see https://www.vice.com/en/article/epdpdm/ice-dhs-fbi-location-data-venntel-apps
127.0.0.1 sdk.predic.io
# Kinesis endpoint from Funny Weather:
127.0.0.1 kinesis.ap-southeast-1.amazonaws.com
# Complementics endpoints from 4ba50272718c95af20940912c7968410d797fbc07dcce2bad8183b94887b0ab4
127.0.0.1 sdk-as.complementics.com
127.0.0.1 static.complementics.com
# Goontact from https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail
127.0.0.1 redvios.com
127.0.0.1 v-talk.top
127.0.0.1 v-talk.vip
127.0.0.1 ladysizi.top
127.0.0.1 mmbox.top
127.0.0.1 oncamera.top
127.0.0.1 oncast.top
127.0.0.1 mimibox.top
127.0.0.1 voicecontrol.top
127.0.0.1 signaltalk.top
127.0.0.1 oncamera.vip
127.0.0.1 dalbam.vip
127.0.0.1 mimimsg.net
127.0.0.1 signal-live.vip
127.0.0.1 tele-gram.vip
127.0.0.1 vtalk.vip
127.0.0.1 a-video.vip
127.0.0.1 livetalk.vip
127.0.0.1 livetalk.top
127.0.0.1 download-file.top
127.0.0.1 grd77.cn
127.0.0.1 mimicwt.net
127.0.0.1 super-voice.vip
127.0.0.1 mimi18s.top
127.0.0.1 momomsg.top
127.0.0.1 live-live.vip
127.0.0.1 zerobyte.top
127.0.0.1 zerobt.net
127.0.0.1 w-video.vip
127.0.0.1 ser-chat.com
127.0.0.1 tocast.vip
127.0.0.1 videosound.vip
127.0.0.1 twi-tter.vip
127.0.0.1 my-player.vip
127.0.0.1 voicesupport.vip
# Joker from https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/
127.0.0.1 gd-1301476296.cos.na-toronto.myqcloud.com
# Related to: https://github.com/greatsuspender/thegreatsuspender/issues/1175
# and: https://www.theregister.com/2021/01/07/great_suspender_malware/
127.0.0.1 cdn.owebanalytics.com
127.0.0.1 static.trckingbyte.com
127.0.0.1 static.trckpath.com
127.0.0.1 static.privacytrck.com
127.0.0.1 rctphvxwnjhx.pw
127.0.0.1 hanstrackr.com
# Postlo spyware - https://twitter.com/ESETresearch/status/1374889857403785218?s=20
127.0.0.1 api.mainrepo.org
# EvilEye malware C2s mentioned at https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/
127.0.0.1 anayurt.net
127.0.0.1 apkprue.info
127.0.0.1 geo2ipapi.org
127.0.0.1 gotossl.ml
127.0.0.1 icptime.com
127.0.0.1 istiqlaihaber.com
127.0.0.1 misran.org
127.0.0.1 newyorkingsite.com
127.0.0.1 playgoog1e.com
127.0.0.1 preservtyg.com
127.0.0.1 sslportservices.com
127.0.0.1 strunhvgpk.com
127.0.0.1 uhtpuerdfbnm.com
127.0.0.1 uyghur-news.com
127.0.0.1 uyghur-soft-market.com
127.0.0.1 uyghurhaber.com
127.0.0.1 www.apkhl.pw
127.0.0.1 apkhl.pw
127.0.0.1 www.apkpure.bz
127.0.0.1 apkpure.bz
# Xcodespy - https://labs.sentinelone.com/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/
127.0.0.1 www.liveupdate.cc
127.0.0.1 www.appmarket.co
127.0.0.1 www.recentnews.cc
127.0.0.1 www.truckrental.cc
127.0.0.1 www.everestnote.com
127.0.0.1 www.alinbox.co
127.0.0.1 www.suppro.co
# APKPure compromise by Triada malware - https://securelist.com/apkpure-android-app-store-infected/101845/
127.0.0.1 wcf.seven1029.com
127.0.0.1 foodin.site
# Triada from https://securelist.com/triada-trojan-in-whatsapp-mod/103679/
# Trojan.AndroidOS.Triada.ef b1aa5d5bf39fee0b1e201d835e4dc8de
127.0.0.1 t1k22.c8xwor.com
127.0.0.1 dgmxn.c8xwor.com
# Tutela technologies - f9db002cbc6e5b6de37fb15aefaaf3934a700a7a2f9d5949f3cd6bb8c7dfc1bc - org.speedspot.speedanalytics
127.0.0.1 reporting.tutelatechnologies.com
127.0.0.1 video-url.tutelatechnologies.com
127.0.0.1 d3clybje3sun07.cloudfront.net
# speedspot - reports GPS location, other data - SpeedtestResultViews.java - inside f9db002cbc6e5b6de37fb15aefaaf3934a700a7a2f9d5949f3cd6bb8c7dfc1bc
127.0.0.1 api.speedspot.org
127.0.0.1 www.speedcheck.org
127.0.0.1 net.etrality.com
127.0.0.1 a2.etrality.com
127.0.0.1 a1.etrality.com
127.0.0.1 c4.etrality.com
127.0.0.1 b3.etrality.com
127.0.0.1 c3.etrality.com
127.0.0.1 b2.etrality.com
127.0.0.1 c2.etrality.com
127.0.0.1 b1.etrality.com
127.0.0.1 c1.etrality.com
127.0.0.1 wpc.a3cd.edgecastcdn.net
127.0.0.1 speedspot.speedspot.netdna-cdn.com
127.0.0.1 www.speedspot5.com
127.0.0.1 www.speedspot1.com
127.0.0.1 www.speedspot7.com
127.0.0.1 www.speedspot2.com
127.0.0.1 www.speedspot3.com
127.0.0.1 www.speedspot4.com
127.0.0.1 www.speedspot6.com
#Kochava endpoints, from rugabunda https://beta.pithus.org/report/844aa271ef47f7807ab3ccc63952e2215298701a6851857c22456317927f08fd
127.0.0.1 co.akisinn.info
127.0.0.1 co.dewrain.life
127.0.0.1 co.vaicore.site
127.0.0.1 co.vaicore.xyz
127.0.0.1 int.akisinn.info
127.0.0.1 int.akisinn.me
127.0.0.1 int.akisinn.site
127.0.0.1 int.dewrain.life
127.0.0.1 int.dewrain.site
127.0.0.1 int.dewrain.world
127.0.0.1 int.vaicore.site
127.0.0.1 int.vaicore.store
127.0.0.1 int.vaicore.xyz
127.0.0.1 int.vlancaa.site
127.0.0.1 int.vlancaa.fun
127.0.0.1 tok.vaicore.xyz
127.0.0.1 vaicore.xyz
127.0.0.1 web.ab-salute.com
127.0.0.1 smart.link
# Adeco and inappertising - see https://www.occrp.org/en/investigations/how-a-russian-mobile-app-developer-recruited-phones-into-a-secret-ad-watching-robot-army
# Ultimate-Mortal-Kombat-3-v1-1.apk - https://www.virustotal.com/gui/file/dc078b004830ff03a27371bbc1c4a7b5882d5a0fb577a8477c09e8b3bfe0d6d3/details
127.0.0.1 cfg.inappertising.org
127.0.0.1 stats.inappertising.org
127.0.0.1 app-stats.net2share.com
127.0.0.1 s.net2share.com
127.0.0.1 adeco.adecosystems.com
127.0.0.1 dd.adecosystems.com
# GriftHorse Android from - https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/
127.0.0.1 hotofecro.com
127.0.0.1 alaiblompass.com
127.0.0.1 heartratteandpulsetracker.com
127.0.0.1 icoonectedtrack.com
127.0.0.1 ospocatracker.com
127.0.0.1 laalaslirayeblection.com
127.0.0.1 iblompass.com
127.0.0.1 smalllcalllrecorder.com
127.0.0.1 anguaganslatast.com
127.0.0.1 oroscopemestry.com
127.0.0.1 blompascator.com
127.0.0.1 leunoon.com
127.0.0.1 arindocation.com
127.0.0.1 rooitor.com
127.0.0.1 mychattranslator.club
127.0.0.1 rulapptoplan.com
127.0.0.1 rportranslator.com
127.0.0.1 muslimasauda.com
127.0.0.1 martpolocator.com
127.0.0.1 wfupppx.com
127.0.0.1 scandocnotes.com
127.0.0.1 freecoupon21.com
127.0.0.1 ponyvideochat.com
127.0.0.1 ludamec.com
127.0.0.1 chat-transa.com
127.0.0.1 soulscanneryh.com
127.0.0.1 d3cameraplan.com
127.0.0.1 qibla-ultima.com
127.0.0.1 zoofanimalm.com
127.0.0.1 ciaolvc.com
127.0.0.1 heartrateproxhealthmonitor.com
127.0.0.1 bus-metrolis.com
127.0.0.1 truck-rouddrive.com
127.0.0.1 locatinfind.com
127.0.0.1 camerdentifier.com
127.0.0.1 locatorqiafindlocation.com
127.0.0.1 cocachar.com
127.0.0.1 squishyp.com
127.0.0.1 antranslaro.com
127.0.0.1 ftphotom.com
127.0.0.1 lockul.com
127.0.0.1 fingerprihanger.com
127.0.0.1 locatorshar.com
127.0.0.1 kfcwsa.com
127.0.0.1 gpsphonuetrackerfamilylocator.com
127.0.0.1 cailrecorder.com
127.0.0.1 tqiblacompas.com
127.0.0.1 kvprojectop.com
127.0.0.1 pikchoeditor.com
127.0.0.1 streetprocarsracingss.com
127.0.0.1 nemaeovies.com
127.0.0.1 aecodero.com
127.0.0.1 ivlewepapallrbkragonucd.com
127.0.0.1 heartrateandmealtracker.com
127.0.0.1 phonecontrolblockspamcalls.com
127.0.0.1 etcotater.com
127.0.0.1 canopoument.com
127.0.0.1 locxfindxlocx.com
127.0.0.1 mnesytrlatr.com
127.0.0.1 huntcontactz.com
127.0.0.1 intelgenttran.com
127.0.0.1 facenalyer.com
127.0.0.1 fnbdeiegpslocoiatntcrkaer.com
127.0.0.1 trcalluecodr.com
127.0.0.1 qrreaderpro.com
127.0.0.1 itranstxtvoicepht.com
127.0.0.1 qiberiblaon.com
127.0.0.1 iconylc.com
127.0.0.1 lsepeanitor.com
127.0.0.1 fxkwboard.com
127.0.0.1 dehcoveanager.com
127.0.0.1 tickeakhatsp.com
127.0.0.1 phoneboster.com
127.0.0.1 phonfinbyclap.com
127.0.0.1 aralaper.com
127.0.0.1 qibdirctiowa.com
127.0.0.1 islsrickers.com
127.0.0.1 feartranslator.com
127.0.0.1 vpnzfep.com
127.0.0.1 snaplens-pt.com
127.0.0.1 qiblassirection.com
127.0.0.1 easyvshow.com
127.0.0.1 qibla-quran.com
127.0.0.1 qrcodesscan.com
127.0.0.1 hoolives.com
127.0.0.1 burivingsim.com
127.0.0.1 coupongiftsnstashop.com
127.0.0.1 fingdefend.com
127.0.0.1 projectormp.com
127.0.0.1 forzahmobile.com
127.0.0.1 artateulseonitor.com
127.0.0.1 sslasmr.com
127.0.0.1 bagscaner.com
127.0.0.1 phonecallerscreen.com
127.0.0.1 datingappswmt.com
127.0.0.1 lifeel-scan.com
127.0.0.1 colorizerset.club
127.0.0.1 expresscreditcash.com
127.0.0.1 ccallerx.com
127.0.0.1 transatitonneap.com
127.0.0.1 lasouncherio.com
127.0.0.1 claptfindzmphone.com
127.0.0.1 mirrorscreencasttvv.com
127.0.0.1 ircleocatinder.com
127.0.0.1 mobleingsder.com
127.0.0.1 proocallerr.com
127.0.0.1 frecalwolwid.com
127.0.0.1 allelpcoonmber.com
127.0.0.1 faspulhearratmoni.com
127.0.0.1 fincconttact.com
127.0.0.1 uncherdroid.com
127.0.0.1 iveilembercker.com
127.0.0.1 lepamcker.com
127.0.0.1 lockaaocker.com
127.0.0.1 onarchbylap.com
127.0.0.1 secontranslatpr.com
127.0.0.1 tgscontakcs.com
127.0.0.1 callwhozdine.com
127.0.0.1 perargero.com
127.0.0.1 mylocatorplus.club
127.0.0.1 comclap.club
127.0.0.1 callerids.club
127.0.0.1 instantspeechtranslation.club
127.0.0.1 photoeditorbest.club
127.0.0.1 piction.club
127.0.0.1 driveriders.club
127.0.0.1 skycoachgg.club
127.0.0.1 ffitnesstrainer.club
127.0.0.1 racerscardriver.club
127.0.0.1 fitnessdias.club
127.0.0.1 meetingonlinechat.club
127.0.0.1 fitnessgymup.club
127.0.0.1 editsbackground.club
127.0.0.1 cutcutpro.club
127.0.0.1 drivingexpiriencesimulator.club
127.0.0.1 clipbuddy.club
127.0.0.1 horoscopefortune.club
127.0.0.1 ludospeakeasy.club
127.0.0.1 fitnesspoint.club
127.0.0.1 wallvoluminousfourk.club
127.0.0.1 cvectorart.club
127.0.0.1 ludospeakv2.club
127.0.0.1 callrecordpro.club
127.0.0.1 carracer.club
127.0.0.1 slimesimulator.club
127.0.0.1 offroaderssurvive.club
127.0.0.1 lending-online.club
127.0.0.1 controlcenterios.club
127.0.0.1 streetracingg.club
127.0.0.1 checkheart.club
127.0.0.1 keyboardthemes.club
127.0.0.1 whatsmesticker.club
127.0.0.1 batterychargingeffect.club
127.0.0.1 luxoreditor.club
127.0.0.1 lionflix.club
127.0.0.1 amazingvideoeditor.club
127.0.0.1 zodiachand.club
127.0.0.1 zeusalmighty.club
127.0.0.1 pharaohsadventure.club
127.0.0.1 batterylivewallpaperhd.club
127.0.0.1 comqubla.club
127.0.0.1 safelock.club
127.0.0.1 heartrhythm.club
127.0.0.1 easybassbooster.club
127.0.0.1 comphotolab.club
# GriftHorse Second-Stage Domain
127.0.0.1 678ikmbtui.com
# GriftHorse Third-Stage Domains
127.0.0.1 safe-link.mobi
127.0.0.1 at.gogameportal.club
127.0.0.1 activate-your-account-now.com
127.0.0.1 continue-to-get-content-now.com
127.0.0.1 your-access-here.com
127.0.0.1 app.buenosocial.club
127.0.0.1 join.crazymob.co
127.0.0.1 vl.denrok.space
127.0.0.1 www.timpromos.com.br
127.0.0.1 campaignmanager.fun.moobig.com
127.0.0.1 get-your-access-now.com
127.0.0.1 v.mobzones.com
127.0.0.1 mt2-sdp4.mt-2.co
127.0.0.1 go.whatabookmark.com
127.0.0.1 lp.shoopadoo.com
127.0.0.1 es.mobiplus.me
127.0.0.1 af.to.123games.club
127.0.0.1 be.startdownload.mobi
127.0.0.1 za.startdownload.mobi
127.0.0.1 n.appspool.net
127.0.0.1 wap.trend-tech.net
127.0.0.1 fr.chillaxgames.mobi
127.0.0.1 tracking.hexilo.com
# Suspected GriftHorse from pDNS 	185.255.179.131 / 185.255.179.132 ->
127.0.0.1 1g7kvrv.xyz
127.0.0.1 2fnoqifq.com
127.0.0.1 2g8cvdii.com
127.0.0.1 2oafxcbq.xyz
127.0.0.1 5rfvbnji9.com
127.0.0.1 7lc6jc.xyz
127.0.0.1 7nvdx0.xyz
127.0.0.1 8sghnct.xyz
127.0.0.1 berf4o.xyz
127.0.0.1 blfnf9y.com
127.0.0.1 brlyp4pg.com
127.0.0.1 chulahfi.xyz
127.0.0.1 cmvkvncsse.xyz
127.0.0.1 cophico.pw
127.0.0.1 cwkjravqsj.xyz
127.0.0.1 dhfvbsihjf.com
127.0.0.1 dsfhskln.com
127.0.0.1 eksndtpf.org
127.0.0.1 emraiyz.xyz
127.0.0.1 eok8wd5v.net
127.0.0.1 erbfzk.com
127.0.0.1 ersokbkj.com
127.0.0.1 fdfjhks.com
127.0.0.1 ffnbafc.xyz
127.0.0.1 hrvxkxq.xyz
127.0.0.1 il0baz.com
127.0.0.1 jduzuyd.com
127.0.0.1 jsdfbhsa.com
127.0.0.1 jydfoafcaf.xyz
127.0.0.1 kgr0aixa.xyz
127.0.0.1 krkmyvlmdg.xyz
127.0.0.1 lgdzbch.com
127.0.0.1 liahkhe.xyz
127.0.0.1 lljmbbk.com
127.0.0.1 lmbbnrhiuj.xyz
127.0.0.1 lwvurdsjk.org
127.0.0.1 lxghjoxzns.com
127.0.0.1 mnfbodivbv.com
127.0.0.1 mt5vsuf1.net
127.0.0.1 nfrmg1y.xyz
127.0.0.1 nwluoodzct.xyz
127.0.0.1 ocheyhv.xyz
127.0.0.1 okjojihgv.com
127.0.0.1 olimob.net
127.0.0.1 ortn13der.xyz
127.0.0.1 poiuwhejgr.com
127.0.0.1 pwtgnp.pw
127.0.0.1 qtwjhuj.com
127.0.0.1 rfjdhxbz.com
127.0.0.1 sjkfsdkg.com
127.0.0.1 trfvbnji7.com
127.0.0.1 urtyhfds.com
127.0.0.1 v9czaci.xyz
127.0.0.1 vortnomade.net
127.0.0.1 w9x7itu.xyz
127.0.0.1 www.mnfbodivbv.com
127.0.0.1 www.okjojihgv.com
127.0.0.1 y0vvbm.xyz
127.0.0.1 yq0z3d.xyz
# additional suspected GriftHorse from pDNS - 2021-10-21
127.0.0.1 down.tracksz.co
127.0.0.1 go.creativemobilemarketing.com
127.0.0.1 go.fastfinderworld.com
127.0.0.1 go.grandprizewinners.com
127.0.0.1 go.interlinkinternet.com
127.0.0.1 go.protectyoursearch.com
127.0.0.1 go.trackitalltheway.com
127.0.0.1 go.trackiteazy.com
127.0.0.1 go.watchwiser.com
# TangleBot domains, research based on - https://www.cloudmark.com/en/blog/mobile/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19
127.0.0.1 covid19-ca.link
127.0.0.1 hydro-ca.link
127.0.0.1 sock.godforgiveuss.live
127.0.0.1 sock.hhhhrkanandda.xyz
127.0.0.1 sock.nmnmnmfsamsfan.xyz
127.0.0.1 socktest.ankatras.xyz
127.0.0.1 vaccine-appointment.link
# Donot / Origami Elephant / APT-C-35 IOCs from Amnesty - https://github.com/AmnestyTech/investigations/blob/master/2021-10-07_donot/domains.txt
127.0.0.1 bulk.fun
127.0.0.1 apkv5.ppadaolnwod.xyz
127.0.0.1 apkv6.endurecif.top
127.0.0.1 getelements.xyz
127.0.0.1 fiddaz.club
127.0.0.1 lif0.top
127.0.0.1 fif0.top
127.0.0.1 chipp.pw
127.0.0.1 mimestyle.xyz
127.0.0.1 mangasiso.top
127.0.0.1 and.retardrattle.website
127.0.0.1 help.domainoutlet.site
127.0.0.1 whynotworkonit.top
127.0.0.1 spectronet.pw
127.0.0.1 full.naturalpercent.life
127.0.0.1 mimeversion.top
127.0.0.1 rythemsjoy.club
127.0.0.1 lowlight.xyz
127.0.0.1 inapturst.top
127.0.0.1 auth.forwardtoken.website
127.0.0.1 accounts.loginshare.info
127.0.0.1 seahome.top
127.0.0.1 imageview.xyz
127.0.0.1 flickry.xyz
127.0.0.1 apkv2.qwertykeypad.host
127.0.0.1 userauthen.pw
127.0.0.1 join.officeframe.work
127.0.0.1 zumba.tampotrust.agency
127.0.0.1 image.loadingmessage.info
# AbstractEmu hosts from https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign
127.0.0.1 jobs.illaewinstralinc.com
127.0.0.1 outline.abunddhighett.com
127.0.0.1 tags.illaryboucnc.com
127.0.0.1 cloud.nathompsstra.com
127.0.0.1 store.dianmpsoathom.com
127.0.0.1 fluency.ryboucoathom.com
127.0.0.1 csa.naaronegya.com
127.0.0.1 tips.ghetaldhighe.com
127.0.0.1 color.joarteauxelb.com
# Cynos hosts from https://vms.drweb.com/virus/?i=24972842 - 46bc4c6c87fcb519a8f315c0010b949d682ac3abee62b33bd624b251a3521b19
127.0.0.1 dns1.sdkbalance.com
127.0.0.1 dns2.sdkbalance.com
127.0.0.1 dns3.sdkbalance.com
127.0.0.1 sdk.sdkbalance.com
127.0.0.1 mg.sdkbalance.com
# PhoneSpy hosts from https://blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/ and pDNS related
127.0.0.1 acd.kcpro.ga
127.0.0.1 aki.kcpro.ga
127.0.0.1 arr.kcpro.tk
127.0.0.1 b.freespy1.ml
127.0.0.1 b.freespy1.tk
127.0.0.1 c.freespy1.ml
127.0.0.1 c.freespy1.tk
127.0.0.1 cef.kcpro.tk
127.0.0.1 cfs.kcpro.ga
127.0.0.1 d.freespy1.ml
127.0.0.1 d.freespy1.tk
127.0.0.1 dto.kcpro.ga
127.0.0.1 e.freespy1.ml
127.0.0.1 ejn.kcpro.ga
127.0.0.1 ern.kcpro.ga
127.0.0.1 f.freespy1.ml
127.0.0.1 f.freespy1.tk
127.0.0.1 freespy.cf
127.0.0.1 g.freespy1.ml
127.0.0.1 g.freespy1.tk
127.0.0.1 h.freespy1.ml
127.0.0.1 h.freespy1.tk
127.0.0.1 hxg.kcpro.ga
127.0.0.1 i.freespy1.ml
127.0.0.1 i.freespy1.tk
127.0.0.1 j.freespy1.ml
127.0.0.1 j.freespy1.tk
127.0.0.1 k.freespy1.ml
127.0.0.1 k.freespy1.tk
127.0.0.1 koreavopi.kro.kr
127.0.0.1 l.freespy1.ml
127.0.0.1 l.freespy1.tk
127.0.0.1 m.freespy1.ml
127.0.0.1 m.freespy1.tk
127.0.0.1 mda.kcpro.ga
127.0.0.1 mgo.kcpro.ga
127.0.0.1 n.freespy1.ml
127.0.0.1 n.freespy1.tk
127.0.0.1 o.freespy1.ml
127.0.0.1 o.freespy1.tk
127.0.0.1 oso.kcpro.ga
127.0.0.1 p.freespy1.ml
127.0.0.1 p.freespy1.tk
127.0.0.1 pql.kcpro.ga
127.0.0.1 wvv.kcpro.ga
127.0.0.1 ydc.kcpro.ga
127.0.0.1 zqn.kcpro.ga
127.0.0.1 zsx.kcpro.ga
# https://blog.appcensus.io/2022/04/06/the-curious-case-of-coulus-coelib/
127.0.0.1 mobile.measurelib.com
127.0.0.1 measurelib.com
127.0.0.1 ami0wned.com
127.0.0.1 amiowned.com
127.0.0.1 arduous.work
127.0.0.1 attorney-client-privileged.com
127.0.0.1 attorney-client.org
127.0.0.1 attorneyclientprivileged.com
127.0.0.1 beachhackerspace.com
127.0.0.1 cloudwatchtower.com
127.0.0.1 consilio.lawyer
127.0.0.1 consiliolaw.com
127.0.0.1 darknetinfo.com
127.0.0.1 dataillusionist.com
127.0.0.1 easycalea.com
127.0.0.1 extremeexploits.com
127.0.0.1 extremeexploits.org
127.0.0.1 fraudpreventionsys.com
127.0.0.1 gleancorp.com
127.0.0.1 idme.org
127.0.0.1 indelibleblue.net
127.0.0.1 indelibleblueinc.net
127.0.0.1 internetcartography.com
127.0.0.1 internetcartography.net
127.0.0.1 internetcartography.org
127.0.0.1 littoralventures.com
127.0.0.1 marketinfo.tips
127.0.0.1 measurementsys.com
127.0.0.1 mxout.net
127.0.0.1 myaddress.today
127.0.0.1 ndagri.com
127.0.0.1 networkcartography.com
127.0.0.1 networkcartography.net
127.0.0.1 networkcartography.org
127.0.0.1 newdulcina.com
127.0.0.1 opensourcecontext.com
127.0.0.1 oppleman.org
127.0.0.1 oscontext.com
127.0.0.1 pathanalyzer.com
127.0.0.1 pathanalyzerpro.com
127.0.0.1 precise.fit
127.0.0.1 pwhois.net
127.0.0.1 pwhois.org
127.0.0.1 quietquell.com
127.0.0.1 trustcor.co
127.0.0.1 vbchs.com
127.0.0.1 vbchs.org
127.0.0.1 vbhacker.space
127.0.0.1 vbhackerspace.com
127.0.0.1 vbhackerspace.org
127.0.0.1 vostrom.ventures
127.0.0.1 whoisanalyzer.com
127.0.0.1 whoisanalyzerpro.com
127.0.0.1 mobile.fra2.measurelib.com
127.0.0.1 mobile.ams2.measurelib.com
# Telematicsdirect - from al-moazin-lite-prayer-times.apk - dcb56dc7b817dd65a1f5ebfe81cf36b85ad523990b8e4f69a4a1654d1cc8277c
127.0.0.1 nav.telematicsdirect.com
# SafeGraph / OpenLocate
# https://github.com/pablobaxter/openlocate-android
# https://www.vice.com/en/article/m7vymn/cdc-tracked-phones-location-data-curfews
127.0.0.1 api.safegraph.com
# daily-scratchers.apk / 22a80df1084af11129baef89bce0bafad0aaae41e58dc2bb6e7c27fd3f4bac49 /	me.actv8.tvwallet
127.0.0.1 actv8technologies.com
127.0.0.1 api-production-v4.actv8technologies.com
127.0.0.1 sonar.actv8technologies.com
# Joker - RelaxingMusicSootheYourBody_signed.apk - 14c35d1158cc47cfb605fdd686603b0929d38c046dce03fd6033fb8a31433798
127.0.0.1 novasdk.oss-cn-beijing.aliyuncs.com
# Joker - https://github.com/DoctorWebLtd/malware-iocs/tree/master/Android.Joker
# Note: domain offline since Feb 2022
127.0.0.1 ad.mobnv.com
# pDNS for 	161.117.252.102
127.0.0.1 app.mobnv.com
127.0.0.1 aff.fortunnecat.com
# WhatsApp mod distributed through legitimate apps:
# https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690/?utm_source=everyonesocial&utm_medium=partner&utm_campaign=us_NA-newsletter_en0177&utm_content=sm-post&utm_term=us_everyonesocial_organic_an17748oyfteksz&es_id=cfde1a3994
127.0.0.1 wa.zcnewy.com
127.0.0.1 av2wg.rt14v.com
127.0.0.1 g1790.rt14v.com
# xnspy - 578a880848bc52bed83b2be817a148187fde129cc8ad50db49630c0ebf59102c - xnspyappv2.apk
# https://techcrunch.com/2022/12/12/xnspy-stalkerware-iphone-android/
127.0.0.1 alert.xiz4me.com
127.0.0.1 asset.xiz4me.com
127.0.0.1 sync.xiz4me.com
127.0.0.1 xiz4me.com
127.0.0.1 mydwnd.com
127.0.0.1 brilliant-flame-585.firebaseio.com
127.0.0.1 brilliant-flame-585.appspot.com
# xnspy - 7e3930771370ed111cdb83397a04fa7ee89f1ea35b7f5306bb1522b82bc6d38d
127.0.0.1 sync.bk128.com
127.0.0.1 alert.bk128.com
127.0.0.1 asset.bk128.com
127.0.0.1 bk128.com
# xnspy - 9114e561c42ea19b183ef5d8a36e743f2b873874e43d805b11e3753035c7900d
127.0.0.1 true-truck-86810.firebaseio.com
127.0.0.1 true-truck-86810.appspot.com
# Fleckpe - from https://securelist.com/fleckpe-a-new-family-of-trojan-subscribers-on-google-play/109643/
127.0.0.1 ac.iprocam.xyz
127.0.0.1 ad.iprocam.xyz
127.0.0.1 ap.iprocam.xyz
127.0.0.1 b7.photoeffect.xyz
127.0.0.1 ba3.photoeffect.xyz
127.0.0.1 f0.photoeffect.xyz
127.0.0.1 m11.slimedit.live
127.0.0.1 m12.slimedit.live
127.0.0.1 m13.slimedit.live
127.0.0.1 ba.beautycam.xyz
127.0.0.1 f6.beautycam.xyz
127.0.0.1 f8a.beautycam.xyz
127.0.0.1 ae.mveditor.xyz
127.0.0.1 b8c.mveditor.xyz
127.0.0.1 d3.mveditor.xyz
127.0.0.1 fa.gifcam.xyz
127.0.0.1 fb.gifcam.xyz
127.0.0.1 fl.gifcam.xyz
127.0.0.1 a.hdmodecam.live
127.0.0.1 b.hdmodecam.live
127.0.0.1 l.hdmodecam.live
127.0.0.1 vd.toobox.online
127.0.0.1 ve.toobox.online
127.0.0.1 vt.toobox.online
127.0.0.1 t1.twmills.xyz
127.0.0.1 t2.twmills.xyz
127.0.0.1 t3.twmills.xyz
127.0.0.1 api.odskguo.xyz
127.0.0.1 gbcf.odskguo.xyz
127.0.0.1 track.odskguo.xyz
#AhRat - see https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/
127.0.0.1 order.80876dd5.shop
#AhRat - b2c1517e4b0e0b3286a5cde06310b2277da7333f5ab3c2828f08272e3f85b260 - iRecorder - Screen Recorder_2.0_apkcombo.com.apk
127.0.0.1 config.unityads.unity3d.com
127.0.0.1 config.unityads.unitychina.cn
127.0.0.1 init.supersonicads.com
127.0.0.1 logs.supersonic.com
127.0.0.1 outcome-ssp.supersonicads.com
127.0.0.1 supersonicads.com
# uBlock telemetry endpoint - adblock-stats.js  inside a01ff7dac823f3666e7f38527739802e5a7ce3cb539b6a390ca99d423b5c9779
# data sent even if telemetry is disabled
127.0.0.1 ublocker-chrome.com
# Cytrox Predator domains, see - https://citizenlab.ca/2023/09/predator-in-the-wires-ahmed-eltantawy-targeted-with-predator-spyware-after-announcing-presidential-ambitions/
127.0.0.1 almal-news.com
127.0.0.1 chat-support.support
127.0.0.1 cibeg.online
127.0.0.1 notifications-sec.com
127.0.0.1 wa-info.com
127.0.0.1 whatssapp.co
127.0.0.1 wts-app.info
127.0.0.1 sec-flare.com
127.0.0.1 verifyurl.me
127.0.0.1 c.betly.me
127.0.0.1 betly.me
127.0.0.1 web.whatssapp.co
127.0.0.1 whatspp.wa-info.com
127.0.0.1 notifications.wa-info.com
127.0.0.1 t-bit.me
# PEACHPIT and BADBOX, extended infrastructure (expansion by @craiu), see - https://www.humansecurity.com/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pdf
127.0.0.1 adbsc.flyermobi.com
127.0.0.1 adbsc.ikmytech.com
127.0.0.1 adbsdk.flyermobi.com
127.0.0.1 admin.dofunapps.com
127.0.0.1 ads.dofunapps.com
127.0.0.1 ads.flyermobi.com
127.0.0.1 apkcar.com
127.0.0.1 ats.flyermobi.com
127.0.0.1 ats.ikmytech.com
127.0.0.1 cbphe.com
127.0.0.1 cbpheback.com
127.0.0.1 dcylog.com
127.0.0.1 flyermobi.com
127.0.0.1 n1.flyermobi.com
127.0.0.1 sdk.dofunapps.com
127.0.0.1 www.apkcar.com
127.0.0.1 www.flyermobi.com
127.0.0.1 ycxrl.com
127.0.0.1 ymex.apkcar.com
127.0.0.1 ymlog.apkcar.com
127.0.0.1 ymsdk.apkcar.com