! Various telemetry endpoints (hosts and domains) used by mobile location tracking libraries
! Contact: mobiletrackers [at] protonmail.ch
! See: https://github.com/craiu/mobiletrackers/
! Version 1.46 - 2024-02-07
!
! xmodesocial - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
||bin5y4muil.execute-api.us-east-1.amazonaws.com^
! unknown, possibly xmodesocial - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
||8balwalz1i.execute-api.us-east-2.amazonaws.com^
! unknowns - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
||api.smartechmetrics.com^
||ck-running-apps-700f1.firebaseio.com^
||pie.wirelessregistry.com^
! unknowns - 010f7bb33f35cc650b7d6104b07102eb0dbaf79bcec1f1c6255fdcaffefe6b68 - com.davidsukhin.com.sukhin.snowdaycalculator.SnowDay
! URLs below stored as base64 and encrypted xor 0x09 ->
||udata.elephantdata.net^
||atb.bearclod.com^
! pDNS data for the IPs associated with atb.bearclod.com ->
! crashlytics - 4711634730d5367756bba4d776d846b01b8d0373336ea877a2c20b1da0a95477 - com.sgiggle.production_5.2.229629_1538560344.apk
||settings.crashlytics.com^
||e.crashlytics.com^
! starbolt - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
||sdk.starbolt.io^
||dmp.starbolt.io^
||devices.starbolt.io^
! sense360 ? - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
||android-quinoa-config-prod.sense360eng.com^
||survey-notify-event.sense360eng.com^
||quinoa-personal-identify-prod.sense360eng.com^
! appmeasurement - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
||app-measurement.com^
!
! newrelic - 2d4c9c037db43704f52968c9c363cbdf382cbb6a4b9143825f6e8b523b7c0c01 - com.crowdcompass.appmQaIam3e7C.apk
||mobile-collector.newrelic.com^
||mobile-crash.newrelic.com^
! Xiaomi related telemetry endpoints - see https://twitter.com/hookgab/status/1255859289945780225
||data.mistat.india.xiaomi.com^
||data.mistat.intl.xiaomi.com^
||data.mistat.rus.xiaomi.com^
||tracking.rus.miui.com^
||tracking.intl.miui.com^
||tracking.india.miui.com^
! from https://twitter.com/cybergibbons/status/1256703550954057729
||sa.api.intl.miui.com^
||sa.api.india.miui.com^
||sa.api.rus.miui.com^
! new xmodesocial - from https://mobile.twitter.com/guardianiosapp/status/1262545645941874689
||api.myendpoint.io^
! aggressive advertisers - https://securelist.com/in-app-advertising-in-android/97065/
! 1eeda6306a2b12f78902a1bc0b7a7961 – com.android.ggtoolkit_tw_xd
! 134283b8efedc3d7244ba1b3a52e4a92 – com.xprodev.cutcam
! 3aba867b8b91c17531e58a9054657e10 – com.powerd.cleaner
||ti.domainforlite.com^
||uu.domainforlite.com^
! pDNS resolutions for uu.domainforlite.com, hosting on 47.252.80.195
! mobile ads, 2020-07-07, additions from https://securelist.com/pig-in-a-poke-smartphone-adware/97607/
! mintegral, 2020-08-30, described at: https://snyk.io/research/sour-mint-malicious-sdk/
||n.systemlog.me^
||setting.rayjump.com^
||analytics.rayjump.com^
! from pDNS on n.systemlog.me ->
||net.cleverjp.com^
!
! from fake NEXTALIVE (moonfair) application - https://www.zdnet.com/article/google-removes-android-app-that-was-used-to-spy-on-belarusian-protesters/
||arcpi.nextialive.roimaster.site^
||api.nextialive.roimaster.site^
||ws.nextialive.roimaster.site^
||nextialive.roimaster.site^
||api.dev.chat.roimaster.site^
||dev.chat.roimaster.site^
! Joker download URLs / hosts as described by ZScaler - https://www.zscaler.com/blogs/security-research/joker-playing-hide-and-seek-google-play
! Cerberus C2s as described by BitDefender - https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/
! unknown (?) telemetry receiving endpoints from:
! 066de93f181e9cbcb8611c675bbcb0fc - com.speedcamera.detector.radar.detector.direction
||yqchpwxvbg.execute-api.us-east-1.amazonaws.com^
||pn8sm7rjuc.execute-api.us-east-1.amazonaws.com^
! venntel / gravy analytics from https://github.com/sociam/PROWISH/blob/master/data/200appsdynamic.csv
! venntel / gravy analytics from https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf
!
! gravy analytics docs - http://developers.findgravy.com/products/gold-api/docs/index2.html
||api.findgravy.com^
||nwzhmwux-api.findgravy.com^
||zmq5ytc1-api.findgravy.com^
||mtm1nwmx-api.findgravy.com^
||gravyanalytics.com^
! 51ec8159efb88a852005b94f0fd9891016b75f4b40d24608ee8a5c8d34826a3e - com.usatoday.android.news
||ws.findgravy.com^
||api.foozor.com^
||testapi.foozor.com^
! potentially related hosts on top of findgravy.com
||img01.findgravy.com^
||img02.findgravy.com^
||img03.findgravy.com^
||img04.findgravy.com^
! 51ec8159efb88a852005b94f0fd9891016b75f4b40d24608ee8a5c8d34826a3e - com.usatoday.android.news
||pushapi.localytics.com^
||analytics.localytics.com^
||profile.localytics.com^
! cuebiq location sdk from ->
! 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
||in.cuebiq.com^
||ingestion-api.kiwi.sand.cuebiq.ai^
! nodle.io sdk from ->
! 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
||dev.nodle.io^
||us-central1-production-242307.cloudfunctions.net^
! unknown sdk from 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass possibly xmode related
! more crashlytics hosts from 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
||firebase-settings.crashlytics.com^
||update.crashlytics.com^
||reports.crashlytics.com^
! 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass ->
||pixelprose.fr^
! appsflyer from b8ce13566a048108b4321f5277e4d95a5d5743da4f082fbca30074439acf5a15 - com.unacademyapp
||onelink.me^
||onelnk.com^
||app.aflink.com^
||t.appsflyer.com^
!
! other various telemetry endpoints (not necessarily location related) from b8ce13566a048108b4321f5277e4d95a5d5743da4f082fbca30074439acf5a15 - com.unacademyapp
! Clevertap's wzrkt.com - also see https://twitter.com/fs0c131y/status/977267255309463554
||wzrkt.com^
||in.wzrkt.com^
! subdomains from wzrkt.com - https://subdomainfinder.c99.nl/scans/2020-04-19/wzrkt.com
! from cb9f6bb72a9766ba8c805c25769b47c46751052706bb41ed333db0b42cd586ff - com.byjus.thelearningapp
! also see https://digitalwatchdog.org/wp-content/uploads/2020/09/IDAC-Ed-Tech-Report_AppendixB_SensitiveData.pdf
||api.tllms.com^
||marketing.tllms.com^
! from 09f5bcadde3351eb3f509f5a471cbd7bb00536292da560bcf8ee59eb73116f00 - luo.speedometergps
! teragence ->
||control.teragence.net^
||pfsense02-01.is-61194.teragence.net^
! tutela ->
||upload-tutelawest.s3-accelerate.amazonaws.com^
||reporting-util.tutelatechnologies.com^
||hail-reporting.tutelatechnologies.com^
||thepopulator.tutelatechnologies.com^
!
! huq (also from 9c53a29a7e6a871f57b20097185a09afd2ff818455a42792d502f1eb8f2e3679) ->
||api.huqindustries.co.uk^
||report.huqindustries.co.uk^
||charles.huqindustries.co.uk^
! IOCs from https://www.whiteops.com/blog/somewhere-over-the-rainbowmix
||api.pythonexample.com^
! Predicio - from Funny Weather - pl.lawiusz.funnyweather.release.apk - 6d23151e69a57f67111d4969594316576577ae8a2015aff336ab6ef0fb2a07b4
! see https://www.vice.com/en/article/epdpdm/ice-dhs-fbi-location-data-venntel-apps
||sdk.predic.io^
! Kinesis endpoint from Funny Weather:
||kinesis.ap-southeast-1.amazonaws.com^
! Complementics endpoints from 4ba50272718c95af20940912c7968410d797fbc07dcce2bad8183b94887b0ab4
||sdk-as.complementics.com^
||static.complementics.com^
! Goontact from https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail
! Joker from https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/
||gd-1301476296.cos.na-toronto.myqcloud.com^
! Related to: https://github.com/greatsuspender/thegreatsuspender/issues/1175
! and: https://www.theregister.com/2021/01/07/great_suspender_malware/
||cdn.owebanalytics.com^
||static.trckingbyte.com^
||static.trckpath.com^
||static.privacytrck.com^
||rctphvxwnjhx.pw^
||hanstrackr.com^
! Postlo spyware - https://twitter.com/ESETresearch/status/1374889857403785218?s=20
||api.mainrepo.org^
!
! EvilEye malware C2s mentioned at https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/
! Xcodespy - https://labs.sentinelone.com/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/
! APKPure compromise by Triada malware - https://securelist.com/apkpure-android-app-store-infected/101845/
||wcf.seven1029.com^
||foodin.site^
! Triada from https://securelist.com/triada-trojan-in-whatsapp-mod/103679/
! Trojan.AndroidOS.Triada.ef b1aa5d5bf39fee0b1e201d835e4dc8de
||t1k22.c8xwor.com^
||dgmxn.c8xwor.com^
! Tutela technologies - f9db002cbc6e5b6de37fb15aefaaf3934a700a7a2f9d5949f3cd6bb8c7dfc1bc - org.speedspot.speedanalytics
||reporting.tutelatechnologies.com^
||video-url.tutelatechnologies.com^
||d3clybje3sun07.cloudfront.net^
!
! speedspot - reports GPS location, other data - SpeedtestResultViews.java - inside f9db002cbc6e5b6de37fb15aefaaf3934a700a7a2f9d5949f3cd6bb8c7dfc1bc
! Kochava endpoints, from rugabunda https://beta.pithus.org/report/844aa271ef47f7807ab3ccc63952e2215298701a6851857c22456317927f08fd
! Adeco and inappertising - see https://www.occrp.org/en/investigations/how-a-russian-mobile-app-developer-recruited-phones-into-a-secret-ad-watching-robot-army
! Ultimate-Mortal-Kombat-3-v1-1.apk - https://www.virustotal.com/gui/file/dc078b004830ff03a27371bbc1c4a7b5882d5a0fb577a8477c09e8b3bfe0d6d3/details
||cfg.inappertising.org^
||stats.inappertising.org^
||app-stats.net2share.com^
||s.net2share.com^
||adeco.adecosystems.com^
||dd.adecosystems.com^
!
! GriftHorse Android from - https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/
! GriftHorse Second-Stage Domain
||678ikmbtui.com^
!
! GriftHorse Third-Stage Domains
! Suspected GriftHorse from pDNS 185.255.179.131 / 185.255.179.132 ->
! additional suspected GriftHorse from pDNS - 2021-10-21
!
! TangleBot domains, research based on - https://www.cloudmark.com/en/blog/mobile/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19
! Donot / Origami Elephant / APT-C-35 IOCs from Amnesty - https://github.com/AmnestyTech/investigations/blob/master/2021-10-07_donot/domains.txt
! AbstractEmu hosts from https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign
! Cynos hosts from https://vms.drweb.com/virus/?i=24972842 - 46bc4c6c87fcb519a8f315c0010b949d682ac3abee62b33bd624b251a3521b19
||dns1.sdkbalance.com^
||dns2.sdkbalance.com^
||dns3.sdkbalance.com^
||sdk.sdkbalance.com^
||mg.sdkbalance.com^
!
! PhoneSpy hosts from https://blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/ and pDNS related
! https://blog.appcensus.io/2022/04/06/the-curious-case-of-coulus-coelib/
! Telematicsdirect - from al-moazin-lite-prayer-times.apk - dcb56dc7b817dd65a1f5ebfe81cf36b85ad523990b8e4f69a4a1654d1cc8277c
||nav.telematicsdirect.com^
! SafeGraph / OpenLocate
! https://github.com/pablobaxter/openlocate-android
! https://www.vice.com/en/article/m7vymn/cdc-tracked-phones-location-data-curfews
||api.safegraph.com^
! daily-scratchers.apk / 22a80df1084af11129baef89bce0bafad0aaae41e58dc2bb6e7c27fd3f4bac49 / me.actv8.tvwallet
||actv8technologies.com^
||api-production-v4.actv8technologies.com^
||sonar.actv8technologies.com^
! Joker - RelaxingMusicSootheYourBody_signed.apk - 14c35d1158cc47cfb605fdd686603b0929d38c046dce03fd6033fb8a31433798
||novasdk.oss-cn-beijing.aliyuncs.com^
! Joker - https://github.com/DoctorWebLtd/malware-iocs/tree/master/Android.Joker
! Note: domain offline since Feb 2022
||ad.mobnv.com^
! pDNS for 161.117.252.102
||app.mobnv.com^
||aff.fortunnecat.com^
! WhatsApp mod distributed through legitimate apps:
! https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690/?utm_source=everyonesocial&utm_medium=partner&utm_campaign=us_NA-newsletter_en0177&utm_content=sm-post&utm_term=us_everyonesocial_organic_an17748oyfteksz&es_id=cfde1a3994
||wa.zcnewy.com^
||av2wg.rt14v.com^
||g1790.rt14v.com^
! xnspy - 578a880848bc52bed83b2be817a148187fde129cc8ad50db49630c0ebf59102c - xnspyappv2.apk
! https://techcrunch.com/2022/12/12/xnspy-stalkerware-iphone-android/
! xnspy - 7e3930771370ed111cdb83397a04fa7ee89f1ea35b7f5306bb1522b82bc6d38d
||sync.bk128.com^
||alert.bk128.com^
||asset.bk128.com^
||bk128.com^
!
! xnspy - 9114e561c42ea19b183ef5d8a36e743f2b873874e43d805b11e3753035c7900d
||true-truck-86810.firebaseio.com^
||true-truck-86810.appspot.com^
! Fleckpe - from https://securelist.com/fleckpe-a-new-family-of-trojan-subscribers-on-google-play/109643/
! AhRat - see https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/
||order.80876dd5.shop^
! AhRat - b2c1517e4b0e0b3286a5cde06310b2277da7333f5ab3c2828f08272e3f85b260 - iRecorder - Screen Recorder_2.0_apkcombo.com.apk
||config.unityads.unity3d.com^
||config.unityads.unitychina.cn^
||init.supersonicads.com^
||logs.supersonic.com^
||outcome-ssp.supersonicads.com^
||supersonicads.com^
! uBlock telemetry endpoint - adblock-stats.js inside a01ff7dac823f3666e7f38527739802e5a7ce3cb539b6a390ca99d423b5c9779
! data sent even if telemetry is disabled
||ublocker-chrome.com^
! Cytrox Predator domains, see - https://citizenlab.ca/2023/09/predator-in-the-wires-ahmed-eltantawy-targeted-with-predator-spyware-after-announcing-presidential-ambitions/
!
! PEACHPIT and BADBOX, extended infrastructure (expansion by @craiu), see - https://www.humansecurity.com/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pdf
! Unityads from https://github.com/Unity-Technologies/unity-ads-ios
||scar.unityads.unity3d.com^
||webviewbridge.unityads.unity3d.com^
||unityads.unity3d.com^
||gateway.unityads.unity3d.com^