# Various telemetry endpoints (hosts and domains) used by mobile location tracking libraries
# Contact: mobiletrackers [at] protonmail.ch
# See: https://github.com/craiu/mobiletrackers/
# Version 1.46 - 2024-02-07
#
# xmodesocial - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
bin5y4muil.execute-api.us-east-1.amazonaws.com
# unknown, possibly xmodesocial - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
8balwalz1i.execute-api.us-east-2.amazonaws.com
# unknowns - e65912e897bd9e6f41865a8ab0eb9b15fef4bc0af68eb8217f5360fb1c53f423 - 13.1Trainer_95.19-.apk
api.smartechmetrics.com
ck-running-apps-700f1.firebaseio.com
pie.wirelessregistry.com
# unknowns - 010f7bb33f35cc650b7d6104b07102eb0dbaf79bcec1f1c6255fdcaffefe6b68 - com.davidsukhin.com.sukhin.snowdaycalculator.SnowDay
# URLs below are stored base64-encoded and XOR-encrypted with key 0x09 ->
udata.elephantdata.net
atb.bearclod.com
# pDNS data for the IPs associated with atb.bearclod.com ->
alb.bearclod.com
aly.bearclod.com
alz.bearclod.com
atb.bearclod.com
bivitis.bearclod.com
brt.bearclod.com
brul.bearclod.com
hfstat.bearclod.com
hkn01.bearclod.com
ply.bearclod.com
zoo.bearclod.com
# crashlytics - 4711634730d5367756bba4d776d846b01b8d0373336ea877a2c20b1da0a95477 - com.sgiggle.production_5.2.229629_1538560344.apk
settings.crashlytics.com
e.crashlytics.com
# starbolt - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
sdk.starbolt.io
dmp.starbolt.io
devices.starbolt.io
# sense360 ? - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
android-quinoa-config-prod.sense360eng.com
survey-notify-event.sense360eng.com
quinoa-personal-identify-prod.sense360eng.com
# appmeasurement - cb9b9de8616e55849b9140e7915b2ba237818625828acfa55b59f5268f589e91 - com.kellytechnology.Forecast_Now
app-measurement.com
# newrelic - 2d4c9c037db43704f52968c9c363cbdf382cbb6a4b9143825f6e8b523b7c0c01 - com.crowdcompass.appmQaIam3e7C.apk
mobile-collector.newrelic.com
mobile-crash.newrelic.com
# Xiaomi-related telemetry endpoints - see https://twitter.com/hookgab/status/1255859289945780225
data.mistat.india.xiaomi.com
data.mistat.intl.xiaomi.com
data.mistat.rus.xiaomi.com
tracking.rus.miui.com
tracking.intl.miui.com
tracking.india.miui.com
# from https://twitter.com/cybergibbons/status/1256703550954057729
sa.api.intl.miui.com
sa.api.india.miui.com
sa.api.rus.miui.com
# new xmodesocial - from https://mobile.twitter.com/guardianiosapp/status/1262545645941874689
api.myendpoint.io
# aggressive advertisers - https://securelist.com/in-app-advertising-in-android/97065/
# 1eeda6306a2b12f78902a1bc0b7a7961 – com.android.ggtoolkit_tw_xd
# 134283b8efedc3d7244ba1b3a52e4a92 – com.xprodev.cutcam
# 3aba867b8b91c17531e58a9054657e10 – com.powerd.cleaner
ti.domainforlite.com
uu.domainforlite.com
# pDNS resolutions for uu.domainforlite.com, hosted on 47.252.80.195
adserver.hahamobi.com
analytics.hahamobi.com
analytics.salmonads.com
api.salmonads.com
dat.funheroic.com
lg.luckyforworlds.com
lg.requestads.com
lg.smardroid.com
log.adywind.com
log.mobpowertech.com
net.hahamobi.com
net.salmonads.com
us01.salmonads.com
uu.domainforlite.com
# mobile ads, 2020-07-07, additions from https://securelist.com/pig-in-a-poke-smartphone-adware/97607/
www.ywupscsff.com
www.mzeibiyr.com
i151125.infourl.net
www.jueoxdr.com
ufz.doesxyz.com
htapi.getapiv8.com
stable.icecyber.org
404mobi.com
51ginkgo.com
lbjg7.com
bigdata800.com
apd1.warnlog.com
apd1.thunup.com
# mintegral, 2020-08-30, described at: https://snyk.io/research/sour-mint-malicious-sdk/
n.systemlog.me
setting.rayjump.com
analytics.rayjump.com
# from pDNS on n.systemlog.me ->
net.cleverjp.com
# from fake NEXTALIVE (moonfair) application - https://www.zdnet.com/article/google-removes-android-app-that-was-used-to-spy-on-belarusian-protesters/
arcpi.nextialive.roimaster.site
api.nextialive.roimaster.site
ws.nextialive.roimaster.site
nextialive.roimaster.site
api.dev.chat.roimaster.site
dev.chat.roimaster.site
# Joker download URLs / hosts as described by ZScaler - https://www.zscaler.com/blogs/security-research/joker-playing-hide-and-seek-google-play
2j1i9uqw.oss-eu-central-1.aliyuncs.com
blackdragon03.oss-ap-southeast-5.aliyuncs.com
blackdragon.oss-ap-southeast-5.aliyuncs.com
fgcxweasqw.oss-eu-central-1.aliyuncs.com
jk8681oy.oss-eu-central-1.aliyuncs.com
laodaoo.oss-ap-southeast-5.aliyuncs.com
laodaoo.oss-ap-southeast-5.aliyuncs.com
n47n.oss-ap-southeast-5.aliyuncs.com
nineth03.oss-ap-southeast-5.aliyuncs.com
proxy48.oss-eu-central-1.aliyuncs.com
rinimae.oss-ap-southeast-5.aliyuncs.com
sahar.oss-us-east-1.aliyuncs.com
# Cerberus C2s as described by BitDefender - https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/
2fapass.club
androidradio.life
downdating.club
fitnessstrategy.xyz
groovefitness.xyz
loversfinder.xyz
positivefitness.club
safeyourdata.xyz
sport4ever.club
vipyoga.today
weatherclub.club
yoga4u.xyz
# unknown (?) telemetry-receiving endpoints from:
# 066de93f181e9cbcb8611c675bbcb0fc - com.speedcamera.detector.radar.detector.direction
yqchpwxvbg.execute-api.us-east-1.amazonaws.com
pn8sm7rjuc.execute-api.us-east-1.amazonaws.com
# venntel / gravy analytics from https://github.com/sociam/PROWISH/blob/master/data/200appsdynamic.csv
# venntel / gravy analytics from https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf
# gravy analytics docs - http://developers.findgravy.com/products/gold-api/docs/index2.html
api.findgravy.com
nwzhmwux-api.findgravy.com
zmq5ytc1-api.findgravy.com
mtm1nwmx-api.findgravy.com
gravyanalytics.com
# 51ec8159efb88a852005b94f0fd9891016b75f4b40d24608ee8a5c8d34826a3e - com.usatoday.android.news
ws.findgravy.com
api.foozor.com
testapi.foozor.com
# potentially related hosts on top of findgravy.com
img01.findgravy.com
img02.findgravy.com
img03.findgravy.com
img04.findgravy.com
# 51ec8159efb88a852005b94f0fd9891016b75f4b40d24608ee8a5c8d34826a3e - com.usatoday.android.news
pushapi.localytics.com
analytics.localytics.com
profile.localytics.com
# cuebiq location sdk from ->
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
in.cuebiq.com
ingestion-api.kiwi.sand.cuebiq.ai
# nodle.io sdk from ->
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
dev.nodle.io
us-central1-production-242307.cloudfunctions.net
# unknown sdk from 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass, possibly xmode related
api.smartechmetrics.com
# more crashlytics hosts from 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass
firebase-settings.crashlytics.com
update.crashlytics.com
reports.crashlytics.com
# 2dc269d7237c97edefa653a379eca897a23f46adcf14705801041817bf5d1e7e - net.androgames.compass ->
pixelprose.fr
# appsflyer from b8ce13566a048108b4321f5277e4d95a5d5743da4f082fbca30074439acf5a15 - com.unacademyapp
onelink.me
onelnk.com
app.aflink.com
t.appsflyer.com
# other various telemetry endpoints (not necessarily location related) from b8ce13566a048108b4321f5277e4d95a5d5743da4f082fbca30074439acf5a15 - com.unacademyapp
api.mixpanel.com
decide.mixpanel.com
cdn.optimizely.com
logx.optimizely.com
outline.truecaller.com
api4.truecaller.com
c.webengage.com
p.webengage.com
api.branch.io
bnc.lt
cdn.branch.io
e.crashlytics.com
settings.crashlytics.com
js.intercomcdn.com
mobile-sdk-api.intercom.io
# Clevertap's wzrkt.com - also see https://twitter.com/fs0c131y/status/977267255309463554
wzrkt.com
in.wzrkt.com
# subdomains from wzrkt.com - https://subdomainfinder.c99.nl/scans/2020-04-19/wzrkt.com
api.wzrkt.com
cb.wzrkt.com
eu1-spiky.wzrkt.com
eu1.alb.wzrkt.com
eu1.wzrkt.com
in.cb.wzrkt.com
in1-spiky.wzrkt.com
in1.alb.wzrkt.com
in1.wzrkt.com
sg1-spiky.wzrkt.com
sg1.cb.wzrkt.com
sg1.wzrkt.com
sk1-spiky.wzrkt.com
sk1-staging-1.wzrkt.com
sk1-staging-10.wzrkt.com
sk1-staging-2.wzrkt.com
sk1-staging-3.wzrkt.com
sk1-staging-4.wzrkt.com
sk1-staging-5.wzrkt.com
sk1-staging-6.wzrkt.com
sk1-staging-7.wzrkt.com
sk1-staging-8.wzrkt.com
sk1-staging-9.wzrkt.com
sk1.wzrkt.com
us1-spiky.wzrkt.com
us1.cb.wzrkt.com
us1.wzrkt.com
# from cb9f6bb72a9766ba8c805c25769b47c46751052706bb41ed333db0b42cd586ff - com.byjus.thelearningapp
# also see https://digitalwatchdog.org/wp-content/uploads/2020/09/IDAC-Ed-Tech-Report_AppendixB_SensitiveData.pdf
api.tllms.com
marketing.tllms.com
# from 09f5bcadde3351eb3f509f5a471cbd7bb00536292da560bcf8ee59eb73116f00 - luo.speedometergps
# teragence ->
control.teragence.net
pfsense02-01.is-61194.teragence.net
# tutela ->
upload-tutelawest.s3-accelerate.amazonaws.com
reporting-util.tutelatechnologies.com
hail-reporting.tutelatechnologies.com
thepopulator.tutelatechnologies.com
# huq (also from 9c53a29a7e6a871f57b20097185a09afd2ff818455a42792d502f1eb8f2e3679) ->
api.huqindustries.co.uk
report.huqindustries.co.uk
charles.huqindustries.co.uk
# IOCs from https://www.whiteops.com/blog/somewhere-over-the-rainbowmix
api.pythonexample.com
# Predicio - from Funny Weather - pl.lawiusz.funnyweather.release.apk - 6d23151e69a57f67111d4969594316576577ae8a2015aff336ab6ef0fb2a07b4
# see https://www.vice.com/en/article/epdpdm/ice-dhs-fbi-location-data-venntel-apps
sdk.predic.io
# Kinesis endpoint from Funny Weather (shared AWS regional service endpoint, not specific to this app):
kinesis.ap-southeast-1.amazonaws.com
# Complementics endpoints from 4ba50272718c95af20940912c7968410d797fbc07dcce2bad8183b94887b0ab4
sdk-as.complementics.com
static.complementics.com
# Goontact from https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail
redvios.com
v-talk.top
v-talk.vip
ladysizi.top
mmbox.top
oncamera.top
oncast.top
mimibox.top
voicecontrol.top
signaltalk.top
oncamera.vip
dalbam.vip
mimimsg.net
signal-live.vip
tele-gram.vip
vtalk.vip
a-video.vip
livetalk.vip
livetalk.top
download-file.top
grd77.cn
mimicwt.net
super-voice.vip
mimi18s.top
momomsg.top
live-live.vip
zerobyte.top
zerobt.net
w-video.vip
ser-chat.com
tocast.vip
videosound.vip
twi-tter.vip
my-player.vip
voicesupport.vip
# Joker from https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/
gd-1301476296.cos.na-toronto.myqcloud.com
# Related to: https://github.com/greatsuspender/thegreatsuspender/issues/1175
# and: https://www.theregister.com/2021/01/07/great_suspender_malware/
cdn.owebanalytics.com
static.trckingbyte.com
static.trckpath.com
static.privacytrck.com
rctphvxwnjhx.pw
hanstrackr.com
# Postlo spyware - https://twitter.com/ESETresearch/status/1374889857403785218?s=20
api.mainrepo.org
# EvilEye malware C2s mentioned at https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/
anayurt.net
apkprue.info
geo2ipapi.org
gotossl.ml
icptime.com
istiqlaihaber.com
misran.org
newyorkingsite.com
playgoog1e.com
preservtyg.com
sslportservices.com
strunhvgpk.com
uhtpuerdfbnm.com
uyghur-news.com
uyghur-soft-market.com
uyghurhaber.com
www.apkhl.pw
apkhl.pw
www.apkpure.bz
apkpure.bz
# Xcodespy - https://labs.sentinelone.com/new-macos-malware-xcodespy-targets-xcode-developers-with-eggshell-backdoor/
www.liveupdate.cc
www.appmarket.co
www.recentnews.cc
www.truckrental.cc
www.everestnote.com
www.alinbox.co
www.suppro.co
# APKPure compromise by Triada malware - https://securelist.com/apkpure-android-app-store-infected/101845/
wcf.seven1029.com
foodin.site
# Triada from https://securelist.com/triada-trojan-in-whatsapp-mod/103679/
# Trojan.AndroidOS.Triada.ef b1aa5d5bf39fee0b1e201d835e4dc8de
t1k22.c8xwor.com
dgmxn.c8xwor.com
# Tutela technologies - f9db002cbc6e5b6de37fb15aefaaf3934a700a7a2f9d5949f3cd6bb8c7dfc1bc - org.speedspot.speedanalytics
upload-tutelawest.s3-accelerate.amazonaws.com
reporting.tutelatechnologies.com
video-url.tutelatechnologies.com
hail-reporting.tutelatechnologies.com
d3clybje3sun07.cloudfront.net
# speedspot - reports GPS location and other data - SpeedtestResultViews.java - inside f9db002cbc6e5b6de37fb15aefaaf3934a700a7a2f9d5949f3cd6bb8c7dfc1bc
api.speedspot.org
www.speedcheck.org
net.etrality.com
a2.etrality.com
a1.etrality.com
c4.etrality.com
b3.etrality.com
c3.etrality.com
b2.etrality.com
c2.etrality.com
b1.etrality.com
c1.etrality.com
wpc.A3CD.edgecastcdn.net
speedspot.speedspot.netdna-cdn.com
www.speedspot5.com
www.speedspot1.com
www.speedspot7.com
www.speedspot2.com
www.speedspot3.com
www.speedspot4.com
www.speedspot6.com
# Kochava endpoints, from rugabunda - https://beta.pithus.org/report/844aa271ef47f7807ab3ccc63952e2215298701a6851857c22456317927f08fd
co.akisinn.info
co.dewrain.life
co.vaicore.site
co.vaicore.xyz
int.akisinn.info
int.akisinn.me
int.akisinn.site
int.dewrain.life
int.dewrain.site
int.dewrain.world
int.vaicore.site
int.vaicore.store
int.vaicore.xyz
int.vlancaa.site
int.vlancaa.fun
tok.vaicore.xyz
vaicore.xyz
web.ab-salute.com
smart.link
# Adeco and inappertising - see https://www.occrp.org/en/investigations/how-a-russian-mobile-app-developer-recruited-phones-into-a-secret-ad-watching-robot-army
# Ultimate-Mortal-Kombat-3-v1-1.apk - https://www.virustotal.com/gui/file/dc078b004830ff03a27371bbc1c4a7b5882d5a0fb577a8477c09e8b3bfe0d6d3/details
cfg.inappertising.org
stats.inappertising.org
app-stats.net2share.com
s.net2share.com
adeco.adecosystems.com
dd.adecosystems.com
# GriftHorse Android from - https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/
hotofecro.com
alaiblompass.com
heartratteandpulsetracker.com
icoonectedtrack.com
ospocatracker.com
laalaslirayeblection.com
iblompass.com
smalllcalllrecorder.com
anguaganslatast.com
oroscopemestry.com
blompascator.com
leunoon.com
arindocation.com
rooitor.com
mychattranslator.club
rulapptoplan.com
rportranslator.com
muslimasauda.com
martpolocator.com
wfupppx.com
scandocnotes.com
freecoupon21.com
ponyvideochat.com
ludamec.com
chat-transa.com
soulscanneryh.com
d3cameraplan.com
qibla-ultima.com
zoofanimalm.com
ciaolvc.com
heartrateproxhealthmonitor.com
bus-metrolis.com
truck-rouddrive.com
locatinfind.com
camerdentifier.com
locatorqiafindlocation.com
cocachar.com
squishyp.com
antranslaro.com
ftphotom.com
lockul.com
fingerprihanger.com
locatorshar.com
kfcwsa.com
gpsphonuetrackerfamilylocator.com
cailrecorder.com
tqiblacompas.com
kvprojectop.com
pikchoeditor.com
streetprocarsracingss.com
nemaeovies.com
aecodero.com
ivlewepapallrbkragonucd.com
heartrateandmealtracker.com
phonecontrolblockspamcalls.com
etcotater.com
canopoument.com
locxfindxlocx.com
mnesytrlatr.com
huntcontactz.com
intelgenttran.com
facenalyer.com
fnbdeiegpslocoiatntcrkaer.com
trcalluecodr.com
qrreaderpro.com
itranstxtvoicepht.com
qiberiblaon.com
iconylc.com
lsepeanitor.com
fxkwboard.com
dehcoveanager.com
tickeakhatsp.com
phoneboster.com
phonfinbyclap.com
aralaper.com
qibdirctiowa.com
islsrickers.com
feartranslator.com
vpnzfep.com
snaplens-pt.com
qiblassirection.com
easyvshow.com
qibla-quran.com
qrcodesscan.com
hoolives.com
burivingsim.com
coupongiftsnstashop.com
fingdefend.com
projectormp.com
forzahmobile.com
artateulseonitor.com
sslasmr.com
bagscaner.com
phonecallerscreen.com
datingappswmt.com
lifeel-scan.com
colorizerset.club
expresscreditcash.com
ccallerx.com
transatitonneap.com
lasouncherio.com
claptfindzmphone.com
mirrorscreencasttvv.com
ircleocatinder.com
mobleingsder.com
proocallerr.com
frecalwolwid.com
allelpcoonmber.com
faspulhearratmoni.com
fincconttact.com
uncherdroid.com
iveilembercker.com
lepamcker.com
lockaaocker.com
onarchbylap.com
secontranslatpr.com
tgscontakcs.com
lockaaocker.com
callwhozdine.com
perargero.com
mylocatorplus.club
comclap.club
callerids.club
instantspeechtranslation.club
photoeditorbest.club
piction.club
driveriders.club
skycoachgg.club
ffitnesstrainer.club
racerscardriver.club
fitnessdias.club
meetingonlinechat.club
fitnessgymup.club
editsbackground.club
cutcutpro.club
drivingexpiriencesimulator.club
clipbuddy.club
horoscopefortune.club
ludospeakeasy.club
fitnesspoint.club
wallvoluminousfourk.club
cvectorart.club
ludospeakv2.club
callrecordpro.club
carracer.club
slimesimulator.club
offroaderssurvive.club
lending-online.club
controlcenterios.club
callerids.club
carracer.club
streetracingg.club
checkheart.club
keyboardthemes.club
whatsmesticker.club
batterychargingeffect.club
luxoreditor.club
lionflix.club
amazingvideoeditor.club
zodiachand.club
zeusalmighty.club
pharaohsadventure.club
batterylivewallpaperhd.club
comqubla.club
safelock.club
heartrhythm.club
easybassbooster.club
comphotolab.club
# GriftHorse Second-Stage Domain
678ikmbtui.com
# GriftHorse Third-Stage Domains
safe-link.mobi
at.gogameportal.club
activate-your-account-now.com
continue-to-get-content-now.com
your-access-here.com
app.buenosocial.club
join.crazymob.co
vl.denrok.space
www.timpromos.com.br
campaignmanager.fun.moobig.com
get-your-access-now.com
v.mobzones.com
mt2-sdp4.mt-2.co
go.whatabookmark.com
lp.shoopadoo.com
es.mobiplus.me
af.to.123games.club
be.startdownload.mobi
za.startdownload.mobi
n.appspool.net
wap.trend-tech.net
fr.chillaxgames.mobi
tracking.hexilo.com
# Suspected GriftHorse from pDNS 185.255.179.131 / 185.255.179.132 ->
1g7kvrv.xyz
2fnoqifq.com
2g8cvdii.com
2oafxcbq.xyz
5rfvbnji9.com
7lc6jc.xyz
7nvdx0.xyz
8sghnct.xyz
berf4o.xyz
blfnf9y.com
brlyp4pg.com
chulahfi.xyz
cmvkvncsse.xyz
cophico.pw
cwkjravqsj.xyz
dhfvbsihjf.com
dsfhskln.com
eksndtpf.org
emraiyz.xyz
eok8wd5v.net
erbfzk.com
ersokbkj.com
fdfjhks.com
ffnbafc.xyz
hrvxkxq.xyz
il0baz.com
jduzuyd.com
jsdfbhsa.com
jydfoafcaf.xyz
kgr0aixa.xyz
krkmyvlmdg.xyz
lgdzbch.com
liahkhe.xyz
lljmbbk.com
lmbbnrhiuj.xyz
lwvurdsjk.org
lxghjoxzns.com
mnfbodivbv.com
mt5vsuf1.net
nfrmg1y.xyz
nwluoodzct.xyz
ocheyhv.xyz
okjojihgv.com
olimob.net
ortn13der.xyz
poiuwhejgr.com
pwtgnp.pw
qtwjhuj.com
rfjdhxbz.com
sjkfsdkg.com
trfvbnji7.com
urtyhfds.com
v9czaci.xyz
vortnomade.net
w9x7itu.xyz
www.mnfbodivbv.com
www.okjojihgv.com
y0vvbm.xyz
yq0z3d.xyz
# additional suspected GriftHorse from pDNS - 2021-10-21
down.tracksz.co
go.creativemobilemarketing.com
go.fastfinderworld.com
go.grandprizewinners.com
go.interlinkinternet.com
go.protectyoursearch.com
go.trackitalltheway.com
go.trackiteazy.com
go.watchwiser.com
# TangleBot domains, research based on - https://www.cloudmark.com/en/blog/mobile/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19
covid19-ca.link
hydro-ca.link
sock.godforgiveuss.live
sock.hhhhrkanandda.xyz
sock.nmnmnmfsamsfan.xyz
socktest.ankatras.xyz
vaccine-appointment.link
# Donot / Origami Elephant / APT-C-35 IOCs from Amnesty - https://github.com/AmnestyTech/investigations/blob/master/2021-10-07_donot/domains.txt
bulk.fun
apkv5.ppadaolnwod.xyz
apkv6.endurecif.top
getelements.xyz
fiddaz.club
lif0.top
fif0.top
chipp.pw
mimestyle.xyz
mangasiso.top
and.retardrattle.website
help.domainoutlet.site
whynotworkonit.top
spectronet.pw
full.naturalpercent.life
mimeversion.top
rythemsjoy.club
lowlight.xyz
inapturst.top
auth.forwardtoken.website
accounts.loginshare.info
seahome.top
imageview.xyz
flickry.xyz
apkv2.qwertykeypad.host
userauthen.pw
join.officeframe.work
zumba.tampotrust.agency
image.loadingmessage.info
# AbstractEmu hosts from https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign
jobs.illaewinstralinc.com
outline.abunddhighett.com
tags.illaryboucnc.com
cloud.nathompsstra.com
store.dianmpsoathom.com
fluency.ryboucoathom.com
csa.naaronegya.com
tips.ghetaldhighe.com
color.joarteauxelb.com
# Cynos hosts from https://vms.drweb.com/virus/?i=24972842 - 46bc4c6c87fcb519a8f315c0010b949d682ac3abee62b33bd624b251a3521b19
dns1.sdkbalance.com
dns2.sdkbalance.com
dns3.sdkbalance.com
sdk.sdkbalance.com
mg.sdkbalance.com
# PhoneSpy hosts from https://blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/ and pDNS related
acd.kcpro.ga
aki.kcpro.ga
arr.kcpro.tk
b.freespy1.ml
b.freespy1.tk
c.freespy1.ml
c.freespy1.tk
cef.kcpro.tk
cfs.kcpro.ga
d.freespy1.ml
d.freespy1.tk
dto.kcpro.ga
e.freespy1.ml
ejn.kcpro.ga
ern.kcpro.ga
f.freespy1.ml
f.freespy1.tk
freespy.cf
g.freespy1.ml
g.freespy1.tk
h.freespy1.ml
h.freespy1.tk
hxg.kcpro.ga
i.freespy1.ml
i.freespy1.tk
j.freespy1.ml
j.freespy1.tk
k.freespy1.ml
k.freespy1.tk
koreavopi.kro.kr
l.freespy1.ml
l.freespy1.tk
m.freespy1.ml
m.freespy1.tk
mda.kcpro.ga
mgo.kcpro.ga
n.freespy1.ml
n.freespy1.tk
o.freespy1.ml
o.freespy1.tk
oso.kcpro.ga
p.freespy1.ml
p.freespy1.tk
pql.kcpro.ga
wvv.kcpro.ga
ydc.kcpro.ga
zqn.kcpro.ga
zsx.kcpro.ga
# https://blog.appcensus.io/2022/04/06/the-curious-case-of-coulus-coelib/
mobile.measurelib.com
measurelib.com
ami0wned.com
amiowned.com
arduous.work
attorney-client-privileged.com
attorney-client.org
attorneyclientprivileged.com
beachhackerspace.com
cloudwatchtower.com
consilio.lawyer
consiliolaw.com
darknetinfo.com
dataillusionist.com
easycalea.com
extremeexploits.com
extremeexploits.org
fraudpreventionsys.com
gleancorp.com
idme.org
indelibleblue.net
indelibleblueinc.net
internetcartography.com
internetcartography.net
internetcartography.org
littoralventures.com
marketinfo.tips
measurementsys.com
mxout.net
myaddress.today
ndagri.com
networkcartography.com
networkcartography.net
networkcartography.org
newdulcina.com
opensourcecontext.com
oppleman.org
oscontext.com
pathanalyzer.com
pathanalyzerpro.com
precise.fit
pwhois.net
pwhois.org
quietquell.com
trustcor.co
vbchs.com
vbchs.org
vbhacker.space
vbhackerspace.com
vbhackerspace.org
vostrom.ventures
whoisanalyzer.com
whoisanalyzerpro.com
mobile.fra2.measurelib.com
mobile.ams2.measurelib.com
# Telematicsdirect - from al-moazin-lite-prayer-times.apk - dcb56dc7b817dd65a1f5ebfe81cf36b85ad523990b8e4f69a4a1654d1cc8277c
nav.telematicsdirect.com
# SafeGraph / OpenLocate
# https://github.com/pablobaxter/openlocate-android
# https://www.vice.com/en/article/m7vymn/cdc-tracked-phones-location-data-curfews
api.safegraph.com
# daily-scratchers.apk / 22a80df1084af11129baef89bce0bafad0aaae41e58dc2bb6e7c27fd3f4bac49 / me.actv8.tvwallet
actv8technologies.com
api-production-v4.actv8technologies.com
sonar.actv8technologies.com
# Joker - RelaxingMusicSootheYourBody_signed.apk - 14c35d1158cc47cfb605fdd686603b0929d38c046dce03fd6033fb8a31433798
novasdk.oss-cn-beijing.aliyuncs.com
# Joker - https://github.com/DoctorWebLtd/malware-iocs/tree/master/Android.Joker
# Note: domain offline since Feb 2022
ad.mobnv.com
# pDNS for 161.117.252.102
app.mobnv.com
aff.fortunnecat.com
# WhatsApp mod distributed through legitimate apps:
# https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690/?utm_source=everyonesocial&utm_medium=partner&utm_campaign=us_NA-newsletter_en0177&utm_content=sm-post&utm_term=us_everyonesocial_organic_an17748oyfteksz&es_id=cfde1a3994
wa.zcnewy.com
av2wg.rt14v.com
g1790.rt14v.com
# xnspy - 578a880848bc52bed83b2be817a148187fde129cc8ad50db49630c0ebf59102c - xnspyappv2.apk
# https://techcrunch.com/2022/12/12/xnspy-stalkerware-iphone-android/
alert.xiz4me.com
asset.xiz4me.com
sync.xiz4me.com
xiz4me.com
mydwnd.com
brilliant-flame-585.firebaseio.com
brilliant-flame-585.appspot.com
# xnspy - 7e3930771370ed111cdb83397a04fa7ee89f1ea35b7f5306bb1522b82bc6d38d
sync.bk128.com
alert.bk128.com
asset.bk128.com
bk128.com
# xnspy - 9114e561c42ea19b183ef5d8a36e743f2b873874e43d805b11e3753035c7900d
true-truck-86810.firebaseio.com
true-truck-86810.appspot.com
# Fleckpe - from https://securelist.com/fleckpe-a-new-family-of-trojan-subscribers-on-google-play/109643/
ac.iprocam.xyz
ad.iprocam.xyz
ap.iprocam.xyz
b7.photoeffect.xyz
ba3.photoeffect.xyz
f0.photoeffect.xyz
m11.slimedit.live
m12.slimedit.live
m13.slimedit.live
ba.beautycam.xyz
f6.beautycam.xyz
f8a.beautycam.xyz
ae.mveditor.xyz
b8c.mveditor.xyz
d3.mveditor.xyz
fa.gifcam.xyz
fb.gifcam.xyz
fl.gifcam.xyz
a.hdmodecam.live
b.hdmodecam.live
l.hdmodecam.live
vd.toobox.online
ve.toobox.online
vt.toobox.online
t1.twmills.xyz
t2.twmills.xyz
t3.twmills.xyz
api.odskguo.xyz
gbcf.odskguo.xyz
track.odskguo.xyz
# AhRat - see https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/
order.80876dd5.shop
# AhRat - b2c1517e4b0e0b3286a5cde06310b2277da7333f5ab3c2828f08272e3f85b260 - iRecorder - Screen Recorder_2.0_apkcombo.com.apk
config.unityads.unity3d.com
config.unityads.unitychina.cn
init.supersonicads.com
logs.supersonic.com
outcome-ssp.supersonicads.com
supersonicads.com
# uBlock telemetry endpoint - adblock-stats.js inside a01ff7dac823f3666e7f38527739802e5a7ce3cb539b6a390ca99d423b5c9779
# data is sent even if telemetry is disabled
ublocker-chrome.com
# Cytrox Predator domains, see - https://citizenlab.ca/2023/09/predator-in-the-wires-ahmed-eltantawy-targeted-with-predator-spyware-after-announcing-presidential-ambitions/
almal-news.com
chat-support.support
cibeg.online
notifications-sec.com
wa-info.com
whatssapp.co
wts-app.info
sec-flare.com
verifyurl.me
c.betly.me
betly.me
web.whatssapp.co
whatspp.wa-info.com
notifications.wa-info.com
t-bit.me
# PEACHPIT and BADBOX, extended infrastructure (expansion by @craiu), see - https://www.humansecurity.com/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pdf
adbsc.flyermobi.com
adbsc.ikmytech.com
adbsdk.flyermobi.com
admin.dofunapps.com
ads.dofunapps.com
ads.flyermobi.com
apkcar.com
ats.flyermobi.com
ats.ikmytech.com
cbphe.com
cbpheback.com
dcylog.com
flyermobi.com
n1.flyermobi.com
sdk.dofunapps.com