Malware analysis https://www.lvcha.org/download/lvcha_101001.apk Malicious activity

Add for printing

URL:	https://www.lvcha.org/download/lvcha_101001.apk
Full analysis:	https://app.any.run/tasks/3df3bbcb-4140-4b01-8e13-91173456863f
Verdict:	Malicious activity
Analysis date:	February 13, 2026, 07:18:32
OS:	Android 14
Tags:	evasion obfuscated-js
Indicators:
MD5:	B856B32AC16D7675C5826CF687510B3F
SHA1:	43E27E032F3555C288B8198C76A6B003392439D7
SHA256:	2184C3BA05EFD3FACD6EC99F0B871E849041407D1C660126E9B17432A2A17A0C
SSDEEP:	3:N8DSLkiKAN/uU:2OL0BU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

android (14)
android.cuttlefish.overlay (14)
android.cuttlefish.phone.overlay (14)
android.ext.services (2019-09)
android.ext.shared (1)
com.android.adservices.api (14)
com.android.apps.tag (1.1)
com.android.backupconfirm (14)
com.android.bips (14)
com.android.bluetoothmidiservice (14)
com.android.bookmarkprovider (14)
com.android.calendar (14)
com.android.calllogbackup (14)
com.android.camera2 (2.0.002)
com.android.cameraextensions (14)
com.android.captiveportallogin (14)
com.android.carrierconfig (1.0.0)
com.android.carrierdefaultapp (14)
com.android.cellbroadcastreceiver (R-initial)
com.android.cellbroadcastreceiver.module (R-initial)
com.android.cellbroadcastservice (R-initial)
com.android.certinstaller (14)
com.android.companiondevicemanager (14)
com.android.compos.payload (14)
com.android.connectivity.resources (S-initial)
com.android.connectivity.resources.cuttlefish.overlay (14)
com.android.contacts (1.7.34)
com.android.credentialmanager (14)
com.android.cts.ctsshim (14-10093150)
com.android.cts.priv.ctsshim (14-10093150)
com.android.deskclock (14)
com.android.devicelockcontroller (14)
com.android.dialer (23.0)
com.android.documentsui (14)
com.android.dreams.basic (14)
com.android.dreams.phototable (14)
com.android.dynsystem (14)
com.android.egg (1.0)
com.android.emergency (14)
com.android.ext.adservices.api (14)
com.android.externalstorage (14)
com.android.federatedcompute.services (T-initial)
com.android.gallery3d (1.1.40030)
com.android.google.gce.gceservice (14)
com.android.health.connect.backuprestore (14)
com.android.healthconnect.controller (14)
com.android.hotspot2.osulogin (14)
com.android.htmlviewer (14)
com.android.imsserviceentitlement (14)
com.android.inputdevices (14)
com.android.inputmethod.latin (14)
com.android.intentresolver (2021-11)
com.android.internal.display.cutout.emulation.corner (1.0)
com.android.internal.display.cutout.emulation.double (1.0)
com.android.internal.display.cutout.emulation.hole (1.0)
com.android.internal.display.cutout.emulation.tall (1.0)
com.android.internal.display.cutout.emulation.waterfall (1.0)
com.android.internal.systemui.navbar.gestural (1.0)
com.android.internal.systemui.navbar.gestural_extra_wide_back (1.0)
com.android.internal.systemui.navbar.gestural_narrow_back (1.0)
com.android.internal.systemui.navbar.gestural_wide_back (1.0)
com.android.internal.systemui.navbar.threebutton (1.0)
com.android.internal.systemui.navbar.transparent (1.0)
com.android.keychain (14)
com.android.launcher3 (14)
com.android.localtransport (14)
com.android.location.fused (14)
com.android.managedprovisioning (14)
com.android.messaging (1.0.001)
com.android.microdroid.empty_payload (14)
com.android.mms.service (14)
com.android.modulemetadata (14)
com.android.mtp (14)
com.android.music (14)
com.android.musicfx (1.4)
com.android.nearby.halfsheet (14)
com.android.networkstack (14)
com.android.networkstack.tethering (14)
com.android.networkstack.tethering.cuttlefishoverlay (1.0)
com.android.nfc (14)
com.android.ondevicepersonalization.services (T-initial)
com.android.ons (14)
com.android.packageinstaller (14)
com.android.pacprocessor (14)
com.android.permissioncontroller (33 system image)
com.android.phone (14)
com.android.printservice.recommendation (1.3.0)
com.android.printspooler (14)
com.android.providers.blockednumber (14)
com.android.providers.calendar (14)
com.android.providers.contacts (14)
com.android.providers.downloads (14)
com.android.providers.downloads.ui (14)
com.android.providers.media (14)
com.android.providers.media.module (14)
com.android.providers.partnerbookmarks (14)
com.android.providers.settings (14)
com.android.providers.settings.cuttlefish.overlay (14)
com.android.providers.telephony (14)
com.android.providers.userdictionary (14)
com.android.provision (14)
com.android.proxyhandler (14)
com.android.quicksearchbox (14)
com.android.rkpdapp (14)
com.android.role.notes.enabled (1.0)
com.android.safetycenter.resources (33 system image)
com.android.sdksandbox (T-initial)
com.android.se (14)
com.android.server.telecom (14)
com.android.settings (14)
com.android.settings.intelligence (14)
com.android.sharedstoragebackup (14)
com.android.shell (14)
com.android.simappdialog (14)
com.android.soundpicker (14)
com.android.statementservice (1.0)
com.android.stk (14)
com.android.storagemanager (14)
com.android.systemui (14)
com.android.systemui.accessibility.accessibilitymenu (14)
com.android.telephony.qns (14)
com.android.theme.font.notoserifsource (1.0)
com.android.traceur (1.0)
com.android.uwb.resources (T-initial)
com.android.virtualmachine.res (14)
com.android.vpndialogs (14)
com.android.wallpaper.livepicker (14)
com.android.wallpaperbackup (14)
com.android.wallpapercropper (14)
com.android.wallpaperpicker (1.0)
com.android.webview (137.0.7122.0)
com.android.wifi.dialog (14)
com.android.wifi.resources (R-initial)
com.android.wifi.resources.cf (1.0)
com.google.android.telephony.satellite (14)
org.chromium.chrome (137.0.7122.0)

Add for printing

MALICIOUS
- Detects root access on device
  - app_process64 (PID: 4316)
- Executes system commands or scripts
  - app_process64 (PID: 4316)
SUSPICIOUS
- Accesses system-level resources
  - app_process64 (PID: 4316)
- Retrieves Android OS build information
  - app_process64 (PID: 4316)
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 4316)
- Retrieves a list of running application processes
  - app_process64 (PID: 4316)
- Retrieves the MCC and MNC of the SIM card operator
  - app_process64 (PID: 4316)
- Updates data in the storage of application settings (SharedPreferences)
  - app_process64 (PID: 4316)
- Establishing a connection
  - app_process64 (PID: 4316)
- Detects Xposed framework for modifications
  - app_process64 (PID: 4316)
- Uses encryption API functions
  - app_process64 (PID: 4316)
- Launches a new activity
  - app_process64 (PID: 4316)
- Abuses foreground service for persistence
  - app_process64 (PID: 4316)
- Checks for external IP
  - app_process64 (PID: 4316)
  - app_process64 (PID: 3957)
- Starts a service
  - app_process64 (PID: 4316)
- Retrieves the file path to the APK
  - app_process64 (PID: 4316)
- Scans for popular installed apps
  - app_process64 (PID: 4316)
INFO
- Detects if debugger is connected
  - app_process64 (PID: 4316)
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 4316)
- Returns elapsed time since boot
  - app_process64 (PID: 4316)
- Retrieves data from storage of application settings (SharedPreferences)
  - app_process64 (PID: 4316)
- Creates and writes local files
  - app_process64 (PID: 4316)
- Gets file name without full path
  - app_process64 (PID: 4316)
- Stores data using SQLite database
  - app_process64 (PID: 4316)
- Loads a native library into the application
  - app_process64 (PID: 4316)
- Gets the display metrics associated with the device's screen
  - app_process64 (PID: 4316)
- Retrieves the value of a secure system setting
  - app_process64 (PID: 4316)
- Verifies presence of SIM card
  - app_process64 (PID: 4316)
- Dynamically loads a class in Java
  - app_process64 (PID: 4316)
- Dynamically registers broadcast event listeners
  - app_process64 (PID: 4316)
- Verifies whether the device is connected to the internet
  - app_process64 (PID: 4316)
- Handles throwable exceptions in the app
  - app_process64 (PID: 4316)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

187

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3957	org.chromium.chrome	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4008	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4019	com.android.traceur	/system/bin/app_process64	—	app_process64
User: u0_a54 Integrity Level: UNKNOWN Exit code: 512
4026	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
4060	<pre-initialized>	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4090	<pre-initialized>	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4131	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 9
4153	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
4303	/apex/com.android.art/bin/dex2oat32 --zip-fd=6 --zip-location=/data/app/~~shQyWFkab-NOfyv_WDy71g==/com.abjlvcha.main-hGVRi1wDiwgF7KZlqUzqTg==/base.apk --oat-fd=7 --oat-location=/data/app/~~shQyWFkab-NOfyv_WDy71g==/com.abjlvcha.main-hGVRi1wDiwgF7KZlqUzqTg==/oat/arm64/base.odex --output-vdex-fd=8 --swap-fd=9 --class-loader-context=PCL[] --classpath-dir=/data/app/~~shQyWFkab-NOfyv_WDy71g==/com.abjlvcha.main-hGVRi1wDiwgF7KZlqUzqTg== --instruction-set=arm64 --instruction-set-features=default --instruction-set-variant=cortex-a53 --compiler-filter=verify --compilation-reason=install --compact-dex-level=none --max-image-block-size=524288 --resolve-startup-const-strings=true --generate-mini-debug-info --runtime-arg -Xtarget-sdk-version:35 --runtime-arg -Xhidden-api-policy:enabled --runtime-arg -Xms64m --runtime-arg -Xmx512m --comments=app-version-name:2.6.7,app-version-code:47,art-version:340090000	/apex/com.android.art/bin/dex2oat32	—	artd
User: artd Integrity Level: UNKNOWN Exit code: 0
4316	<pre-initialized>	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

195

Text files

289

Unknown types

Dropped files

PID	Process	Filename		Type
4316	app_process64	/data/data/com.abjlvcha.main/files/PersistedInstallation4999371002618853589tmp		text
		MD5:—	SHA256:—
4316	app_process64	/data/data/com.abjlvcha.main/files/PersistedInstallation.W0RFRkFVTFRd+MTo5MDczOTE1Nzg1NDQ6YW5kcm9pZDphZGM0ODc0NjdkMDM1NDk0OWZlNjc1.json		text
		MD5:—	SHA256:—
4316	app_process64	/data/data/com.abjlvcha.main/shared_prefs/com.google.firebase.crashlytics.xml		xml
		MD5:—	SHA256:—
4316	app_process64	/data/data/com.abjlvcha.main/shared_prefs/com.google.android.gms.measurement.prefs.xml		xml
		MD5:—	SHA256:—
4316	app_process64	/data/data/com.abjlvcha.main/shared_prefs/FirebaseHeartBeatW0RFRkFVTFRd+MTo5MDczOTE1Nzg1NDQ6YW5kcm9pZDphZGM0ODc0NjdkMDM1NDk0OWZlNjc1.xml		xml
		MD5:—	SHA256:—
4316	app_process64	/data/data/com.abjlvcha.main/files/.com.google.firebase.crashlytics.files.v2:com.abjlvcha.main/com.crashlytics.settings.json		text
		MD5:—	SHA256:—
4316	app_process64	/data/data/com.abjlvcha.main/files/.com.google.firebase.crashlytics.files.v2:com.abjlvcha.main/open-sessions/698ED0660065000110DCBDB94B4976C4/report		text
		MD5:—	SHA256:—
4316	app_process64	/data/data/com.abjlvcha.main/files/.com.google.firebase.crashlytics.files.v2:com.abjlvcha.main/open-sessions/698ED0660065000110DCBDB94B4976C4/internal-keys		text
		MD5:—	SHA256:—
4316	app_process64	/data/data/com.abjlvcha.main/shared_prefs/com.lvcha.main.SharedPreferences.xml		xml
		MD5:—	SHA256:—
4368	app_process64	/data/data/com.abjlvcha.main/databases/com.google.android.datatransport.events		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

289

TCP/UDP connections

825

DNS requests

649

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3957	app_process64	GET	—	194.147.100.243:443	https://www.lvcha.org/download/lvcha_101001.apk	GB	—	—	unknown
3957	app_process64	GET	—	194.147.100.243:443	https://www.lvcha.org/download/lvcha_101001.apk	GB	—	—	unknown
1921	app_process64	GET	204	142.250.187.196:443	https://www.google.com/generate_204	US	—	—	whitelisted
3957	app_process64	GET	200	142.251.141.78:80	http://clients2.google.com/time/1/current?cup2key=9:wk7QyuheiCXAQhhhuXsSbt0_9BvXDA_ZodgU8TuvsGI&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	US	text	107 b	whitelisted
3957	app_process64	POST	200	142.251.127.84:443	https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&laf=b64bin&json=standard	US	—	—	whitelisted
—	—	GET	204	142.250.187.196:80	http://www.google.com/gen_204	US	—	—	whitelisted
1921	app_process64	GET	204	142.251.141.99:80	http://connectivitycheck.gstatic.com/generate_204	US	—	—	whitelisted
3957	app_process64	GET	206	194.147.100.243:443	https://www.lvcha.org/download/lvcha_101001.apk	GB	compressed	1.85 Mb	unknown
2931	app_process64	POST	200	64.233.166.81:443	https://staging-remoteprovisioning.sandbox.googleapis.com/v1:fetchEekChain	US	—	778 b	whitelisted
2931	app_process64	POST	200	64.233.166.81:443	https://staging-remoteprovisioning.sandbox.googleapis.com/v1:signCertificates?challenge=AAABnFXd4WQBILStY-DidJKjBdJ8Z-7wl5mGG7k=&request_id=67806582-81b6-4bda-b296-15b25f07c3e8	US	—	11.8 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
452	mdnsd	224.0.0.251:5353	—	—	—	whitelisted
—	—	142.250.187.196:80	www.google.com	GOOGLE	US	whitelisted
—	—	142.251.141.99:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
—	—	142.250.187.196:443	www.google.com	GOOGLE	US	whitelisted
3957	app_process64	142.251.141.78:80	clients2.google.com	GOOGLE	US	whitelisted
3957	app_process64	142.251.127.84:443	accounts.google.com	GOOGLE	US	whitelisted
3957	app_process64	194.147.100.243:443	www.lvcha.org	SPARTANHOST	GB	unknown
3957	app_process64	142.250.187.196:443	www.google.com	GOOGLE	US	whitelisted
580	app_process64	216.239.35.0:123	time.android.com	GOOGLE	US	whitelisted
1921	app_process64	142.251.141.99:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	172.217.16.174	whitelisted
www.google.com	142.250.187.196 142.251.155.119 142.251.153.119 142.251.152.119 142.251.150.119 142.251.157.119 142.251.156.119 142.251.151.119 142.251.154.119 142.251.143.100	whitelisted
clients2.google.com	142.251.141.78	whitelisted
www.lvcha.org	194.147.100.243 194.147.100.241 194.147.100.240 194.147.100.239 194.147.100.237 194.147.100.248 194.147.100.246 194.147.100.244	unknown
accounts.google.com	142.251.127.84	whitelisted
connectivitycheck.gstatic.com	142.251.141.99	whitelisted
time.android.com	216.239.35.0 216.239.35.4 216.239.35.8 216.239.35.12	whitelisted
staging-remoteprovisioning.sandbox.googleapis.com	64.233.166.81	whitelisted
androidchromeprotect.pa.googleapis.com	142.251.143.106	whitelisted
firebase-settings.crashlytics.com	216.58.206.35	whitelisted

Threats

PID	Process	Class	Message
3957	app_process64	Misc activity	ET INFO LVCHA VPN Domain (lvcha .org) in DNS Lookup
3957	app_process64	Misc activity	ET INFO LVCHA VPN Domain (lvcha .org) in DNS Lookup
1921	app_process64	Misc activity	ET INFO Android Device Connectivity Check
347	netd	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)
4316	app_process64	Device Retrieving External IP Address Detected	ET INFO External IP Check (checkip .amazonaws .com)
4316	app_process64	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
4316	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
4316	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
4316	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
4316	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)

Add for printing

No debug info

General Info

https://www.lvcha.org/download/lvcha_101001.apk

B856B32AC16D7675C5826CF687510B3F

43E27E032F3555C288B8198C76A6B003392439D7

2184C3BA05EFD3FACD6EC99F0B871E849041407D1C660126E9B17432A2A17A0C

3:N8DSLkiKAN/uU:2OL0BU

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Detects root access on device

Executes system commands or scripts

SUSPICIOUS

Accesses system-level resources

Retrieves Android OS build information

Collects data about the device's environment (JVM version)

Retrieves a list of running application processes

Retrieves the MCC and MNC of the SIM card operator

Updates data in the storage of application settings (SharedPreferences)

Establishing a connection

Detects Xposed framework for modifications

Uses encryption API functions

Launches a new activity

Abuses foreground service for persistence

Checks for external IP

Starts a service

Retrieves the file path to the APK

Scans for popular installed apps

INFO

Detects if debugger is connected

Dynamically inspects or modifies classes, methods, and fields at runtime

Returns elapsed time since boot

Retrieves data from storage of application settings (SharedPreferences)

Creates and writes local files

Gets file name without full path

Stores data using SQLite database

Loads a native library into the application

Gets the display metrics associated with the device's screen

Retrieves the value of a secure system setting

Verifies presence of SIM card

Dynamically loads a class in Java

Dynamically registers broadcast event listeners

Verifies whether the device is connected to the internet

Handles throwable exceptions in the app

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings