Malware analysis xupertv-para-celular.apk Malicious activity

Add for printing

File name:	xupertv-para-celular.apk
Full analysis:	https://app.any.run/tasks/821a2e80-6b0e-4305-b1a7-4b6e3e5a2ea3
Verdict:	Malicious activity
Analysis date:	April 30, 2026, 14:09:42
OS:	Android 14
Tags:	auto generic
Indicators:
MIME:	application/vnd.android.package-archive
File info:	Android package (APK), with gradle app-metadata.properties
MD5:	882F3E70652FC6D91AF60F79A1C7549E
SHA1:	B9B253C431E5A804900C7B6B9EEAEEA4F651B967
SHA256:	4F902D5960B26E5875C9C554052F834F3755A52D585E1B941B2907D63B2CB3B9
SSDEEP:	196608:75rfhBrV5W/uLrDAlv9wsQCaTldnFye8Pz66IQlRplKftP1zkf:ZjrjDDAlXQxfn026IQbpaTzkf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

android (14)
android.cuttlefish.overlay (14)
android.cuttlefish.phone.overlay (14)
android.ext.services (2019-09)
android.ext.shared (1)
com.android.adservices.api (14)
com.android.apps.tag (1.1)
com.android.backupconfirm (14)
com.android.bips (14)
com.android.bluetoothmidiservice (14)
com.android.bookmarkprovider (14)
com.android.calendar (14)
com.android.calllogbackup (14)
com.android.camera2 (2.0.002)
com.android.cameraextensions (14)
com.android.captiveportallogin (14)
com.android.carrierconfig (1.0.0)
com.android.carrierdefaultapp (14)
com.android.cellbroadcastreceiver (R-initial)
com.android.cellbroadcastreceiver.module (R-initial)
com.android.cellbroadcastservice (R-initial)
com.android.certinstaller (14)
com.android.companiondevicemanager (14)
com.android.compos.payload (14)
com.android.connectivity.resources (S-initial)
com.android.connectivity.resources.cuttlefish.overlay (14)
com.android.contacts (1.7.34)
com.android.credentialmanager (14)
com.android.cts.ctsshim (14-10093150)
com.android.cts.priv.ctsshim (14-10093150)
com.android.deskclock (14)
com.android.devicelockcontroller (14)
com.android.dialer (23.0)
com.android.documentsui (14)
com.android.dreams.basic (14)
com.android.dreams.phototable (14)
com.android.dynsystem (14)
com.android.egg (1.0)
com.android.emergency (14)
com.android.ext.adservices.api (14)
com.android.externalstorage (14)
com.android.federatedcompute.services (T-initial)
com.android.gallery3d (1.1.40030)
com.android.google.gce.gceservice (14)
com.android.health.connect.backuprestore (14)
com.android.healthconnect.controller (14)
com.android.hotspot2.osulogin (14)
com.android.htmlviewer (14)
com.android.imsserviceentitlement (14)
com.android.inputdevices (14)
com.android.inputmethod.latin (14)
com.android.intentresolver (2021-11)
com.android.internal.display.cutout.emulation.corner (1.0)
com.android.internal.display.cutout.emulation.double (1.0)
com.android.internal.display.cutout.emulation.hole (1.0)
com.android.internal.display.cutout.emulation.tall (1.0)
com.android.internal.display.cutout.emulation.waterfall (1.0)
com.android.internal.systemui.navbar.gestural (1.0)
com.android.internal.systemui.navbar.gestural_extra_wide_back (1.0)
com.android.internal.systemui.navbar.gestural_narrow_back (1.0)
com.android.internal.systemui.navbar.gestural_wide_back (1.0)
com.android.internal.systemui.navbar.threebutton (1.0)
com.android.internal.systemui.navbar.transparent (1.0)
com.android.keychain (14)
com.android.launcher3 (14)
com.android.localtransport (14)
com.android.location.fused (14)
com.android.managedprovisioning (14)
com.android.messaging (1.0.001)
com.android.microdroid.empty_payload (14)
com.android.mms.service (14)
com.android.modulemetadata (14)
com.android.mtp (14)
com.android.music (14)
com.android.musicfx (1.4)
com.android.nearby.halfsheet (14)
com.android.networkstack (14)
com.android.networkstack.tethering (14)
com.android.networkstack.tethering.cuttlefishoverlay (1.0)
com.android.nfc (14)
com.android.ondevicepersonalization.services (T-initial)
com.android.ons (14)
com.android.packageinstaller (14)
com.android.pacprocessor (14)
com.android.permissioncontroller (33 system image)
com.android.phone (14)
com.android.printservice.recommendation (1.3.0)
com.android.printspooler (14)
com.android.providers.blockednumber (14)
com.android.providers.calendar (14)
com.android.providers.contacts (14)
com.android.providers.downloads (14)
com.android.providers.downloads.ui (14)
com.android.providers.media (14)
com.android.providers.media.module (14)
com.android.providers.partnerbookmarks (14)
com.android.providers.settings (14)
com.android.providers.settings.cuttlefish.overlay (14)
com.android.providers.telephony (14)
com.android.providers.userdictionary (14)
com.android.provision (14)
com.android.proxyhandler (14)
com.android.quicksearchbox (14)
com.android.rkpdapp (14)
com.android.role.notes.enabled (1.0)
com.android.safetycenter.resources (33 system image)
com.android.sdksandbox (T-initial)
com.android.se (14)
com.android.server.telecom (14)
com.android.settings (14)
com.android.settings.intelligence (14)
com.android.sharedstoragebackup (14)
com.android.shell (14)
com.android.simappdialog (14)
com.android.soundpicker (14)
com.android.statementservice (1.0)
com.android.stk (14)
com.android.storagemanager (14)
com.android.systemui (14)
com.android.systemui.accessibility.accessibilitymenu (14)
com.android.telephony.qns (14)
com.android.theme.font.notoserifsource (1.0)
com.android.traceur (1.0)
com.android.uwb.resources (T-initial)
com.android.virtualmachine.res (14)
com.android.vpndialogs (14)
com.android.wallpaper.livepicker (14)
com.android.wallpaperbackup (14)
com.android.wallpapercropper (14)
com.android.wallpaperpicker (1.0)
com.android.webview (137.0.7122.0)
com.android.wifi.dialog (14)
com.android.wifi.resources (R-initial)
com.android.wifi.resources.cf (1.0)
com.google.android.telephony.satellite (14)
org.chromium.chrome (137.0.7122.0)

Add for printing

MALICIOUS
- Executes system commands or scripts
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
SUSPICIOUS
- Uses encryption API functions
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Reads device MAC address fingerprint
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Establishing a connection
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Accesses system-level resources
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Retrieves Android OS build information
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Launches a new activity
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Accesses memory information
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Accesses external device storage files
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Updates data in the storage of application settings (SharedPreferences)
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
INFO
- Returns elapsed time since boot
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Stores data using SQLite database
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Detects if debugger is connected
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Listens for connection changes
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Dynamically registers broadcast event listeners
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Loads a native library into the application
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Gets the display metrics associated with the device's screen
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Retrieves data from storage of application settings (SharedPreferences)
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Verifies whether the device is connected to the internet
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Creates and writes local files
  - app_process64 (PID: 4035)
- Gets file name without full path
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)
- Normally terminates current Java virtual machine
  - app_process64 (PID: 4035)
  - app_process64 (PID: 4360)
- Handles throwable exceptions in the app
  - app_process64 (PID: 4360)
  - app_process64 (PID: 4602)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.apk	\|	Android Package (73.9)
.jar	\|	Java Archive (20.4)
.zip	\|	ZIP compressed archive (5.6)

EXIF

ZIP

ZipRequiredVersion:	-
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	1981:01:01 01:01:02
ZipCRC:	0x254e4b1a
ZipCompressedSize:	52
ZipUncompressedSize:	56
ZipFileName:	META-INF/com/android/build/gradle/app-metadata.properties

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

179

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
4035	com.android.mgstv	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4105	cat /proc/version	/system/bin/toybox	—	app_process64
User: u0_a108 Integrity Level: UNKNOWN Exit code: 256
4107	com.android.mgstv	/system/bin/app_process64	—	app_process64
User: u0_a108 Integrity Level: UNKNOWN Exit code: 65280
4187	cat proc/cpuinfo	/system/bin/toybox	—	app_process64
User: u0_a108 Integrity Level: UNKNOWN Exit code: 0
4198	cat /sys/class/sunxi_info/sys_info	/system/bin/toybox	—	app_process64
User: u0_a108 Integrity Level: UNKNOWN Exit code: 256
4208	cat /proc/cpu_chipid	/system/bin/toybox	—	app_process64
User: u0_a108 Integrity Level: UNKNOWN Exit code: 256
4230	getprop debug.dns.filter	/system/bin/toolbox	—	app_process64
User: u0_a108 Integrity Level: UNKNOWN Exit code: 0
4260	cat /sys/block/mmcblk0/device/type	/system/bin/toybox	—	app_process64
User: u0_a108 Integrity Level: UNKNOWN Exit code: 256
4261	cat /sys/block/mmcblk0/device/name	/system/bin/toybox	—	app_process64
User: u0_a108 Integrity Level: UNKNOWN Exit code: 256
4262	cat /sys/block/mmcblk0/device/cid	/system/bin/toybox	—	app_process64
User: u0_a108 Integrity Level: UNKNOWN Exit code: 256

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

286

Dropped files

PID	Process	Filename		Type
4035	app_process64	/data/data/com.android.mgstv/shared_prefs/umeng_common_config.xml		binary
		MD5:—	SHA256:—
4035	app_process64	/data/data/com.android.mgstv/databases/ua.db		binary
		MD5:—	SHA256:—
4035	app_process64	/data/data/com.android.mgstv/shared_prefs/umeng_general_config.xml		binary
		MD5:—	SHA256:—
4105	toybox	/data/data/com.android.mgstv/app_luna/block_cache/test.txt		binary
		MD5:—	SHA256:—
4105	toybox	/data/data/com.android.mgstv/shared_prefs/umeng_general_config.xml		xml
		MD5:—	SHA256:—
4105	toybox	/data/data/com.android.mgstv/shared_prefs/log.xml		binary
		MD5:—	SHA256:—
4035	app_process64	/data/data/com.android.mgstv/shared_prefs/log.xml		binary
		MD5:—	SHA256:—
4035	app_process64	/data/data/com.android.mgstv/shared_prefs/bbconfig.xml		binary
		MD5:—	SHA256:—
4107	app_process64	/data/data/com.android.mgstv/app_luna/block_cache/test.txt		binary
		MD5:—	SHA256:—
4107	app_process64	/data/data/com.android.mgstv/shared_prefs/umeng_general_config.xml		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1921	app_process64	GET	204	142.251.151.119:443	https://www.google.com/generate_204	US	—	—	whitelisted
1921	app_process64	GET	204	192.178.183.94:80	http://connectivitycheck.gstatic.com/generate_204	US	—	—	whitelisted
4035	app_process64	GET	200	192.178.183.94:443	https://firebase-settings.crashlytics.com/spi/v2/platforms/android/gmp/1:648568768538:android:102c69c1f8d590a1f729a3/settings?instance=8d9ebe26c141b47f2a3201bb9b77a2b6f7f1d6d8&build_version=43403&display_version=4.34.3&source=1	US	binary	743 b	unknown
4035	app_process64	POST	200	142.251.14.95:443	https://firebaseinstallations.googleapis.com/v1/projects/mgs-free-e6046/installations	US	binary	628 b	whitelisted
2931	app_process64	POST	200	74.125.71.81:443	https://staging-remoteprovisioning.sandbox.googleapis.com/v1:signCertificates?challenge=AAABnd65oDsBILStY94q-DbH9VKYzqLjja6rYEQ=&request_id=f0eaba92-e843-4356-ba1c-4e94897c6133	US	binary	11.8 Kb	whitelisted
4035	app_process64	POST	200	188.114.97.3:443	https://fuxok.nguvmqhpk.com/v1/googleadmob/log%3Fs=	US	binary	1.32 Kb	unknown
4035	app_process64	POST	200	172.67.215.237:443	https://eajmnp.hcgv1dt8.com/api/portalCore/v3/snToken	US	binary	228 b	unknown
4035	app_process64	POST	200	172.67.215.237:443	https://eajmnp.hcgv1dt8.com/api/portalCore/v8/active	US	binary	89 b	unknown
4035	app_process64	GET	200	172.67.129.39:80	http://vgwbm.uwfyobivh.com/epg/v2/live/app/utc0/26?md5=966c1ba6e09b4d96-8617e8c0a0a21587	US	binary	11.4 Mb	unknown
4035	app_process64	GET	—	104.21.29.101:80	http://zxiws.tcgwhnvym.com/notice/api/get_notice?pkg=com.android.mgstv&v=43403&sn=b0771bebc68ae1377292a9338d0e944f&userId=&language=en	US	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
452	mdnsd	224.0.0.251:5353	—	—	—	whitelisted
—	—	142.251.157.119:80	www.google.com	GOOGLE	US	whitelisted
—	—	142.251.157.119:443	www.google.com	GOOGLE	US	whitelisted
—	—	142.250.154.94:80	—	GOOGLE	US	whitelisted
4035	app_process64	239.255.255.250:1900	—	—	—	whitelisted
4035	app_process64	8.8.8.8:53	—	GOOGLE	US	whitelisted
4035	app_process64	20.101.57.9:123	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4035	app_process64	162.159.200.1:123	—	CLOUDFLARENET	US	whitelisted
4035	app_process64	216.239.35.8:123	time.android.com	GOOGLE	US	whitelisted
4035	app_process64	8.8.8.8:443	—	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.251.110.138 142.251.110.100 142.251.110.102 142.251.110.139 142.251.110.113 142.251.110.101	whitelisted
firebase-settings.crashlytics.com	192.178.183.94	whitelisted
www.google.com	142.251.154.119 142.251.156.119 142.251.150.119 142.251.151.119 142.251.152.119 142.251.153.119 142.251.157.119 142.251.155.119	whitelisted
connectivitycheck.gstatic.com	192.178.183.94	whitelisted
firebaseinstallations.googleapis.com	142.251.14.95 142.251.13.95 142.251.127.95 142.250.154.95 192.178.183.95 142.251.110.95 142.251.20.95	whitelisted
time.android.com	216.239.35.12 216.239.35.0 216.239.35.4 216.239.35.8	whitelisted
staging-remoteprovisioning.sandbox.googleapis.com	74.125.71.81	whitelisted
fuxok.nguvmqhpk.com	188.114.97.3 188.114.96.3	unknown
cnlogs.umeng.com	127.0.0.1	unknown
resolve.umeng.com	223.109.148.177	unknown

Threats

PID	Process	Class	Message
4035	app_process64	Misc activity	ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
4035	app_process64	Misc activity	ET INFO Google DNS Over HTTPS Certificate Inbound
1921	app_process64	Misc activity	ET INFO Android Device Connectivity Check
1921	app_process64	Misc activity	ET INFO Android Device Connectivity Check
1921	app_process64	Misc activity	ET INFO Android Device Connectivity Check
1921	app_process64	Misc activity	ET INFO Android Device Connectivity Check

Add for printing

No debug info

General Info

xupertv-para-celular.apk

882F3E70652FC6D91AF60F79A1C7549E

B9B253C431E5A804900C7B6B9EEAEEA4F651B967

4F902D5960B26E5875C9C554052F834F3755A52D585E1B941B2907D63B2CB3B9

196608:75rfhBrV5W/uLrDAlv9wsQCaTldnFye8Pz66IQlRplKftP1zkf:ZjrjDDAlXQxfn026IQbpaTzkf

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Executes system commands or scripts

SUSPICIOUS

Uses encryption API functions

Reads device MAC address fingerprint

Establishing a connection

Accesses system-level resources

Retrieves Android OS build information

Launches a new activity

Accesses memory information

Accesses external device storage files

Updates data in the storage of application settings (SharedPreferences)

Collects data about the device's environment (JVM version)

INFO

Returns elapsed time since boot

Stores data using SQLite database

Detects if debugger is connected

Listens for connection changes

Dynamically registers broadcast event listeners

Loads a native library into the application

Dynamically inspects or modifies classes, methods, and fields at runtime

Gets the display metrics associated with the device's screen

Retrieves data from storage of application settings (SharedPreferences)

Verifies whether the device is connected to the internet

Creates and writes local files

Gets file name without full path

Normally terminates current Java virtual machine

Handles throwable exceptions in the app

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings