Malware analysis https://www.xuper-tv.com/app/XPR_official.apk Malicious activity

Add for printing

URL:	https://www.xuper-tv.com/app/XPR_official.apk
Full analysis:	https://app.any.run/tasks/5ff07361-9048-4096-8874-b9729d6dae4d
Verdict:	Malicious activity
Analysis date:	December 25, 2025, 01:18:59
OS:	Android 14
Tags:	websocket
Indicators:
MD5:	E79D0932A1CE3CA5F9ED7545E0B1B12E
SHA1:	46374027FB5637B21E1066085B0E8DA4E5B57EC4
SHA256:	5B354E0BC4D550EDA1EC7F3909B7FF8816B2BDF9301E4CDB6D2B63311847D736
SSDEEP:	3:N8DSLmbwiYKkb4:2OLIwPK04

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

android (14)
android.cuttlefish.overlay (14)
android.cuttlefish.phone.overlay (14)
android.ext.services (2019-09)
android.ext.shared (1)
com.android.adservices.api (14)
com.android.apps.tag (1.1)
com.android.backupconfirm (14)
com.android.bips (14)
com.android.bluetoothmidiservice (14)
com.android.bookmarkprovider (14)
com.android.calendar (14)
com.android.calllogbackup (14)
com.android.camera2 (2.0.002)
com.android.cameraextensions (14)
com.android.captiveportallogin (14)
com.android.carrierconfig (1.0.0)
com.android.carrierdefaultapp (14)
com.android.cellbroadcastreceiver (R-initial)
com.android.cellbroadcastreceiver.module (R-initial)
com.android.cellbroadcastservice (R-initial)
com.android.certinstaller (14)
com.android.companiondevicemanager (14)
com.android.compos.payload (14)
com.android.connectivity.resources (S-initial)
com.android.connectivity.resources.cuttlefish.overlay (14)
com.android.contacts (1.7.34)
com.android.credentialmanager (14)
com.android.cts.ctsshim (14-10093150)
com.android.cts.priv.ctsshim (14-10093150)
com.android.deskclock (14)
com.android.devicelockcontroller (14)
com.android.dialer (23.0)
com.android.documentsui (14)
com.android.dreams.basic (14)
com.android.dreams.phototable (14)
com.android.dynsystem (14)
com.android.egg (1.0)
com.android.emergency (14)
com.android.ext.adservices.api (14)
com.android.externalstorage (14)
com.android.federatedcompute.services (T-initial)
com.android.gallery3d (1.1.40030)
com.android.google.gce.gceservice (14)
com.android.health.connect.backuprestore (14)
com.android.healthconnect.controller (14)
com.android.hotspot2.osulogin (14)
com.android.htmlviewer (14)
com.android.imsserviceentitlement (14)
com.android.inputdevices (14)
com.android.inputmethod.latin (14)
com.android.intentresolver (2021-11)
com.android.internal.display.cutout.emulation.corner (1.0)
com.android.internal.display.cutout.emulation.double (1.0)
com.android.internal.display.cutout.emulation.hole (1.0)
com.android.internal.display.cutout.emulation.tall (1.0)
com.android.internal.display.cutout.emulation.waterfall (1.0)
com.android.internal.systemui.navbar.gestural (1.0)
com.android.internal.systemui.navbar.gestural_extra_wide_back (1.0)
com.android.internal.systemui.navbar.gestural_narrow_back (1.0)
com.android.internal.systemui.navbar.gestural_wide_back (1.0)
com.android.internal.systemui.navbar.threebutton (1.0)
com.android.internal.systemui.navbar.transparent (1.0)
com.android.keychain (14)
com.android.launcher3 (14)
com.android.localtransport (14)
com.android.location.fused (14)
com.android.managedprovisioning (14)
com.android.messaging (1.0.001)
com.android.microdroid.empty_payload (14)
com.android.mms.service (14)
com.android.modulemetadata (14)
com.android.mtp (14)
com.android.music (14)
com.android.musicfx (1.4)
com.android.nearby.halfsheet (14)
com.android.networkstack (14)
com.android.networkstack.tethering (14)
com.android.networkstack.tethering.cuttlefishoverlay (1.0)
com.android.nfc (14)
com.android.ondevicepersonalization.services (T-initial)
com.android.ons (14)
com.android.packageinstaller (14)
com.android.pacprocessor (14)
com.android.permissioncontroller (33 system image)
com.android.phone (14)
com.android.printservice.recommendation (1.3.0)
com.android.printspooler (14)
com.android.providers.blockednumber (14)
com.android.providers.calendar (14)
com.android.providers.contacts (14)
com.android.providers.downloads (14)
com.android.providers.downloads.ui (14)
com.android.providers.media (14)
com.android.providers.media.module (14)
com.android.providers.partnerbookmarks (14)
com.android.providers.settings (14)
com.android.providers.settings.cuttlefish.overlay (14)
com.android.providers.telephony (14)
com.android.providers.userdictionary (14)
com.android.provision (14)
com.android.proxyhandler (14)
com.android.quicksearchbox (14)
com.android.rkpdapp (14)
com.android.role.notes.enabled (1.0)
com.android.safetycenter.resources (33 system image)
com.android.sdksandbox (T-initial)
com.android.se (14)
com.android.server.telecom (14)
com.android.settings (14)
com.android.settings.intelligence (14)
com.android.sharedstoragebackup (14)
com.android.shell (14)
com.android.simappdialog (14)
com.android.soundpicker (14)
com.android.statementservice (1.0)
com.android.stk (14)
com.android.storagemanager (14)
com.android.systemui (14)
com.android.systemui.accessibility.accessibilitymenu (14)
com.android.telephony.qns (14)
com.android.theme.font.notoserifsource (1.0)
com.android.traceur (1.0)
com.android.uwb.resources (T-initial)
com.android.virtualmachine.res (14)
com.android.vpndialogs (14)
com.android.wallpaper.livepicker (14)
com.android.wallpaperbackup (14)
com.android.wallpapercropper (14)
com.android.wallpaperpicker (1.0)
com.android.webview (137.0.7122.0)
com.android.wifi.dialog (14)
com.android.wifi.resources (R-initial)
com.android.wifi.resources.cf (1.0)
com.google.android.telephony.satellite (14)
org.chromium.chrome (137.0.7122.0)

Add for printing

MALICIOUS
- Executes system commands or scripts
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Requests APK Installation via system installer
  - app_process64 (PID: 4298)
SUSPICIOUS
- Accesses system-level resources
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Accesses external device storage files
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Updates data in the storage of application settings (SharedPreferences)
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Uses encryption API functions
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Reads device MAC address fingerprint
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Retrieves Android OS build information
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Returns the name of the current network operator
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Launches a new activity
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Establishing a connection
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Accesses memory information
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Detects when screen powers off
  - app_process64 (PID: 4745)
- Connects to unusual port
  - app_process64 (PID: 4745)
INFO
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Loads a native library into the application
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Gets the display metrics associated with the device's screen
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Retrieves data from storage of application settings (SharedPreferences)
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Dynamically registers broadcast event listeners
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Returns elapsed time since boot
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Stores data using SQLite database
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Verifies whether the device is connected to the internet
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Retrieves the value of a secure system setting
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Detects device power status
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Attempting to connect via WebSocket
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Detects if debugger is connected
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Creates and writes local files
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Gets file name without full path
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)
- Listens for connection changes
  - app_process64 (PID: 4298)
  - app_process64 (PID: 4745)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

195

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3955	org.chromium.chrome	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4009	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4028	com.android.traceur	/system/bin/app_process64	—	app_process64
User: u0_a54 Integrity Level: UNKNOWN Exit code: 512
4035	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
4053	<pre-initialized>	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4077	com.android.adservices.api	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
4114	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
4278	/apex/com.android.art/bin/dex2oat32 --zip-fd=6 --zip-location=/data/app/~~zL7fVDxmf2o8cGHQE9MDDQ==/com.android.mgstv-SO_k75rJtOFrKiJsl-EqlQ==/base.apk --oat-fd=7 --oat-location=/data/app/~~zL7fVDxmf2o8cGHQE9MDDQ==/com.android.mgstv-SO_k75rJtOFrKiJsl-EqlQ==/oat/arm64/base.odex --output-vdex-fd=8 --swap-fd=9 --class-loader-context-fds=10 --class-loader-context=PCL[]{PCL[/system/framework/org.apache.http.legacy.jar]} --classpath-dir=/data/app/~~zL7fVDxmf2o8cGHQE9MDDQ==/com.android.mgstv-SO_k75rJtOFrKiJsl-EqlQ== --instruction-set=arm64 --instruction-set-features=default --instruction-set-variant=cortex-a53 --compiler-filter=verify --compilation-reason=install --compact-dex-level=none --max-image-block-size=524288 --resolve-startup-const-strings=true --generate-mini-debug-info --runtime-arg -Xtarget-sdk-version:33 --runtime-arg -Xhidden-api-policy:enabled --runtime-arg -Xms64m --runtime-arg -Xmx512m --comments=app-version-name:4.34.4,app-version-code:43404,art-version:340090000	/apex/com.android.art/bin/dex2oat32	—	artd
User: artd Integrity Level: UNKNOWN Exit code: 0
4298	<pre-initialized>	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 9
4379	cat /proc/version	/system/bin/toybox	—	app_process64
User: u0_a108 Integrity Level: UNKNOWN Exit code: 256

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

271

Text files

429

Unknown types

Dropped files

PID	Process	Filename		Type
4298	app_process64	/data/data/com.android.mgstv/shared_prefs/umeng_common_config.xml		—
		MD5:—	SHA256:—
4298	app_process64	/data/data/com.android.mgstv/databases/ua.db		binary
		MD5:—	SHA256:—
4298	app_process64	/data/data/com.android.mgstv/shared_prefs/umeng_general_config.xml		xml
		MD5:—	SHA256:—
4298	app_process64	/data/data/com.android.mgstv/shared_prefs/log.xml		xml
		MD5:—	SHA256:—
4298	app_process64	/data/data/com.android.mgstv/shared_prefs/com.google.android.gms.measurement.prefs.xml		xml
		MD5:—	SHA256:—
4298	app_process64	/data/data/com.android.mgstv/shared_prefs/bbconfig.xml		xml
		MD5:—	SHA256:—
4298	app_process64	/data/data/com.android.mgstv/shared_prefs/com.google.firebase.messaging.xml		xml
		MD5:—	SHA256:—
4379	toybox	/data/data/com.android.mgstv/app_luna/block_cache/test.txt		binary
		MD5:—	SHA256:—
4388	app_process64	/data/data/com.android.mgstv/app_luna/block_cache/test.txt		binary
		MD5:—	SHA256:—
4388	app_process64	/data/data/com.android.mgstv/databases/com.google.android.datatransport.events		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

162

TCP/UDP connections

135

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3955	app_process64	OPTIONS	200	35.190.80.1:443	https://a.nel.cloudflare.com/report/v4?s=WofEin2Nntv6ZO6m4Wag6fhb%2BKWtO2epIVuCenBpDcUflhZKbLP1slfhCExbSVvfzMrD9bdyxeXzY9r7QxUVYcF0SiTtt%2Bk08ZVh%2Fee%2Fg20%3D	US	—	—	unknown
1921	app_process64	GET	204	142.250.184.228:443	https://www.google.com/generate_204	US	—	—	whitelisted
—	—	GET	204	142.250.184.228:80	http://www.google.com/gen_204	US	—	—	whitelisted
3955	app_process64	GET	200	142.251.208.14:80	http://clients2.google.com/time/1/current?cup2key=9:ugvfbJBxb5JHfzWACH3L9QSzfBR1jG-OrAeCFN96BWU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	US	text	104 b	whitelisted
1921	app_process64	GET	204	142.251.141.67:80	http://connectivitycheck.gstatic.com/generate_204	US	—	—	whitelisted
3955	app_process64	POST	200	74.125.71.84:443	https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&laf=b64bin&json=standard	US	—	—	whitelisted
4298	app_process64	POST	200	188.114.96.3:80	http://yvhcn.hxjebagrv.com/api/adserver/v2/get_content	US	text	374 b	unknown
4298	app_process64	GET	200	188.114.96.3:80	http://miqe.sdxpkgyaq.com/media/adsys/5d41df55-e2d5-41f7-b526-4a022368a362.png	US	image	1.21 Mb	unknown
4298	app_process64	GET	—	172.67.129.39:80	http://vgwbm.uwfyobivh.com/epg/v2/live/app/utc0/26?md5=966c1ba6e09b4d96-8617e8c0a0a21587	US	—	—	unknown
4298	app_process64	GET	101	104.18.53.7:80	http://sgyc.bfj1k2g4v.com:80/v1/stargazer	US	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	142.250.184.228:80	www.google.com	GOOGLE	US	whitelisted
452	mdnsd	224.0.0.251:5353	—	—	—	whitelisted
—	—	142.251.141.67:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
—	—	142.250.184.228:443	www.google.com	GOOGLE	US	whitelisted
3955	app_process64	142.251.208.14:80	clients2.google.com	GOOGLE	US	whitelisted
3955	app_process64	188.114.96.3:443	www.xuper-tv.com	CLOUDFLARENET	US	whitelisted
3955	app_process64	74.125.71.84:443	accounts.google.com	GOOGLE	US	whitelisted
3955	app_process64	142.250.184.228:443	www.google.com	GOOGLE	US	whitelisted
3955	app_process64	35.190.80.1:443	a.nel.cloudflare.com	GOOGLE-CLOUD-PLATFORM	US	whitelisted
3955	app_process64	142.250.184.234:443	androidchromeprotect.pa.googleapis.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.251.141.78	whitelisted
www.google.com	142.250.184.228	whitelisted
clients2.google.com	142.251.208.14	whitelisted
www.xuper-tv.com	188.114.96.3 188.114.97.3	unknown
accounts.google.com	74.125.71.84	whitelisted
a.nel.cloudflare.com	35.190.80.1	whitelisted
androidchromeprotect.pa.googleapis.com	142.250.184.234	whitelisted
connectivitycheck.gstatic.com	142.251.141.67	whitelisted
time.android.com	216.239.35.12 216.239.35.0 216.239.35.8 216.239.35.4	whitelisted
staging-remoteprovisioning.sandbox.googleapis.com	74.125.71.81	whitelisted

Threats

PID	Process	Class	Message
3955	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
3955	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
1921	app_process64	Misc activity	ET INFO Android Device Connectivity Check
4298	app_process64	Misc activity	ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
4298	app_process64	Misc activity	ET INFO Google DNS Over HTTPS Certificate Inbound
4298	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Websocket Upgrade Request
4298	app_process64	Generic Protocol Command Decode	SURICATA HTTP request header invalid
4298	app_process64	Generic Protocol Command Decode	SURICATA HTTP METHOD terminated by non-compliant character
4745	app_process64	Misc activity	ET INFO Cloudflare DNS Over HTTPS Certificate Inbound
4745	app_process64	Misc activity	ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)

Add for printing

No debug info

General Info

https://www.xuper-tv.com/app/XPR_official.apk

E79D0932A1CE3CA5F9ED7545E0B1B12E

46374027FB5637B21E1066085B0E8DA4E5B57EC4

5B354E0BC4D550EDA1EC7F3909B7FF8816B2BDF9301E4CDB6D2B63311847D736

3:N8DSLmbwiYKkb4:2OLIwPK04

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Executes system commands or scripts

Requests APK Installation via system installer

SUSPICIOUS

Accesses system-level resources

Accesses external device storage files

Updates data in the storage of application settings (SharedPreferences)

Uses encryption API functions

Reads device MAC address fingerprint

Retrieves Android OS build information

Returns the name of the current network operator

Launches a new activity

Establishing a connection

Accesses memory information

Collects data about the device's environment (JVM version)

Detects when screen powers off

Connects to unusual port

INFO

Dynamically inspects or modifies classes, methods, and fields at runtime

Loads a native library into the application

Gets the display metrics associated with the device's screen

Retrieves data from storage of application settings (SharedPreferences)

Dynamically registers broadcast event listeners

Returns elapsed time since boot

Stores data using SQLite database

Verifies whether the device is connected to the internet

Retrieves the value of a secure system setting

Detects device power status

Attempting to connect via WebSocket

Detects if debugger is connected

Creates and writes local files

Gets file name without full path

Listens for connection changes

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings