Malware analysis Unlock-r-MOD-1.2.7-MODBIBO.apk Malicious activity

Add for printing

File name:	Unlock-r-MOD-1.2.7-MODBIBO.apk
Full analysis:	https://app.any.run/tasks/5db2d8dc-2240-4bff-902c-53eb5d0fec4c
Verdict:	Malicious activity
Analysis date:	February 23, 2026, 22:04:18
OS:	Android 14
Tags:	arch-scr discord
MIME:	application/vnd.android.package-archive
File info:	Android package (APK), with APK Signing Block
MD5:	18108C4E94B57C6A2E5086EE002112F5
SHA1:	138E54BA66DE1D076CF21183038E709E6D571267
SHA256:	A69A34A045C93669C9072DDBCC73DE6908A4FD163622731395C9DCCFCFF9FC25
SSDEEP:	98304:dFfg1SCpck885HA6lBhyVBQwa21lsmAz+ZAVIWHrYWglOBe2LjCIPgoR1q5zUt+o:zc1ECRM9OfuqESkY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

android (14)
android.cuttlefish.overlay (14)
android.cuttlefish.phone.overlay (14)
android.ext.services (2019-09)
android.ext.shared (1)
com.android.adservices.api (14)
com.android.apps.tag (1.1)
com.android.backupconfirm (14)
com.android.bips (14)
com.android.bluetoothmidiservice (14)
com.android.bookmarkprovider (14)
com.android.calendar (14)
com.android.calllogbackup (14)
com.android.camera2 (2.0.002)
com.android.cameraextensions (14)
com.android.captiveportallogin (14)
com.android.carrierconfig (1.0.0)
com.android.carrierdefaultapp (14)
com.android.cellbroadcastreceiver (R-initial)
com.android.cellbroadcastreceiver.module (R-initial)
com.android.cellbroadcastservice (R-initial)
com.android.certinstaller (14)
com.android.companiondevicemanager (14)
com.android.compos.payload (14)
com.android.connectivity.resources (S-initial)
com.android.connectivity.resources.cuttlefish.overlay (14)
com.android.contacts (1.7.34)
com.android.credentialmanager (14)
com.android.cts.ctsshim (14-10093150)
com.android.cts.priv.ctsshim (14-10093150)
com.android.deskclock (14)
com.android.devicelockcontroller (14)
com.android.dialer (23.0)
com.android.documentsui (14)
com.android.dreams.basic (14)
com.android.dreams.phototable (14)
com.android.dynsystem (14)
com.android.egg (1.0)
com.android.emergency (14)
com.android.ext.adservices.api (14)
com.android.externalstorage (14)
com.android.federatedcompute.services (T-initial)
com.android.gallery3d (1.1.40030)
com.android.google.gce.gceservice (14)
com.android.health.connect.backuprestore (14)
com.android.healthconnect.controller (14)
com.android.hotspot2.osulogin (14)
com.android.htmlviewer (14)
com.android.imsserviceentitlement (14)
com.android.inputdevices (14)
com.android.inputmethod.latin (14)
com.android.intentresolver (2021-11)
com.android.internal.display.cutout.emulation.corner (1.0)
com.android.internal.display.cutout.emulation.double (1.0)
com.android.internal.display.cutout.emulation.hole (1.0)
com.android.internal.display.cutout.emulation.tall (1.0)
com.android.internal.display.cutout.emulation.waterfall (1.0)
com.android.internal.systemui.navbar.gestural (1.0)
com.android.internal.systemui.navbar.gestural_extra_wide_back (1.0)
com.android.internal.systemui.navbar.gestural_narrow_back (1.0)
com.android.internal.systemui.navbar.gestural_wide_back (1.0)
com.android.internal.systemui.navbar.threebutton (1.0)
com.android.internal.systemui.navbar.transparent (1.0)
com.android.keychain (14)
com.android.launcher3 (14)
com.android.localtransport (14)
com.android.location.fused (14)
com.android.managedprovisioning (14)
com.android.messaging (1.0.001)
com.android.microdroid.empty_payload (14)
com.android.mms.service (14)
com.android.modulemetadata (14)
com.android.mtp (14)
com.android.music (14)
com.android.musicfx (1.4)
com.android.nearby.halfsheet (14)
com.android.networkstack (14)
com.android.networkstack.tethering (14)
com.android.networkstack.tethering.cuttlefishoverlay (1.0)
com.android.nfc (14)
com.android.ondevicepersonalization.services (T-initial)
com.android.ons (14)
com.android.packageinstaller (14)
com.android.pacprocessor (14)
com.android.permissioncontroller (33 system image)
com.android.phone (14)
com.android.printservice.recommendation (1.3.0)
com.android.printspooler (14)
com.android.providers.blockednumber (14)
com.android.providers.calendar (14)
com.android.providers.contacts (14)
com.android.providers.downloads (14)
com.android.providers.downloads.ui (14)
com.android.providers.media (14)
com.android.providers.media.module (14)
com.android.providers.partnerbookmarks (14)
com.android.providers.settings (14)
com.android.providers.settings.cuttlefish.overlay (14)
com.android.providers.telephony (14)
com.android.providers.userdictionary (14)
com.android.provision (14)
com.android.proxyhandler (14)
com.android.quicksearchbox (14)
com.android.rkpdapp (14)
com.android.role.notes.enabled (1.0)
com.android.safetycenter.resources (33 system image)
com.android.sdksandbox (T-initial)
com.android.se (14)
com.android.server.telecom (14)
com.android.settings (14)
com.android.settings.intelligence (14)
com.android.sharedstoragebackup (14)
com.android.shell (14)
com.android.simappdialog (14)
com.android.soundpicker (14)
com.android.statementservice (1.0)
com.android.stk (14)
com.android.storagemanager (14)
com.android.systemui (14)
com.android.systemui.accessibility.accessibilitymenu (14)
com.android.telephony.qns (14)
com.android.theme.font.notoserifsource (1.0)
com.android.traceur (1.0)
com.android.uwb.resources (T-initial)
com.android.virtualmachine.res (14)
com.android.vpndialogs (14)
com.android.wallpaper.livepicker (14)
com.android.wallpaperbackup (14)
com.android.wallpapercropper (14)
com.android.wallpaperpicker (1.0)
com.android.webview (137.0.7122.0)
com.android.wifi.dialog (14)
com.android.wifi.resources (R-initial)
com.android.wifi.resources.cf (1.0)
com.google.android.telephony.satellite (14)
org.chromium.chrome (137.0.7122.0)

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executes dynamic code using class loader
  - app_process64 (PID: 2847)
- Updates data in the storage of application settings (SharedPreferences)
  - app_process64 (PID: 2847)
- Accesses system-level resources
  - app_process64 (PID: 2847)
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 2847)
- Establishing a connection
  - app_process64 (PID: 2847)
- Uses encryption API functions
  - app_process64 (PID: 2847)
- Retrieves Android OS build information
  - app_process64 (PID: 2847)
- Retrieves the MCC and MNC of the SIM card operator
  - app_process64 (PID: 2847)
- Potential Corporate Privacy Violation
  - app_process64 (PID: 2847)
- Accesses external device storage files
  - app_process64 (PID: 2847)
- Launches a new activity
  - app_process64 (PID: 2847)
INFO
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 2847)
- Dynamically registers broadcast event listeners
  - app_process64 (PID: 2847)
- Gets the display metrics associated with the device's screen
  - app_process64 (PID: 2847)
- Retrieves data from storage of application settings (SharedPreferences)
  - app_process64 (PID: 2847)
- Retrieves the value of a secure system setting
  - app_process64 (PID: 2847)
- Dynamically loads a class in Java
  - app_process64 (PID: 2847)
- Stores data using SQLite database
  - app_process64 (PID: 2847)
- Returns elapsed time since boot
  - app_process64 (PID: 2847)
- Verifies whether the device is connected to the internet
  - app_process64 (PID: 2847)
- Drops script file
  - app_process64 (PID: 2847)
- Gets file name without full path
  - app_process64 (PID: 2847)
- Attempting to use instant messaging service
  - app_process64 (PID: 3216)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.apk	\|	Android Package (73.9)
.jar	\|	Java Archive (20.4)
.zip	\|	ZIP compressed archive (5.6)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0800
ZipCompression:	Deflated
ZipModifyDate:	2025:04:27 10:56:06
ZipCRC:	0x1f2ca912
ZipCompressedSize:	3777
ZipUncompressedSize:	19252
ZipFileName:	AndroidManifest.xml

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

138

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2847	me.tito.unlocker	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2971	com.android.webview:webview_service	/system/bin/app_process32		app_process32
User: root Integrity Level: UNKNOWN Exit code: 0
2972	webview_zygote	/system/bin/app_process32	—	app_process32
User: webview_zygote Integrity Level: UNKNOWN Exit code: 0
3024	com.android.adservices.api	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
3090	com.android.webview:webview_apk	/system/bin/app_process32		app_process32
User: root Integrity Level: UNKNOWN Exit code: 0
3216	org.chromium.chrome	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
3287	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
3311	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 9
3312	org.chromium.chrome:privileged_process0	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
3385	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2847	app_process64	/storage/emulated/0/Android/data/me.tito.unlocker/cache/crash.txt		text
		MD5:—	SHA256:—
2847	app_process64	/data/user/0/me.tito.unlocker/cache/xz.apk		compressed
		MD5:—	SHA256:—
2847	app_process64	/data/user/0/me.tito.unlocker/shared_prefs/CBGr2.xml		xml
		MD5:—	SHA256:—
2847	app_process64	/data/user/0/me.tito.unlocker/app_webview/last-exit-info		text
		MD5:—	SHA256:—
2847	app_process64	/data/user/0/me.tito.unlocker/shared_prefs/WebViewChromiumPrefs.xml		xml
		MD5:—	SHA256:—
2847	app_process64	/data/user/0/me.tito.unlocker/app_webview/Default/Web Data-journal		binary
		MD5:—	SHA256:—
2847	app_process64	/data/user/0/me.tito.unlocker/cache/WebView/Default/HTTP Cache/Code Cache/js/index		binary
		MD5:—	SHA256:—
2847	app_process64	/data/user/0/me.tito.unlocker/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index		binary
		MD5:—	SHA256:—
2847	app_process64	/data/user/0/me.tito.unlocker/app_webview/Default/Shared Dictionary/cache/index		binary
		MD5:—	SHA256:—
2847	app_process64	/data/user/0/me.tito.unlocker/app_webview/Default/Shared Dictionary/cache/index-dir/temp-index		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

143

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
822	app_process64	GET	204	142.251.127.105:443	https://www.google.com/generate_204	unknown	—	—	whitelisted
822	app_process64	GET	204	142.251.140.163:80	http://connectivitycheck.gstatic.com/generate_204	unknown	—	—	whitelisted
—	—	GET	204	142.251.127.99:80	http://www.google.com/gen_204	unknown	—	—	whitelisted
2847	app_process64	POST	200	188.114.97.3:443	https://log-report.com/report	unknown	text	48 b	unknown
2847	app_process64	POST	200	188.114.97.3:443	https://log-report.com/report	unknown	text	48 b	unknown
2847	app_process64	GET	200	172.247.0.106:443	https://strongwill100.com/jd?a=53acdd351da24a600000242d50cf1f9f&av=1.2.7&cv=23&d=4b22c8d55aadcc6f&lang=en&p=me.tito.unlocker&region=US&v=0&vc=50	unknown	text	253 b	unknown
2847	app_process64	GET	200	107.148.236.156:443	https://360mixup.com/feature/config?api_version=1&app_id=53acdd351da24a600000242d50cf1f9f&app_version=2.3&device_code=4b22c8d55aadcc6f&lang=en&platform=2&region=US&version_code=23	unknown	text	509 b	unknown
1756	app_process64	POST	200	142.251.168.81:443	https://staging-remoteprovisioning.sandbox.googleapis.com/v1:fetchEekChain	unknown	binary	778 b	whitelisted
1756	app_process64	POST	200	142.251.168.81:443	https://staging-remoteprovisioning.sandbox.googleapis.com/v1:signCertificates?challenge=AAABnIyIXIsBILStY3SXO3_uYnBqi_7J5beAEEE=&request_id=5f15c90c-e72b-49c2-a320-4d1bc2a4884b	unknown	binary	11.8 Kb	whitelisted
2971	app_process32	GET	200	216.58.206.35:443	https://clientservices.googleapis.com/chrome-variations/seed?osname=android_webview&milestone=137	unknown	compressed	13.6 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
443	mdnsd	224.0.0.251:5353	—	—	—	whitelisted
—	—	142.251.127.99:80	www.google.com	GOOGLE	US	whitelisted
—	—	142.251.127.105:443	www.google.com	GOOGLE	US	whitelisted
—	—	142.251.140.163:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
2847	app_process64	104.19.31.141:443	—	CLOUDFLARENET	US	whitelisted
2847	app_process64	172.64.203.72:443	—	CLOUDFLARENET	US	whitelisted
2847	app_process64	172.64.197.29:443	—	CLOUDFLARENET	US	whitelisted
2847	app_process64	162.159.38.227:443	—	CLOUDFLARENET	US	whitelisted
2847	app_process64	104.19.82.128:443	—	CLOUDFLARENET	US	whitelisted
2847	app_process64	162.159.243.215:443	—	CLOUDFLARENET	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	172.217.168.78	whitelisted
www.google.com	142.251.127.103 142.251.127.105 142.251.127.104 142.251.127.106 142.251.127.99 142.251.127.147	whitelisted
log-report.com	188.114.97.3 188.114.96.3	whitelisted
strongwill100.com	172.247.0.106	unknown
360mixup.com	107.148.236.156	unknown
connectivitycheck.gstatic.com	142.251.140.163	whitelisted
time.android.com	216.239.35.8 216.239.35.4 216.239.35.0 216.239.35.12	whitelisted
staging-remoteprovisioning.sandbox.googleapis.com	142.251.168.81	whitelisted
clientservices.googleapis.com	216.58.206.35	whitelisted
update.googleapis.com	142.250.201.163	whitelisted

Threats

PID	Process	Class	Message
822	app_process64	Misc activity	ET INFO Android Device Connectivity Check
2847	app_process64	Potential Corporate Privacy Violation	ET INFO Android Dalvik Executable File Download
3216	app_process64	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
3216	app_process64	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
3216	app_process64	Misc activity	ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
3216	app_process64	Misc activity	ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
339	netd	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
3216	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Request to load WebAssembly module

Add for printing

No debug info

General Info

Unlock-r-MOD-1.2.7-MODBIBO.apk

18108C4E94B57C6A2E5086EE002112F5

138E54BA66DE1D076CF21183038E709E6D571267

A69A34A045C93669C9072DDBCC73DE6908A4FD163622731395C9DCCFCFF9FC25

98304:dFfg1SCpck885HA6lBhyVBQwa21lsmAz+ZAVIWHrYWglOBe2LjCIPgoR1q5zUt+o:zc1ECRM9OfuqESkY

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Executes dynamic code using class loader

Updates data in the storage of application settings (SharedPreferences)

Accesses system-level resources

Collects data about the device's environment (JVM version)

Establishing a connection

Uses encryption API functions

Retrieves Android OS build information

Retrieves the MCC and MNC of the SIM card operator

Potential Corporate Privacy Violation

Accesses external device storage files

Launches a new activity

INFO

Dynamically inspects or modifies classes, methods, and fields at runtime

Dynamically registers broadcast event listeners

Gets the display metrics associated with the device's screen

Retrieves data from storage of application settings (SharedPreferences)

Retrieves the value of a secure system setting

Dynamically loads a class in Java

Stores data using SQLite database

Returns elapsed time since boot

Verifies whether the device is connected to the internet

Drops script file

Gets file name without full path

Attempting to use instant messaging service

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings