File name: WhatsAppPlus-202507041853-R52686252.apk

Full analysis: https://app.any.run/tasks/b33bfc64-4d24-4e82-bdfc-422864f6a6d1
Verdict: Malicious activity
Analysis date: July 13, 2025, 09:55:52
OS: Android 14
Tags: evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: C71D27219F7F91EFEB573AEC6F25188E
SHA1: 890B1FE444DD86945A73DE6D2D1B9801B68C3A44
SHA256: C4CB4BCBD1BF27A7949F00680FE9B2BD15A109CCD1178DDDE8622BF49E7164EB
SSDEEP: 393216:4ePBhe16mYTUTATxY5lrG06lsdZU+gbWgumYFjEJLGpG739PXnBX+bp1c:4Kq7YYTGGrvzdy+O+jEv3tXBObrc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes system commands or scripts

      • app_process64 (PID: 2320)
    • Checks whether the screen is currently on

      • app_process64 (PID: 2320)
  • SUSPICIOUS

    • Scans for popular installed apps

      • app_process64 (PID: 2320)
    • Acquires a wake lock to keep the device awake

      • app_process64 (PID: 2320)
    • Returns the unique device identifier (IMEI or MEID)

      • app_process64 (PID: 2320)
    • Retrieves the file path to the APK

      • app_process64 (PID: 2320)
    • Accesses system-level resources

      • app_process64 (PID: 2320)
    • Accesses memory information

      • app_process64 (PID: 2320)
    • Creates a WakeLock to manage power state

      • app_process64 (PID: 2320)
    • Collects data about the device's environment (JVM version)

      • app_process64 (PID: 2320)
    • Uses encryption API functions

      • app_process64 (PID: 2320)
    • Accesses external device storage files

      • app_process64 (PID: 2320)
    • Establishing a connection

      • app_process64 (PID: 2320)
    • Updates data in the storage of application settings (SharedPreferences)

      • app_process64 (PID: 2320)
    • Retrieves the ISO country code of the current network

      • app_process64 (PID: 2320)
    • Launches a new activity

      • app_process64 (PID: 2320)
    • Overlays content on other applications

      • app_process64 (PID: 2320)
    • Retrieves the ISO country code of the current SIM card

      • app_process64 (PID: 2320)
    • Retrieves a list of running application processes

      • app_process64 (PID: 2320)
    • Starts a service

      • app_process64 (PID: 2320)
    • Checks if the device's lock screen is showing

      • app_process64 (PID: 2320)
    • Detects when screen powers off

      • app_process64 (PID: 2320)
    • Checks for external IP

      • netd (PID: 339)
      • app_process64 (PID: 2320)
    • Checks if ADB is enabled

      • app_process64 (PID: 2320)
    • Retrieves subscriber identification from SIM (IMSI)

      • app_process64 (PID: 2320)
  • INFO

    • Returns elapsed time since boot

      • app_process64 (PID: 2320)
    • Dynamically inspects or modifies classes, methods, and fields at runtime

      • app_process64 (PID: 2320)
    • Dynamically loads a class in Java

      • app_process64 (PID: 2320)
    • Loads a native library into the application

      • app_process64 (PID: 2320)
    • Stores data using SQLite database

      • app_process64 (PID: 2320)
    • Retrieves data from storage of application settings (SharedPreferences)

      • app_process64 (PID: 2320)
    • Retrieves the value of a secure system setting

      • app_process64 (PID: 2320)
    • Gets file name without full path

      • app_process64 (PID: 2320)
    • Gets the display metrics associated with the device's screen

      • app_process64 (PID: 2320)
    • Handles throwable exceptions in the app

      • app_process64 (PID: 2320)
    • Dynamically registers broadcast event listeners

      • app_process64 (PID: 2320)
    • Verifies whether the device is connected to the internet

      • app_process64 (PID: 2320)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.apk | Android Package (73.9)
.jar | Java Archive (20.4)
.zip | ZIP compressed archive (5.6)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: 0x0800
ZipCompression: None
ZipModifyDate: 1981:01:01 01:01:02
ZipCRC: 0xa8701ad9
ZipCompressedSize: 6
ZipUncompressedSize: 6
ZipFileName: META-INF/androidx.compose.ui_ui.version
No data.
All screenshots are available in the full report
Total processes: 137
Monitored processes: 13
Malicious processes: 1
Suspicious processes: 0

Behavior graph

[Behavior graph: start, app_process64, toolbox (6 instances, no specs), dmesgd (no specs), toybox (no specs), netd, app_process64 (3 further instances); the interactive graph is available in the full report]

Process information

PID | CMD | Path | Parent process | User | Integrity Level | Exit code
339 | /system/bin/netd | /system/bin/netd | init | root | UNKNOWN | 0
2320 | com.wpmessenger.site | /system/bin/app_process64 | app_process64 | root | UNKNOWN | 0
2360 | getprop | /system/bin/toolbox | app_process64 | u0_a108 | UNKNOWN | 0
2410 | getprop init.svc.adbd | /system/bin/toolbox | app_process64 | u0_a108 | UNKNOWN | 0
2414 | getprop ro.board.platform | /system/bin/toolbox | app_process64 | u0_a108 | UNKNOWN | 0
2419 | getprop init.svc.adbd | /system/bin/toolbox | app_process64 | u0_a108 | UNKNOWN | 0
2423 | getprop sys.usb.config | /system/bin/toolbox | app_process64 | u0_a108 | UNKNOWN | 0
2425 | /system/bin/dmesgd | /system/bin/dmesgd | init | dmesgd | UNKNOWN | 0
2426 | getprop init.svc.wificond | /system/bin/toolbox | app_process64 | u0_a108 | UNKNOWN | 0
2427 | dmesg | /system/bin/toybox | dmesgd | dmesgd | UNKNOWN | 0
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 3
Suspicious files: 133
Text files: 74
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2320 | app_process64 | /data/data/com.wpmessenger.site/files/xsznrjeb | compressed
2320 | app_process64 | /data/data/com.wpmessenger.site/cache/oat_primary/arm64/base.2320.tmp | binary
2320 | app_process64 | /data/data/com.wpmessenger.site/code_cache/libytwa.so | binary
2320 | app_process64 | /data/data/com.wpmessenger.site/code_cache/libsls_producer.so | binary
2320 | app_process64 | /data/data/com.wpmessenger.site/code_cache/libmmkv.so | binary
2320 | app_process64 | /data/data/com.wpmessenger.site/code_cache/libnmsl.so | binary
2320 | app_process64 | /data/data/com.wpmessenger.site/code_cache/1752400598187.dex | binary
2320 | app_process64 | /data/data/com.wpmessenger.site/shared_prefs/__s_uuid.xml | xml
2360 | toolbox | /data/data/com.wpmessenger.site/files/Logs/whatsapp.log | text
2320 | app_process64 | /data/data/com.wpmessenger.site/shared_prefs/FirebaseHeartBeatW0RFRkFVTFRd+MToyOTM5NTU0NDE4MzQ6YW5kcm9pZDo3MzczYTJkMGJkZmEzMjI4.xml | xml
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 27
TCP/UDP connections: 51
DNS requests: 27
Threats: 24

HTTP requests

Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
GET | 204 | 142.250.186.132:80 | http://www.google.com/gen_204 | US | - | - | whitelisted
GET | 204 | 216.58.206.67:80 | http://connectivitycheck.gstatic.com/generate_204 | US | - | - | whitelisted
GET | 204 | 216.58.206.67:80 | http://connectivitycheck.gstatic.com/generate_204 | US | - | - | whitelisted
POST | 200 | 142.250.27.81:443 | https://staging-remoteprovisioning.sandbox.googleapis.com/v1:fetchEekChain | US | binary | 699 b | whitelisted
GET | 200 | 157.240.0.60:443 | https://www.whatsapp.com/.well-known/assetlinks.json | US | text | 1.93 Kb | whitelisted
GET | 200 | 157.240.0.60:443 | https://api.whatsapp.com/.well-known/assetlinks.json | US | text | 1.25 Kb | whitelisted
GET | 200 | 157.240.0.60:443 | https://call.whatsapp.com/.well-known/assetlinks.json | US | text | 1.25 Kb | whitelisted
GET | 200 | 157.240.0.60:443 | https://chat.whatsapp.com/.well-known/assetlinks.json | US | text | 1.25 Kb | whitelisted
GET | 200 | 157.240.0.60:443 | https://whatsapp.com/.well-known/assetlinks.json | US | text | 1.93 Kb | whitelisted
GET | 200 | 157.240.0.60:443 | https://wa.me/.well-known/assetlinks.json | US | text | 1.25 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
445 | mdnsd | 224.0.0.251:5353 | - | - | - | unknown
- | - | 216.58.206.67:80 | connectivitycheck.gstatic.com | GOOGLE | US | whitelisted
- | - | 216.58.206.68:443 | www.google.com | GOOGLE | US | whitelisted
- | - | 142.250.186.132:80 | www.google.com | GOOGLE | US | whitelisted
- | - | 142.250.186.132:443 | www.google.com | GOOGLE | US | whitelisted
- | - | 216.239.35.12:123 | time.android.com | - | - | whitelisted
- | - | 142.250.27.81:443 | staging-remoteprovisioning.sandbox.googleapis.com | GOOGLE | US | whitelisted
- | - | 216.239.35.0:123 | time.android.com | - | - | whitelisted
574 | app_process64 | 216.239.35.4:123 | time.android.com | - | - | whitelisted
1793 | app_process64 | 157.240.0.60:443 | www.whatsapp.com | FACEBOOK | US | whitelisted

DNS requests

Domain | IP | Reputation
www.google.com | 216.58.206.68, 142.250.186.132 | whitelisted
connectivitycheck.gstatic.com | 216.58.206.67 | whitelisted
google.com | 172.217.16.142 | whitelisted
time.android.com | 216.239.35.12, 216.239.35.0, 216.239.35.4, 216.239.35.8 | whitelisted
staging-remoteprovisioning.sandbox.googleapis.com | 142.250.27.81 | whitelisted
www.whatsapp.com | 157.240.0.60 | whitelisted
call.whatsapp.com | 157.240.0.60 | whitelisted
api.whatsapp.com | 157.240.0.60 | whitelisted
chat.whatsapp.com | 157.240.0.60 | whitelisted
whatsapp.com | 157.240.0.60 | whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Android Device Connectivity Check
- | - | Misc activity | ET INFO Android Device Connectivity Check
339 | netd | Misc activity | ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
2320 | app_process64 | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
339 | netd | Misc activity | ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
2320 | app_process64 | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
2320 | app_process64 | Device Retrieving External IP Address Detected | ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
339 | netd | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io
No debug info