Malware analysis util.apk Malicious activity | ANY.RUN

Add for printing

File name:	util.apk
Full analysis:	https://app.any.run/tasks/e7b72552-98c2-4302-8b3e-e6b4086c10ec
Verdict:	Malicious activity
Analysis date:	September 17, 2025, 20:09:33
OS:	Android 14
MIME:	application/vnd.android.package-archive
File info:	Android package (APK), with zipflinger virtual entry
MD5:	D79DE26932A230A00C852CAFE079B4CC
SHA1:	46AFD7DA7F5B40E3A45DA7D2B55E41C4F2E0526A
SHA256:	C5B66D381050D0122171BE80D52A64D2EAFB9BA7108C73821CA0E7D9E4D150CF
SSDEEP:	98304:P2+vmSQP1zwnmj7IX/Fc7h5gU9hDsD5bSJott5YK83/yr6it8Hldz8J6imnUXhHd:4zpLuAQ95+b8onhhbR4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

android (14)
android.cuttlefish.overlay (14)
android.cuttlefish.phone.overlay (14)
android.ext.services (2019-09)
android.ext.shared (1)
com.android.adservices.api (14)
com.android.apps.tag (1.1)
com.android.backupconfirm (14)
com.android.bips (14)
com.android.bluetoothmidiservice (14)
com.android.bookmarkprovider (14)
com.android.calendar (14)
com.android.calllogbackup (14)
com.android.camera2 (2.0.002)
com.android.cameraextensions (14)
com.android.captiveportallogin (14)
com.android.carrierconfig (1.0.0)
com.android.carrierdefaultapp (14)
com.android.cellbroadcastreceiver (R-initial)
com.android.cellbroadcastreceiver.module (R-initial)
com.android.cellbroadcastservice (R-initial)
com.android.certinstaller (14)
com.android.companiondevicemanager (14)
com.android.compos.payload (14)
com.android.connectivity.resources (S-initial)
com.android.connectivity.resources.cuttlefish.overlay (14)
com.android.contacts (1.7.34)
com.android.credentialmanager (14)
com.android.cts.ctsshim (14-10093150)
com.android.cts.priv.ctsshim (14-10093150)
com.android.deskclock (14)
com.android.devicelockcontroller (14)
com.android.dialer (23.0)
com.android.documentsui (14)
com.android.dreams.basic (14)
com.android.dreams.phototable (14)
com.android.dynsystem (14)
com.android.egg (1.0)
com.android.emergency (14)
com.android.ext.adservices.api (14)
com.android.externalstorage (14)
com.android.federatedcompute.services (T-initial)
com.android.gallery3d (1.1.40030)
com.android.google.gce.gceservice (14)
com.android.health.connect.backuprestore (14)
com.android.healthconnect.controller (14)
com.android.hotspot2.osulogin (14)
com.android.htmlviewer (14)
com.android.imsserviceentitlement (14)
com.android.inputdevices (14)
com.android.inputmethod.latin (14)
com.android.intentresolver (2021-11)
com.android.internal.display.cutout.emulation.corner (1.0)
com.android.internal.display.cutout.emulation.double (1.0)
com.android.internal.display.cutout.emulation.hole (1.0)
com.android.internal.display.cutout.emulation.tall (1.0)
com.android.internal.display.cutout.emulation.waterfall (1.0)
com.android.internal.systemui.navbar.gestural (1.0)
com.android.internal.systemui.navbar.gestural_extra_wide_back (1.0)
com.android.internal.systemui.navbar.gestural_narrow_back (1.0)
com.android.internal.systemui.navbar.gestural_wide_back (1.0)
com.android.internal.systemui.navbar.threebutton (1.0)
com.android.internal.systemui.navbar.transparent (1.0)
com.android.keychain (14)
com.android.launcher3 (14)
com.android.localtransport (14)
com.android.location.fused (14)
com.android.managedprovisioning (14)
com.android.messaging (1.0.001)
com.android.microdroid.empty_payload (14)
com.android.mms.service (14)
com.android.modulemetadata (14)
com.android.mtp (14)
com.android.music (14)
com.android.musicfx (1.4)
com.android.nearby.halfsheet (14)
com.android.networkstack (14)
com.android.networkstack.tethering (14)
com.android.networkstack.tethering.cuttlefishoverlay (1.0)
com.android.nfc (14)
com.android.ondevicepersonalization.services (T-initial)
com.android.ons (14)
com.android.packageinstaller (14)
com.android.pacprocessor (14)
com.android.permissioncontroller (33 system image)
com.android.phone (14)
com.android.printservice.recommendation (1.3.0)
com.android.printspooler (14)
com.android.providers.blockednumber (14)
com.android.providers.calendar (14)
com.android.providers.contacts (14)
com.android.providers.downloads (14)
com.android.providers.downloads.ui (14)
com.android.providers.media (14)
com.android.providers.media.module (14)
com.android.providers.partnerbookmarks (14)
com.android.providers.settings (14)
com.android.providers.settings.cuttlefish.overlay (14)
com.android.providers.telephony (14)
com.android.providers.userdictionary (14)
com.android.provision (14)
com.android.proxyhandler (14)
com.android.quicksearchbox (14)
com.android.rkpdapp (14)
com.android.role.notes.enabled (1.0)
com.android.safetycenter.resources (33 system image)
com.android.sdksandbox (T-initial)
com.android.se (14)
com.android.server.telecom (14)
com.android.settings (14)
com.android.settings.intelligence (14)
com.android.sharedstoragebackup (14)
com.android.shell (14)
com.android.simappdialog (14)
com.android.soundpicker (14)
com.android.statementservice (1.0)
com.android.stk (14)
com.android.storagemanager (14)
com.android.systemui (14)
com.android.systemui.accessibility.accessibilitymenu (14)
com.android.telephony.qns (14)
com.android.theme.font.notoserifsource (1.0)
com.android.traceur (1.0)
com.android.uwb.resources (T-initial)
com.android.virtualmachine.res (14)
com.android.vpndialogs (14)
com.android.wallpaper.livepicker (14)
com.android.wallpaperbackup (14)
com.android.wallpapercropper (14)
com.android.wallpaperpicker (1.0)
com.android.webview (137.0.7122.0)
com.android.wifi.dialog (14)
com.android.wifi.resources (R-initial)
com.android.wifi.resources.cf (1.0)
com.google.android.telephony.satellite (14)
org.chromium.chrome (137.0.7122.0)

Add for printing

MALICIOUS
- Checks whether the screen is currently on
  - app_process64 (PID: 2798)
SUSPICIOUS
- Accesses external device storage files
  - app_process64 (PID: 2798)
- Monitors and intercepts incoming messages
  - app_process64 (PID: 2798)
- Accesses system-level resources
  - app_process64 (PID: 2798)
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 2798)
- Updates data in the storage of application settings (SharedPreferences)
  - app_process64 (PID: 2798)
- Abuses foreground service for persistence
  - app_process64 (PID: 2798)
- Collects nearby Wi-Fi network information
  - app_process64 (PID: 2798)
INFO
- Dynamically registers broadcast event listeners
  - app_process64 (PID: 2798)
- Retrieves data from storage of application settings (SharedPreferences)
  - app_process64 (PID: 2798)
- Gets the display metrics associated with the device's screen
  - app_process64 (PID: 2798)
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 2798)
- Creates and writes local files
  - app_process64 (PID: 2798)
- Verifies presence of SIM card
  - app_process64 (PID: 2798)
- Retrieves the value of a secure system setting
  - app_process64 (PID: 2798)
- Dynamically loads a class in Java
  - app_process64 (PID: 2798)
- Detects device power status
  - app_process64 (PID: 2798)
- Verifies whether the device is connected to the internet
  - app_process64 (PID: 2798)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.apk	\|	Android Package (73.9)
.jar	\|	Java Archive (20.4)
.zip	\|	ZIP compressed archive (5.6)

EXIF

ZIP

ZipRequiredVersion:	-
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	1981:01:01 01:01:02
ZipCRC:	0xe91e1b7c
ZipCompressedSize:	900
ZipUncompressedSize:	1532
ZipFileName:	classes9.dex

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

130

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2798	com.gyh.er.util	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2878	crash_dump64 2863 2877 4	/apex/com.android.runtime/bin/crash_dump64	—	app_process64
User: u0_a104 Integrity Level: UNKNOWN Exit code: 0
2879	crash_dump64 2863 2877 4	/apex/com.android.runtime/bin/crash_dump64	—	crash_dump64
User: u0_a104 Integrity Level: UNKNOWN Exit code: 0
2882	com.android.rkpdapp	/system/bin/app_process64	—	app_process64
User: u0_a104 Integrity Level: UNKNOWN Exit code: 0
2884	com.android.rkpdapp	/system/bin/app_process64	—	app_process64
User: u0_a104 Integrity Level: UNKNOWN Exit code: 0
2908	<pre-initialized>	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2798	app_process64	/data/data/com.gyh.er.util/shared_prefs/crashrecord.xml		xml
		MD5:—	SHA256:—
2798	app_process64	/data/data/com.gyh.er.util/app_crashrecord/1004		binary
		MD5:—	SHA256:—
2798	app_process64	/data/data/com.gyh.er.util/files/bugly_last_us_up_tm		text
		MD5:—	SHA256:—
2798	app_process64	/data/data/com.gyh.er.util/shared_prefs/BUGLY_COMMON_VALUES.xml		xml
		MD5:—	SHA256:—
2798	app_process64	/storage/emulated/0/Android/data/com.gyh.er.util/files/log/util_2025_09_17_com.gyh.er.util.txt		text
		MD5:—	SHA256:—
2798	app_process64	/data/data/com.gyh.er.util/shared_prefs/Utils.xml		xml
		MD5:—	SHA256:—
2798	app_process64	/data/data/com.gyh.er.util/shared_prefs/spUtils.xml		xml
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
831	app_process64	GET	204	142.250.184.227:80	http://connectivitycheck.gstatic.com/generate_204	unknown	—	—	whitelisted
—	—	GET	204	142.250.186.36:80	http://www.google.com/gen_204	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
446	mdnsd	224.0.0.251:5353	—	—	—	whitelisted
—	—	142.250.186.36:80	www.google.com	GOOGLE	US	whitelisted
—	—	142.250.184.227:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
—	—	142.250.186.36:443	www.google.com	GOOGLE	US	whitelisted
574	app_process64	216.239.35.4:123	time.android.com	—	—	unknown
831	app_process64	142.250.184.227:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
831	app_process64	142.250.186.36:443	www.google.com	GOOGLE	US	whitelisted
1711	app_process64	64.233.167.81:443	staging-remoteprovisioning.sandbox.googleapis.com	GOOGLE	US	whitelisted
2798	app_process64	14.22.7.199:443	android.bugly.qq.com	Chinanet	CN	unknown
2908	app_process64	64.233.167.81:443	staging-remoteprovisioning.sandbox.googleapis.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
www.google.com	142.250.186.36	whitelisted
google.com	142.250.184.206	whitelisted
time.android.com	216.239.35.4 216.239.35.12 216.239.35.0 216.239.35.8	unknown
connectivitycheck.gstatic.com	142.250.184.227	whitelisted
staging-remoteprovisioning.sandbox.googleapis.com	64.233.167.81	whitelisted
android.bugly.qq.com	14.22.7.199 14.22.7.140 119.147.179.152	unknown
app.kainder.xyz	47.236.69.217 8.219.255.200	unknown

Threats

PID	Process	Class	Message
831	app_process64	Misc activity	ET INFO Android Device Connectivity Check

Add for printing

No debug info

General Info

util.apk

D79DE26932A230A00C852CAFE079B4CC

46AFD7DA7F5B40E3A45DA7D2B55E41C4F2E0526A

C5B66D381050D0122171BE80D52A64D2EAFB9BA7108C73821CA0E7D9E4D150CF

98304:P2+vmSQP1zwnmj7IX/Fc7h5gU9hDsD5bSJott5YK83/yr6it8Hldz8J6imnUXhHd:4zpLuAQ95+b8onhhbR4

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Checks whether the screen is currently on

SUSPICIOUS

Accesses external device storage files

Monitors and intercepts incoming messages

Accesses system-level resources

Collects data about the device's environment (JVM version)

Updates data in the storage of application settings (SharedPreferences)

Abuses foreground service for persistence

Collects nearby Wi-Fi network information

INFO

Dynamically registers broadcast event listeners

Retrieves data from storage of application settings (SharedPreferences)

Gets the display metrics associated with the device's screen

Dynamically inspects or modifies classes, methods, and fields at runtime

Creates and writes local files

Verifies presence of SIM card

Retrieves the value of a secure system setting

Dynamically loads a class in Java

Detects device power status

Verifies whether the device is connected to the internet

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings