Malware analysis https://aeroinsta.tr.uptodown.com/android/dw Malicious activity

Add for printing

URL:	https://aeroinsta.tr.uptodown.com/android/dw
Full analysis:	https://app.any.run/tasks/f510da7f-a4a0-40de-8b58-6301bb5688d8
Verdict:	Malicious activity
Analysis date:	April 05, 2026, 19:48:27
OS:	Android 14
Indicators:
MD5:	522F08773B1F63E83A73606C19E69E00
SHA1:	B649497AD41522712CE16B19974A863B3114DBCB
SHA256:	D99233EA9CDFB94A6903BE69DA09EFE8EC8D7965AEDFF5914E192195AB101101
SSDEEP:	3:N8OMXPbd3E1HBZn:2OI3ExBZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

android (14)
android.cuttlefish.overlay (14)
android.cuttlefish.phone.overlay (14)
android.ext.services (2019-09)
android.ext.shared (1)
com.android.adservices.api (14)
com.android.apps.tag (1.1)
com.android.backupconfirm (14)
com.android.bips (14)
com.android.bluetoothmidiservice (14)
com.android.bookmarkprovider (14)
com.android.calendar (14)
com.android.calllogbackup (14)
com.android.camera2 (2.0.002)
com.android.cameraextensions (14)
com.android.captiveportallogin (14)
com.android.carrierconfig (1.0.0)
com.android.carrierdefaultapp (14)
com.android.cellbroadcastreceiver (R-initial)
com.android.cellbroadcastreceiver.module (R-initial)
com.android.cellbroadcastservice (R-initial)
com.android.certinstaller (14)
com.android.companiondevicemanager (14)
com.android.compos.payload (14)
com.android.connectivity.resources (S-initial)
com.android.connectivity.resources.cuttlefish.overlay (14)
com.android.contacts (1.7.34)
com.android.credentialmanager (14)
com.android.cts.ctsshim (14-10093150)
com.android.cts.priv.ctsshim (14-10093150)
com.android.deskclock (14)
com.android.devicelockcontroller (14)
com.android.dialer (23.0)
com.android.documentsui (14)
com.android.dreams.basic (14)
com.android.dreams.phototable (14)
com.android.dynsystem (14)
com.android.egg (1.0)
com.android.emergency (14)
com.android.ext.adservices.api (14)
com.android.externalstorage (14)
com.android.federatedcompute.services (T-initial)
com.android.gallery3d (1.1.40030)
com.android.google.gce.gceservice (14)
com.android.health.connect.backuprestore (14)
com.android.healthconnect.controller (14)
com.android.hotspot2.osulogin (14)
com.android.htmlviewer (14)
com.android.imsserviceentitlement (14)
com.android.inputdevices (14)
com.android.inputmethod.latin (14)
com.android.intentresolver (2021-11)
com.android.internal.display.cutout.emulation.corner (1.0)
com.android.internal.display.cutout.emulation.double (1.0)
com.android.internal.display.cutout.emulation.hole (1.0)
com.android.internal.display.cutout.emulation.tall (1.0)
com.android.internal.display.cutout.emulation.waterfall (1.0)
com.android.internal.systemui.navbar.gestural (1.0)
com.android.internal.systemui.navbar.gestural_extra_wide_back (1.0)
com.android.internal.systemui.navbar.gestural_narrow_back (1.0)
com.android.internal.systemui.navbar.gestural_wide_back (1.0)
com.android.internal.systemui.navbar.threebutton (1.0)
com.android.internal.systemui.navbar.transparent (1.0)
com.android.keychain (14)
com.android.launcher3 (14)
com.android.localtransport (14)
com.android.location.fused (14)
com.android.managedprovisioning (14)
com.android.messaging (1.0.001)
com.android.microdroid.empty_payload (14)
com.android.mms.service (14)
com.android.modulemetadata (14)
com.android.mtp (14)
com.android.music (14)
com.android.musicfx (1.4)
com.android.nearby.halfsheet (14)
com.android.networkstack (14)
com.android.networkstack.tethering (14)
com.android.networkstack.tethering.cuttlefishoverlay (1.0)
com.android.nfc (14)
com.android.ondevicepersonalization.services (T-initial)
com.android.ons (14)
com.android.packageinstaller (14)
com.android.pacprocessor (14)
com.android.permissioncontroller (33 system image)
com.android.phone (14)
com.android.printservice.recommendation (1.3.0)
com.android.printspooler (14)
com.android.providers.blockednumber (14)
com.android.providers.calendar (14)
com.android.providers.contacts (14)
com.android.providers.downloads (14)
com.android.providers.downloads.ui (14)
com.android.providers.media (14)
com.android.providers.media.module (14)
com.android.providers.partnerbookmarks (14)
com.android.providers.settings (14)
com.android.providers.settings.cuttlefish.overlay (14)
com.android.providers.telephony (14)
com.android.providers.userdictionary (14)
com.android.provision (14)
com.android.proxyhandler (14)
com.android.quicksearchbox (14)
com.android.rkpdapp (14)
com.android.role.notes.enabled (1.0)
com.android.safetycenter.resources (33 system image)
com.android.sdksandbox (T-initial)
com.android.se (14)
com.android.server.telecom (14)
com.android.settings (14)
com.android.settings.intelligence (14)
com.android.sharedstoragebackup (14)
com.android.shell (14)
com.android.simappdialog (14)
com.android.soundpicker (14)
com.android.statementservice (1.0)
com.android.stk (14)
com.android.storagemanager (14)
com.android.systemui (14)
com.android.systemui.accessibility.accessibilitymenu (14)
com.android.telephony.qns (14)
com.android.theme.font.notoserifsource (1.0)
com.android.traceur (1.0)
com.android.uwb.resources (T-initial)
com.android.virtualmachine.res (14)
com.android.vpndialogs (14)
com.android.wallpaper.livepicker (14)
com.android.wallpaperbackup (14)
com.android.wallpapercropper (14)
com.android.wallpaperpicker (1.0)
com.android.webview (137.0.7122.0)
com.android.wifi.dialog (14)
com.android.wifi.resources (R-initial)
com.android.wifi.resources.cf (1.0)
com.google.android.telephony.satellite (14)
org.chromium.chrome (137.0.7122.0)

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Retrieves a list of running application processes
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Collects data about the device's environment (JVM version)
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Accesses system-level resources
  - app_process64 (PID: 3452)
- Establishing a connection
  - app_process64 (PID: 3452)
- Retrieves Android OS build information
  - app_process64 (PID: 3452)
- Accesses external device storage files
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Scans for popular installed apps
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Retrieves the ISO country code of the current SIM card
  - app_process64 (PID: 3452)
- Accesses memory information
  - app_process64 (PID: 3452)
- Updates data in the storage of application settings (SharedPreferences)
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Launches a new activity
  - app_process64 (PID: 3452)
- Returns the name of the current network operator
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Starts a service
  - app_process64 (PID: 3452)
- Gets data of saved accounts
  - app_process64 (PID: 3452)
INFO
- Returns elapsed time since boot
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Dynamically inspects or modifies classes, methods, and fields at runtime
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Gets file name without full path
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Loads a native library into the application
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Retrieves data from storage of application settings (SharedPreferences)
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Retrieves CPU core information
  - app_process64 (PID: 3452)
- Retrieves the value of a secure system setting
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Verifies whether the device is connected to the internet
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Detects device power status
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Dynamically registers broadcast event listeners
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Gets the display metrics associated with the device's screen
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Listens for connection changes
  - app_process64 (PID: 3452)
  - app_process64 (PID: 3668)
- Creates and writes local files
  - app_process64 (PID: 3668)
- Listens for changes in sensors
  - app_process64 (PID: 3452)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

155

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2786	org.chromium.chrome	/system/bin/app_process64		app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2844	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2868	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
2885	org.chromium.chrome:privileged_process0	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2904	com.android.adservices.api	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
2968	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 9
2989	com.android.providers.partnerbookmarks	/system/bin/app_process64	—	app_process64
User: root Integrity Level: UNKNOWN Exit code: 0
3060	org.chromium.chrome_zygote	/system/bin/app_process64	—	app_process64
User: u0_a72 Integrity Level: UNKNOWN Exit code: 0
3087	/system/bin/dmesgd	/system/bin/dmesgd	—	init
User: dmesgd Integrity Level: UNKNOWN Exit code: 0
3088	dmesg	/system/bin/toybox	—	dmesgd
User: dmesgd Integrity Level: UNKNOWN Exit code: 0

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

430

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3180	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.Uj251c/list.pb		binary
		MD5:—	SHA256:—
3180	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.Uj251c/manifest.json		text
		MD5:—	SHA256:—
3180	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.Uj251c/LICENSE		text
		MD5:—	SHA256:—
3180	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.Uj251c/_metadata/verified_contents.json		text
		MD5:—	SHA256:—
3180	app_process64	/data/data/org.chromium.chrome/app_chrome/component_crx_cache/cab4d1f0a6a2a1afecae808a520f6690dd2b9d58bf54762877f2dc9715d55461		binary
		MD5:—	SHA256:—
3199	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.j1sBhX/privacy-sandbox-attestations.dat		binary
		MD5:—	SHA256:—
3199	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.j1sBhX/manifest.json		text
		MD5:—	SHA256:—
3199	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.j1sBhX/_metadata/verified_contents.json		text
		MD5:—	SHA256:—
3199	app_process64	/data/data/org.chromium.chrome/app_chrome/component_crx_cache/38c89b12bb20a8f2751c9c7cd2e31c173a47af08c115e1ecccc2f5151a2cf2c6		binary
		MD5:—	SHA256:—
3218	app_process64	/data/data/org.chromium.chrome/cache/.org.chromium.Chromium.tUVy4X/decoded_xz		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

109

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2786	app_process64	GET	200	151.101.195.52:443	https://aeroinsta.tr.uptodown.com/android/dw	US	html	142 Kb	unknown
2786	app_process64	GET	200	142.251.36.110:80	http://clients2.google.com/time/1/current?cup2key=9:DOfRElODUK7fH_w0sNwLBVQb38N8TiYmevLk5OYXeCw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	US	text	107 b	whitelisted
2786	app_process64	GET	200	151.101.195.52:443	https://img.utdstc.com/icon/4f0/532/4f053275616b7dcc22af6231bbe27135989343f4366caa515c87d8d2e4675b13:100	US	image	6.38 Kb	unknown
2786	app_process64	GET	200	216.58.206.72:443	https://www.googletagmanager.com/gtag/js?id=G-DW5XRK7GYT	US	text	473 Kb	whitelisted
2786	app_process64	GET	200	142.251.141.142:443	https://fundingchoicesmessages.google.com/i/pub-0337387298854186?ers=1	US	text	217 Kb	whitelisted
2786	app_process64	GET	200	142.251.141.142:443	https://fundingchoicesmessages.google.com/f/AGSKWxXosSA0sn8QV0luAjbXXZsvfA-kwJrjWdkK9szv1e0UWP6P0cU8oFIu6-I_n0cBA4abY9M_u7xcs8fM6aydlF-ajliqG1xolQ9-4g4SNZlY1t56GFAGHirQ_n8gnKd4TEy2XgPIhg==?fccs=W251bGwsbnVsbCxudWxsLG51bGwsbnVsbCxudWxsLFsxNzc1NDE4NTE3LDY3ODAwMDAwMF0sbnVsbCxudWxsLG51bGwsW251bGwsWzddXSwiaHR0cHM6Ly9hZXJvaW5zdGEudHIudXB0b2Rvd24uY29tL2FuZHJvaWQvZHciLG51bGwsW1s4LCI5Y2JGaDB1czlOYyJdLFs5LCJlbi1VUyJdLFsxNiwiWzAsMCwwXSJdLFszNSwiMTc3NTQxODUxNyJdLFsxOSwiMiJdLFsxNywiWzBdIl0sWzI0LCIiXSxbMjksImZhbHNlIl1dXQ	US	text	2.60 Kb	whitelisted
2786	app_process64	GET	200	151.101.3.52:443	https://stc.utdstc.com/img/svgs/icon-12-hotlink.svg	US	image	902 b	unknown
2786	app_process64	GET	200	151.101.3.52:443	https://stc.utdstc.com/img/svgs/icon-24-turbo2.svg	US	image	992 b	unknown
2786	app_process64	GET	200	151.101.3.52:443	https://stc.utdstc.com/img/svgs/logo-uptodown.svg	US	image	3.51 Kb	unknown
2786	app_process64	GET	200	151.101.195.52:443	https://www.uptodown.com/cookie-pixel.gif	US	image	35 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
443	mdnsd	224.0.0.251:5353	—	—	—	whitelisted
—	—	142.251.155.119:80	www.google.com	GOOGLE	US	whitelisted
—	—	142.251.157.119:443	www.google.com	GOOGLE	US	whitelisted
—	—	142.251.127.94:80	connectivitycheck.gstatic.com	GOOGLE	US	whitelisted
2786	app_process64	142.251.36.110:80	clients2.google.com	GOOGLE	US	whitelisted
2786	app_process64	151.101.195.52:443	aeroinsta.tr.uptodown.com	FASTLY	US	whitelisted
2786	app_process64	142.251.154.119:443	www.google.com	GOOGLE	US	whitelisted
2786	app_process64	142.251.127.84:443	accounts.google.com	GOOGLE	US	whitelisted
2786	app_process64	95.85.19.25:443	geo.cookie-script.com	DIGITALOCEAN-ASN	US	whitelisted
2786	app_process64	104.26.5.120:443	scripts.ssm.codes	CLOUDFLARENET	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.251.13.113 142.251.13.100 142.251.13.139 142.251.13.101 142.251.13.102 142.251.13.138	whitelisted
clients2.google.com	142.251.36.110	whitelisted
aeroinsta.tr.uptodown.com	151.101.195.52 151.101.67.52 151.101.3.52 151.101.131.52	unknown
www.google.com	142.251.154.119 142.251.155.119 142.251.156.119 142.251.157.119 142.251.151.119 142.251.150.119 142.251.152.119 142.251.153.119	whitelisted
accounts.google.com	142.251.127.84	whitelisted
stc.utdstc.com	151.101.195.52 151.101.3.52 151.101.131.52 151.101.67.52	whitelisted
img.utdstc.com	151.101.195.52 151.101.131.52 151.101.67.52 151.101.3.52	whitelisted
geo.cookie-script.com	185.14.184.154 95.85.19.25 188.226.136.4	whitelisted
fundingchoicesmessages.google.com	142.251.141.142	whitelisted
www.googletagmanager.com	216.58.206.72	whitelisted

Threats

PID	Process	Class	Message
2786	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2786	app_process64	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
822	app_process64	Misc activity	ET INFO Android Device Connectivity Check
339	netd	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)

Add for printing

No debug info

General Info

https://aeroinsta.tr.uptodown.com/android/dw

522F08773B1F63E83A73606C19E69E00

B649497AD41522712CE16B19974A863B3114DBCB

D99233EA9CDFB94A6903BE69DA09EFE8EC8D7965AEDFF5914E192195AB101101

3:N8OMXPbd3E1HBZn:2OI3ExBZ

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Retrieves a list of running application processes

Collects data about the device's environment (JVM version)

Accesses system-level resources

Establishing a connection

Retrieves Android OS build information

Accesses external device storage files

Scans for popular installed apps

Retrieves the ISO country code of the current SIM card

Accesses memory information

Updates data in the storage of application settings (SharedPreferences)

Launches a new activity

Returns the name of the current network operator

Starts a service

Gets data of saved accounts

INFO

Returns elapsed time since boot

Dynamically inspects or modifies classes, methods, and fields at runtime

Gets file name without full path

Loads a native library into the application

Retrieves data from storage of application settings (SharedPreferences)

Retrieves CPU core information

Retrieves the value of a secure system setting

Verifies whether the device is connected to the internet

Detects device power status

Dynamically registers broadcast event listeners

Gets the display metrics associated with the device's screen

Listens for connection changes

Creates and writes local files

Listens for changes in sensors

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings