Technical information
Malicious functions:
Executes code of the following detected threats:
- Android.Backdoor.961.origin
Network activity:
Connects to:
- UDP(DNS) <Google DNS>
- TCP(HTTP/1.1) www.appp####.xyz:443
DNS requests:
- www.appp####.xyz
HTTP GET requests:
- www.appp####.xyz:443/socket.io/?apkAccountBindId=####&EIO=####&transport...
- www.appp####.xyz:443/stream/socket.io/?apkAccountBindId=####&directAndro...
File system changes:
Creates the following files:
- /data/data/####/2026-06-27.jsonl
- /data/data/####/android_4a50e5962e5c3cb748878d52_1782544238570.jsonl
- /data/data/####/androidx.work.workdb-journal
- /data/data/####/androidx.work.workdb-wal
- /data/data/####/androidx.work.workdb.lck
- /data/data/####/keepalive_process_diagnostics.xml
- /data/data/####/keyboard_allowlist_store.xml
- /data/data/####/latest_permission_diagnostic.json.tmp
- /data/data/####/libc++_shared.so
- /data/data/####/libepicwrap.so
- /data/data/####/monitor_db-journal
- /data/data/####/monitor_db-wal
- /data/data/####/monitor_db.lck
- /data/data/####/o.apk
- /data/data/####/p_dex
- /data/data/####/permission_diagnostics.xml
- /data/data/####/profileInstalled
- /data/data/####/profileinstaller_profileWrittenFor_lastUpdateTime.dat
- /data/data/####/remote_control_prefs.xml
- /data/misc/####/primary.prof
- /data/user_de/####/remote_control_direct_boot.xml
- /databases/monitor_db
- /databases/monitor_db-shm
- /databases/monitor_db-wal
- /no_backup/androidx.work.workdb
- /no_backup/androidx.work.workdb-shm
- /no_backup/androidx.work.workdb-wal
Miscellaneous:
Loads the following dynamic libraries:
- libEPIC
- libepicwrap
- libnativeloader
Gets information about installed apps.
Displays its own windows over windows of other apps.
Requests the system alert window permission.
Appears corrupted in a way typical for malicious files.
