Analysis Overview
SHA256
eab1569e2421840c7777703ef81e3e2341e83963285ad4d4399fae920e18feb8
Threat Level: Likely malicious
The file outline.apk was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Obtains sensitive information copied to the device clipboard
Checks CPU information
Checks memory information
Declares services with permission to bind to the system
Checks the presence of a debugger
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-23 12:02
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 12:02
Reported
2024-05-23 12:08
Platform
android-x86-arm-20240514-en
Max time kernel
19s
Max time network
131s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks the presence of a debugger
Processes
org.outline.android.client
org.outline.android.client:vpn
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.200.14:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.178.3:443 | tcp | |
| GB | 216.58.204.78:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 12:02
Reported
2024-05-23 12:08
Platform
android-33-x64-arm64-20240514-en
Max time kernel
51s
Max time network
132s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/bin/su | N/A | N/A |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /data/local/bin/su | N/A | N/A |
| N/A | /data/local/su | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /data/local/bin/su | N/A | N/A |
| N/A | /data/local/xbin/su | N/A | N/A |
| N/A | /system/bin/failsafe/su | N/A | N/A |
| N/A | /data/local/su | N/A | N/A |
| N/A | /data/local/xbin/su | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
| N/A | /system/bin/failsafe/su | N/A | N/A |
| N/A | /system/bin/su | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Checks the presence of a debugger
Processes
org.outline.android.client
org.outline.android.client:vpn
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.228:443 | udp | |
| GB | 142.250.187.228:443 | udp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp |
| GB | 142.250.200.10:443 | remoteprovisioning.googleapis.com | tcp |
| US | 1.1.1.1:53 | gmscompliance-pa.googleapis.com | udp |
| GB | 216.58.201.106:443 | gmscompliance-pa.googleapis.com | tcp |
| GB | 142.250.200.14:443 | udp | |
| GB | 142.250.200.14:443 | tcp | |
| GB | 142.250.200.14:443 | tcp | |
| GB | 216.58.204.67:443 | tcp | |
| GB | 216.58.204.74:443 | gmscompliance-pa.googleapis.com | udp |
| GB | 216.58.204.74:443 | gmscompliance-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | o74047.ingest.sentry.io | udp |
| US | 34.120.195.249:443 | o74047.ingest.sentry.io | tcp |
| US | 172.64.41.3:443 | tcp | |
| US | 172.64.41.3:443 | tcp | |
| US | 172.64.41.3:443 | udp | |
| GB | 216.58.213.3:443 | tcp | |
| GB | 216.58.213.3:443 | udp | |
| GB | 142.250.187.228:443 | udp | |
| GB | 142.250.187.228:443 | tcp | |
| GB | 142.250.179.228:443 | udp | |
| GB | 142.250.179.228:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.238:443 | android.apis.google.com | udp |