Analysis Overview
SHA256
e732ac95aac2dd92fea28abf70f113aca63995327048b78b3a3afd10366ec5d3
Threat Level: Known bad
The file WhatsApp Business.apk was found to be: Known bad.
Malicious Activity Summary
Android Triada payload
Triada family
Loads dropped Dex/Jar
Queries information about active data network
Declares services with permission to bind to the system
Requests dangerous framework permissions
Acquires the wake lock
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-02 21:28
Signatures
Android Triada payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Triada family
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by chooser target services to bind with the system. Allows apps to modify targets that handle user actions. | android.permission.BIND_CHOOSER_TARGET_SERVICE | N/A | N/A |
| Required by remote views services to bind with the system. Allows apps to share and display views across different processes. | android.permission.BIND_REMOTEVIEWS | N/A | N/A |
| Required by telecom connection services to bind with the system. Allows apps to manage phone call aspects such as call setup and notifications. | android.permission.BIND_TELECOM_CONNECTION_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to access any geographic locations persisted in the user's shared collection. | android.permission.ACCESS_MEDIA_LOCATION | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A |
| Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A |
| Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A |
| Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. | android.permission.READ_MEDIA_VISUAL_USER_SELECTED | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Required to be able to advertise and connect to nearby devices via Wi-Fi. | android.permission.NEARBY_WIFI_DEVICES | N/A | N/A |
| Required to be able to discover and pair nearby Bluetooth devices. | android.permission.BLUETOOTH_SCAN | N/A | N/A |
| Required to be able to advertise to nearby Bluetooth devices. | android.permission.BLUETOOTH_ADVERTISE | N/A | N/A |
| Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-02 21:28
Reported
2025-03-02 21:29
Platform
android-x86-arm-20240910-en
Max time kernel
1s
Max time network
19s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
com.whatsapp.w4b
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| AU | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp |
| GB | 142.250.179.234:443 | digitalassetlinks.googleapis.com | tcp |
Files
/data/data/com.whatsapp.w4b/files/Logs/whatsapp.log
/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events-journal
/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events
/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events-wal
/data/data/com.whatsapp.w4b/files/crash_sentinel
/data/data/com.whatsapp.w4b/files/PersistedInstallation2065137773045395897tmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-02 21:28
Reported
2025-03-02 21:31
Platform
android-x64-20240910-en
Max time kernel
1s
Max time network
156s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
com.whatsapp.w4b
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.180.10:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| AU | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.14:443 | android.apis.google.com | tcp |
| AU | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp |
| GB | 142.250.187.202:443 | digitalassetlinks.googleapis.com | tcp |
| AU | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.213.2:443 | | tcp |
Files
/data/data/com.whatsapp.w4b/files/Logs/whatsapp.log
/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events-journal
/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events
/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events-journal
/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events-journal
/data/data/com.whatsapp.w4b/files/PersistedInstallation6343418706531246338tmp
/data/data/com.whatsapp.w4b/files/crash_sentinel
Analysis: behavioral3
Detonation Overview
Submitted
2025-03-02 21:28
Reported
2025-03-02 21:31
Platform
android-x64-arm64-20240910-en
Max time kernel
1s
Max time network
151s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A |
| N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
com.whatsapp.w4b
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 216.239.34.223:443 | | tcp |
| GB | 142.250.187.238:443 | | tcp |
| GB | 142.250.187.238:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| AU | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.14:443 | android.apis.google.com | tcp |
| AU | 1.1.1.1:53 | www.youtube.com | udp |
| GB | 142.250.179.238:443 | www.youtube.com | tcp |
| GB | 172.217.169.14:443 | www.youtube.com | tcp |
| AU | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp |
| GB | 172.217.169.10:443 | digitalassetlinks.googleapis.com | tcp |
| US | 216.239.32.223:443 | | tcp |
| GB | 142.250.200.46:443 | www.youtube.com | tcp |
| GB | 142.250.179.225:443 | | tcp |
| GB | 142.250.200.33:443 | | tcp |
| US | 216.239.32.223:443 | | tcp |
| US | 216.239.32.223:443 | | tcp |
Files
/system_ext/framework/androidx.window.sidecar.jar
/data/data/com.whatsapp.w4b/files/Logs/whatsapp.log
/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events-journal
/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events
/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events-journal
/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events-journal
/data/data/com.whatsapp.w4b/files/crash_sentinel
/data/data/com.whatsapp.w4b/files/PersistedInstallation6601206200003120009tmp