stungy

Suspicious Domains Appearing Recently?


(Sprint S10 Android 9, own full Malwarebytes with all protection options enabled)
Recently I've noticed a few suspicious domains in Blokada. They first started appearing while I was using, and after I stopped using, the Sprint Mobile Hotspot, but recently they have just been spammed regardless of any factor.
They are

c00161-dl. urbanairship . com
remote-data. urbanairship . com
device-api. urbanairship . com

I tried using the Net Monitor app, but once I turned that on the domains basically disappeared until I stopped the app, then came back. While using Net Monitor I didn't see anything other than the system being tracked, aside from my internet browser while I was looking things up.

After blocking the remote-data and device-api domains (c00161-dl was already blocked by Blokada without me having to do anything), these two domains now appear nearly constantly, more so than any other domain in Blokada, and it seems those two are prerequisites for c00161-dl, because I haven't seen that since blocking them.

I also went back through the Blokada log and found that the domains had appeared before, but only once every few thousand entries, and it was only one of the three each time: never two or three at once, never spammed like it is now, and never the c00161-dl domain.

I've also stopped using the Sprint mobile hotspot for fear of those domains, I guess, leaking out of the hotspot without my knowing about it.

I've run multiple Malwarebytes scans and they've all turned out clean, and all I could find is that they seem to be harmless middleware, but I hadn't noticed those domains until just now, and the thing that makes me really anxious is that I can't find ANYTHING about c00161-dl, anywhere at all.

I apologize if this is rambly or hard to read; I have been stressed out about this almost all the time since it happened. Am I right to be worried, or am I just being overly paranoid? Any help at all would be very appreciated.

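A worked example added here, not from the original post or from Blokada or Malwarebytes: the poster's check of the Blokada log (sparse hits earlier, a sudden burst now) done with a script. The log line layout and the sample lines are constructed for the example; the real Blokada log format differs, so the regex would need adjusting.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample log: "<ISO timestamp> <BLOCKED|ALLOWED> <domain>".
# The real Blokada log format differs; this layout is an assumption for the example.
SAMPLE_LOG = """\
2020-04-01T10:00:01 ALLOWED connectivitycheck.gstatic.com
2020-04-01T10:05:12 BLOCKED c00161-dl.urbanairship.com
2020-04-01T11:30:45 ALLOWED device-api.urbanairship.com
2020-04-02T09:00:00 BLOCKED remote-data.urbanairship.com
2020-04-02T09:00:02 BLOCKED device-api.urbanairship.com
2020-04-02T09:00:04 BLOCKED remote-data.urbanairship.com
2020-04-02T09:00:06 BLOCKED device-api.urbanairship.com
2020-04-02T09:00:08 BLOCKED remote-data.urbanairship.com
2020-04-02T09:00:10 BLOCKED device-api.urbanairship.com
"""
LINE_RE = re.compile(r"^(\S+)\s+(BLOCKED|ALLOWED)\s+(\S+)$")

def parent_domain(fqdn, labels=2):
    """Collapse a hostname to its registrable parent (last two labels).
    Good enough for .com; a public-suffix list is needed for co.uk-style TLDs."""
    parts = fqdn.lower().strip(".").split(".")
    return ".".join(parts[-labels:])

def parse_log(text):
    """Yield (timestamp, action, fqdn) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def hourly_counts(text):
    """Map parent domain -> Counter of hits per hour bucket ('YYYY-MM-DDTHH')."""
    buckets = defaultdict(Counter)
    for ts, _action, fqdn in parse_log(text):
        buckets[parent_domain(fqdn)][ts.strftime("%Y-%m-%dT%H")] += 1
    return buckets

def burst_domains(text, factor=3):
    """Return parents whose busiest hour is >= factor x their median hourly count
    (only domains seen in at least two hours), i.e. the 'suddenly spammed' pattern."""
    flagged = {}
    for parent, per_hour in hourly_counts(text).items():
        counts = sorted(per_hour.values())
        if len(counts) < 2:
            continue
        median = counts[len(counts) // 2]
        if counts[-1] >= factor * median:
            flagged[parent] = (counts[-1], median)
    return flagged
```

Grouping the three subdomains under their parent is what makes the burst visible; counted individually, each one looks like a modest new entry.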

Hi @stungy,

AirShip is a legitimate analytics company used by many legitimate apps. Those analytics are used to send "meaningful messages" to customers. Is Blokada blocking them?

There is no malicious activity going on here. Thus, we don't detect. If you are really worried about them, you can try uninstalling recently installed apps as one of them is probably using AirShip. Otherwise you can just ignore them as they are harmless.

Nathan


I just got an email from someone at Facebook with the same URL saying that they've got my information and have all the passcode information for my different services, which they gathered from my browser and using keyloggers. He demanded $1900 in ransom.

When I checked the mailing address it was something like @Focebookofficial something.

So, these kinds of spam have increased.


Aleeam, I just received an email very similar to yours also demanding $1900 in ransom. Glad that MWB is protecting us from this sort of malware! Is there any way to detect if there is indeed a keylogger or other malware on my machine just in case?


Hi @mbam_mtbr, thank you for replying.

Blokada and the host lists I use, Energized Basic and AdGuard DNS, only blocked the c00161-dl domain by default. I then put the other two domains in the blacklist.

My first thought was to check to see if a new app was causing these, but when they started no new apps were installed, and none were even updated to my knowledge. I checked both with the Settings app, going through all my apps, and then with the Malwarebytes log to see the newest installations, and there were no new apps that really correlate.

It seems it appeared out of nowhere, and I looked into Airship and could find nothing about those specific subdomains except device-api, which is the only one that I could find with any documentation or web presence at all.

I guess that it just appeared one day randomly, and the fact that I can't find anything about those domains at all is what is troubling me. And I haven't received any threatening emails at all. Those people may have a different problem.

Any help would be appreciated, thank you.
