File verdict · Decided by the MT AI Engine
Our call

Safe

Android streaming app with benign engine consensus and typical mobile app behaviour; direct-IP contact is routine for CDN delivery, not malware.

Trust score: 82 (Moderate trust)
MT AI confidence · 78%
streamflix-v1.7.119-only-tv.apk
18.5 MB
6febd85a9f98dfdc7a5e310c66d6
Antivirus engines
0 of 75 flagged
Code signing
Unsigned
Age
First seen 23 days ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

78% Confidence
High
Reasoning

This Android APK shows no malicious detections from any tier-1 engine (Kaspersky, Microsoft, BitDefender, ESET-NOD32, Fortinet, etc.). The triggered DirectIpC2 heuristic flags direct-IP contact without DNS, which is a valid C2 indicator for Windows/Linux malware but is routine in Android apps for content delivery and API communication. The file's obfuscation, reflection, and debug-environment detection are standard Android hardening techniques, not malware signatures. Contacted hosts are clean, ambient MITRE techniques are benign, and the streaming-app context (filename, contacted URL to streamwish.to) aligns with legitimate functionality. Medium prevalence (25 submitters) and absence of external intel hits further support a benign classification.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. tier1Malicious=0; 17 tier-1 engines (Avast, Kaspersky, Microsoft, BitDefender, ESET-NOD32, Fortinet, etc.) all silent — no consensus on any threat family

  2. triggeredHeuristics: MalwareTips.Synth.DirectIpC2 fired on 15 direct IPs + 0 domains; however, direct-IP contact is routine for Android streaming apps (CDN, API backends) and does not indicate C2 in this context

  3. behaviour: 4 ambient MITRE techniques (T1071, T1426, T1429, T1573); zero offensive techniques; no malicious sandbox verdicts; contacted URL is streamwish.to streaming link, not C2

  4. file tags: obfuscated, reflection, detect-debug-environment, runtime-modules — standard Android app hardening, not malware indicators

  5. prevalence: medium (25 submitters, 27 submissions); no external intel hits (CIRCL, MalwareBazaar, YARAify all negative)

Points in its favour
  • 17 tier-1 antivirus engines (Kaspersky, Microsoft, BitDefender, ESET-NOD32, Fortinet, etc.) all report clean
  • Zero malicious detections across 68 reporting engines
  • Benign ambient MITRE techniques; zero offensive techniques
  • No malicious sandbox verdicts, no malicious dropped children, no malicious contacted hosts
  • Medium prevalence (25 submitters, 27 submissions) consistent with legitimate streaming app
Points against
  • Direct-IP contact without DNS (15 IPs, 0 domains) — flagged by DirectIpC2 heuristic, but routine for Android CDN/API backends
  • Code obfuscation and reflection — standard Android app hardening, not malware-specific
  • Debug-environment detection — anti-tampering technique, common in legitimate apps
What to do

This file is safe to use. The DirectIpC2 heuristic alert is a false positive common in Android streaming apps. All major antivirus engines report clean, and behaviour analysis shows no malicious activity.

No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.

1 synthesis
MITRE ATT&CK profile
C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • DirectIpC2 (medium)

    Sample contacted 20 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    104.16.249.249 · 172.67.215.166 · 104.21.86.60
Antivirus engine breakdown

0 detections across 75 engines

0 malicious · 0 suspicious · 75 clean
  • Tier-1 (17 engines): 0 flagged. Top commercial AVs (low FP rate)
  • Tier-2 (38 engines): 0 flagged. Mainstream engines with mixed FP rates
  • Low-trust (20 engines): 0 flagged. Heuristic / generic-AI engines (high FP rate)
All 75 engines report this file as clean.
Hash 6febd85a9f98… cross-referenced against 75 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders
25
Moderate upload volume.
Total submissions
27
Includes repeat uploads by the same source.
First seen by VT
23d ago
May 26, 2026
Prevalence quadrant
  • Rare · New: Targeted malware lives here
  • Common · New: Just-released software
  • Rare · Old: Niche or internal tooling
  • Common · Old: Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
5/26/2026, 12:27:47 PM
First seen (MalwareBazaar)
Last analysis (VT)
6/9/2026, 1:31:45 PM
Scanned here
6/18/2026, 4:41:28 PM
File name
streamflix-v1.7.119-only-tv.apk
Size
18.49 MB
MIME type
(unknown)
Detected type
Android
SHA-256
6febd85a9f98dfdc7af7a115f94e645e7712111cb8ecd6d91090945e310c66d6
MD5
ac7a505a205164895c3c772114040a89
SHA-1
d45768a88bb4c6e063a3f8744658dd6e5adc7eeb
First scan (MalwareTips)
6/18/2026, 4:41:28 PM
Last scan (MalwareTips)
6/18/2026, 4:41:28 PM
Behavior tags
obfuscated · reflection · detect-debug-environment · apk · runtime-modules · android · contains-elf
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.