File verdict · Decided by the MT AI Engine
Our call

Safe

Zero tier-1 engine detections across 75 engines; 3,407 submitters; contacted hosts are legitimate Google/Firebase infrastructure.

Trust score: 88 (High trust)
MT AI confidence · 82%
copy.apk
17.6 MB
d0f133e073fc34ddda2d9f9b97a7
Antivirus engines
0 of 75 flagged
Code signing
Unsigned
Age
First seen 12mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 82% (High)
Reasoning

The evidence strongly supports a safe classification. All 17 tier-1 engines report the file as undetected, and no tier-1 consensus on any malware family exists. The heuristic rule 'MalwareTips.Synth.DirectIpC2' fired because the app contacted external IPs without using DNS, but inspection reveals those IPs belong to Google, Cloudflare, and Firebase — standard cloud services used by Android apps for telemetry and remote configuration. The file's prevalence (common_old, 353 days, 5,692 submissions) is inconsistent with novel malware. Behaviour analysis shows only ambient MITRE techniques typical of Android apps (network communication, device info queries, GPS checks, clipboard access) with zero offensive techniques. No malicious sandbox verdicts or malicious dropped children were detected. Community comments are conflicting, with one researcher scoring it 'Clean' and another flagging obfuscation — but the absence of tier-1 consensus and the benign contacted hosts override the obfuscation concern.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines: 0/67 malicious; tier1Malicious=0; tier1ReportedClean=17 (Kaspersky, Microsoft, BitDefender, ESET-NOD32, Fortinet, Avira, Emsisoft, F-Secure, GData, Ikarus, DrWeb, Avast, AVG all silent)

  2. prevalence.classification='common_old' — 3407 unique submitters, 5692 submissions since 2025-06-30; widely distributed, inconsistent with novel malware

  3. contactedIps: 15 IPs inspected, all resolve to Google (142.251.*, 172.253.*), Cloudflare (172.67.*), Firebase infrastructure — no known-malicious hosts in our URL cache

  4. behaviour: 0 offensive MITRE techniques; 9 ambient techniques (T1071, T1406, T1409, T1421, T1422, T1424, T1426, T1430, T1573) typical of Android apps; no malicious sandbox verdicts; no malicious dropped children

  5. triggeredHeuristics 'MalwareTips.Synth.DirectIpC2' fired on pattern (direct IPs, no domains) but contacted hosts are legitimate cloud services, not C2 infrastructure

Points in its favour
  • Zero tier-1 engine detections across 17 high-trust antivirus engines
  • Contacted hosts are all legitimate Google, Cloudflare, and Firebase infrastructure
  • File is widely distributed (3,407 submitters, 5,692 submissions) with no consensus malicious verdict
  • No malicious sandbox verdicts, no malicious dropped children, no offensive MITRE techniques
  • Community researcher scored the file 'Clean' (20/100)
Points against
  • File is obfuscated (ProGuard or similar), which is common in both legitimate and malicious Android apps
  • Heuristic rule flagged direct-IP contact pattern, though the IPs resolve to legitimate cloud services
  • One community researcher flagged sensitive permissions and obfuscation techniques
What to do

This file is safe to use based on tier-1 engine consensus and benign contacted infrastructure. If you have concerns about the app's permissions or behaviour, review the Android manifest and consider whether the requested permissions align with the app's intended function.

Dropped payload

Files this sample writes at runtime

This file drops 1 child at runtime; it is not currently flagged malicious in our cache.

1 unseen
  • 6c8288c4332da47f57c51e5938 · Never scanned (never seen before)
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

One or more medium-severity heuristic rules matched. Not definitive, but the patterns match known malware behaviour.

1 synthesis
MITRE ATT&CK profile: C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • DirectIpC2 · medium

    Sample contacted 20 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    104.21.88.154 · 172.67.216.55 · 172.253.115.94
Antivirus engine breakdown

0 detections across 75 engines

0 malicious · 0 suspicious · 75 clean
Tier-1: 17 engines, 0 flag
Top commercial AVs (low FP rate)
Tier-2: 38 engines, 0 flag
Mainstream engines with mixed FP rates
Low-trust: 20 engines, 0 flag
Heuristic / generic-AI engines (high FP rate)
All 75 engines report this file as clean.
Hash d0f133e073fc… cross-referenced against 75 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old
Unique uploaders
3,407
Hundreds of people have uploaded this — common.
Total submissions
5,692
Includes repeat uploads by the same source.
First seen by VT
12mo ago
Jun 30, 2025
Prevalence quadrant (this file: Common · Old)
Rare · New: Targeted malware lives here
Common · New: Just-released software
Rare · Old: Niche or internal tooling
Common · Old: Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
6/30/2025, 5:54:11 AM
First seen (MalwareBazaar)
Last analysis (VT)
6/13/2026, 2:44:05 PM
Scanned here
6/18/2026, 4:58:36 PM
File name
copy.apk
Size
17.61 MB
MIME type
(unknown)
Detected type
Android
SHA-256
d0f133e073fc34dddad298e7dd6a695d935e0dbd2a627d74a402792d9f9b97a7
MD5
f2455f0a47fe709aeb49e531d6052eb8
SHA-1
afa78dfc56daa35a51a3041187a1cf22655ccf7b
First scan (MalwareTips)
6/18/2026, 4:58:36 PM
Last scan (MalwareTips)
6/18/2026, 4:58:36 PM
Behavior tags
apk, runtime-modules, contains-elf, obfuscated, telephony, android, reflection, clipboard, checks-gps
Community classification

Reviews & malware reports (0)

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.