An on-device scanner that checks Android TV boxes, phones, tablets and emulator images for indicators of compromise (IOCs) associated with the major Android proxy botnets and residential-proxy ("proxyware") abuse:
| Family | What it is | Seed IOCs |
|---|---|---|
| BADBOX / T95 "Corejava" | Preinstalled firmware backdoor on cheap AOSP boxes (T95, X12, X88...) | C2 domains, C2 IP, /data/system/Corejava paths, malicious preinstalled packages, device models |
| BADBOX 2.0 | 1M+ device botnet disrupted by HUMAN/Google/Trend Micro/FBI (2025) | C2 domains (catmore88.com, ipmoyu.com), com.hs.app, "secondstage" artifacts, ~55 published infected device models |
| Vo1d | 1.6M+ Android TV botnet (XLab / Dr.Web research) | 16 C2/downloader domains, 10 IPs, fake-GMS packages (com.google.android.gms.stable, com.goog1e.apps), /data/google/* daemons, 15 sample MD5s |
| Popa / NetNut | ~2M-device proxy botnet feeding the NetNut residential proxy platform (FBI seizure, July 2026); Popa is a Vo1d-linked plugin | Control domains (gmslb.net, safernetwork.io, tera-home.com, ninjatech.io), NetNut domains, names of streaming apps observed bundling the proxy component (CRICFy, DooFlix, Flixoid...) |
| PEACHPIT / PROXYLIB / proxyware | Ad-fraud and bandwidth-selling SDKs embedded in apps (LumiApps, Netas, Bright Data, Honeygain, IPRoyal Pawns...) | 21 SDK identifiers matched against package names and declared service classes, plus provider domains |
These families share the same cheap-Android-TV / IoT attack surface. The Android-TV ones (cecbot, katana, kimwolf, maskify, mossadproxy, drifter) can match on device; the Mirai-lineage Linux DDoS bots mostly contribute C2 domains and IPs for network-side detection and router/Pi-hole hunting rather than package hits.
| Family | What it is |
|---|---|
| aisuru | Mirai-derivative DDoS botnet, active since August 2024 |
| cecbot | Android TV botnet with HDMI-CEC abuse, successor to Katana |
| cecilio | CatDDoS derivative with modified RC4 cipher, OpenNIC C2 |
| datasurge | Mirai-lineage bot with no self-propagation; competitor-killing scanner larger than its DDoS engine, plus operator RAT features |
| drifter | Independent DDoS botnet on the ADB attack surface, CCTV-themed C2 domains |
| jackskid | Mirai variant sharing code lineage with Aisuru, DoH C2 via mbedTLS |
| katana | Mirai variant with on-device compiled rootkit, targeting Android TV set-top boxes |
| kbotne | Mirai-lineage DDoS botnet, WebSocket C2 on port 80, hex-encoded config, a broken Android APK |
| kimwolf | Dual-purpose residential proxy and DDoS botnet, 3M+ devices observed |
| maskify | Dual-purpose proxy/DDoS botnet with ENS, IPFS, and a custom P2P mesh |
| mossadproxy | Android TV/IoT DDoS botnet via ADB, operationally linked to the ecosystem |
| potassium | Mirai variant with SHELL/SHOUT reverse-shell protocol, three rotating campaigns from one codebase |
| vibenet | Custom DDoS-and-proxy family; no-libc Linux build ships its own TLS/QUIC/HTTP3 stack for Layer-7 floods behind a browser fingerprint, on-chain ENS C2 |
Note: `keys.csv` from the Deepfield repo (RC4/ChaCha20/ENS decryption keys, APK cert serials) is deliberately not imported: those are sample-unpacking material, not indicators observable on a running device. Non-Android sample hashes (ELF ARM/MIPS) are included: they won't match an installed APK but are valid for VirusTotal lookups and future on-disk file hashing.
- Device identity - model/product/board strings vs. published infected-firmware model lists, `test-keys` firmware signing, missing or impostor Google Play services.
- Network - live connections vs. IOC IPs (`/proc/net`, works up to Android 9; Android 10+ falls back to a localhost proxy-port probe), device-wide HTTP proxy setting (flags known-bad endpoints), proxy-style listening ports (1080/3128/8118/8888/9050), active VPN transports.
- Filesystem persistence - known malware paths (Corejava, Vo1d daemons, `secondstage`...), uses a root shell for `/data` paths when available, `su` binaries, writable `/system`, netcat/tcpdump/busybox shipped in firmware.
- Proxyware SDKs - every installed app's package name and service classes vs. proxyware SDK identifiers.
- Installed apps - every APK hashed (SHA-256 + MD5) and matched against IOC hashes; package names and app labels vs. IOC lists; heuristics for headless boot-persistent networked apps and sideloaded apps.
- VirusTotal enrichment (optional) - looks up finding hashes/domains/IPs via VT API v3, paced at 4 requests/minute for the free tier. Add your API key in Settings.
- Report export - pretty-printed JSON report (device info + findings + IOC DB version) saved under `Android/data/io.iocscanner/files/reports/` and offered via the share sheet. On a box with no share targets: `adb pull /sdcard/Android/data/io.iocscanner/files/reports/`.
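The core of the Android 9-and-below network check, as an added example in Python rather than code from the app itself: decode `/proc/net/tcp` rows, match established peers against an IOC IP set and spot proxy-style listeners. The table contents and the IOC address 203.0.113.10 are constructed for the demonstration; on a real box the file is read on-device or pulled with `adb shell cat /proc/net/tcp`.

```python
import socket

# Proxy-style listening ports the scanner flags (from the check list above).
PROXY_PORTS = {1080, 3128, 8118, 8888, 9050}
ESTABLISHED, LISTEN = "01", "0A"          # socket states as printed in /proc/net/tcp

# Constructed sample of /proc/net/tcp (not a real capture): hex IPv4 in host byte
# order (little-endian on ARM/x86 Android) + ':' + hex port. Rows: 0.0.0.0:1080 LISTEN,
# 127.0.0.1:8080 LISTEN, 192.168.1.2:49908 -> 203.0.113.10:443 ESTABLISHED (made-up IOC IP).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0438 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1001 1
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1002 1
   2: 0201A8C0:C2F4 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000 10087        0 1003 1
"""

def decode_addr(field):
    """'0A7100CB:01BB' -> ('203.0.113.10', 443); bytes are reversed to network order."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse the table into dicts with local/remote endpoints and state."""
    sockets = []
    for line in text.splitlines()[1:]:                # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_ip, local_port = decode_addr(fields[1])
        remote_ip, remote_port = decode_addr(fields[2])
        sockets.append({"local_ip": local_ip, "local_port": local_port,
                        "remote_ip": remote_ip, "remote_port": remote_port,
                        "state": fields[3]})
    return sockets

def find_c2_connections(sockets, ioc_ips):
    """Established connections whose peer address is in the IOC IP set."""
    return sorted((s["remote_ip"], s["remote_port"]) for s in sockets
                  if s["state"] == ESTABLISHED and s["remote_ip"] in ioc_ips)

def find_proxy_listeners(sockets, ports=PROXY_PORTS):
    """Local ports in LISTEN state that sit on the proxy-style port list."""
    return sorted(s["local_port"] for s in sockets
                  if s["state"] == LISTEN and s["local_port"] in ports)

if __name__ == "__main__":
    socks = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print("C2 connections:", find_c2_connections(socks, {"203.0.113.10"}))
    print("proxy listeners:", find_proxy_listeners(socks))
```

The same decoding applies to `/proc/net/tcp6` with 128-bit addresses, which is why the page's Android 10+ fallback (a localhost port probe) exists: from Android 10 the file is no longer readable by a normal app.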
The bundled database lives at `app/src/main/assets/iocs.json`. Every entry carries `type`, `value`, `family`, `note`, and `source`. Types: `domain`, `ip`, `sha256`, `md5`, `package`, `app_label`, `file_path`, `device_model`, `sdk_id`.
You can host a curated copy (same schema) anywhere reachable over HTTPS (a GitHub raw URL), and pull it from Settings → IOC database → Download update. This is how you keep the app current as new research drops, without rebuilding.
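An added example, not code from the project, of how a consumer of the IOC database can validate entries of the types listed above and match one installed app against them. The `{"version", "iocs"}` wrapper around the entry list and the shape of the app-inventory dict are assumptions; the sample database is constructed (package and SDK values from this README, hashes dummies).

```python
import ipaddress, json, re

IOC_TYPES = {"domain", "ip", "sha256", "md5", "package", "app_label",
             "file_path", "device_model", "sdk_id"}
HASH_SHAPE = {"sha256": re.compile(r"^[0-9a-f]{64}$"), "md5": re.compile(r"^[0-9a-f]{32}$")}

# Constructed iocs.json fragment; the {"version", "iocs"} wrapper is an assumption. Package
# and SDK values come from this README, the two hash entries are dummies (one malformed).
SAMPLE_DB = json.dumps({"version": "example", "iocs": [
    {"type": "package", "value": "com.hs.app", "family": "BADBOX 2.0",
     "note": "malicious preinstalled package", "source": "HUMAN Satori"},
    {"type": "sdk_id", "value": "io.popanet", "family": "Popa / NetNut",
     "note": "SDK library name", "source": "Qurium"},
    {"type": "sha256", "value": "AA" * 32, "family": "constructed", "note": "dummy hash",
     "source": "constructed"},
    {"type": "sha256", "value": "not-a-hash", "family": "constructed", "note": "malformed",
     "source": "constructed"}]})

def load_iocs(text):
    """Parse the DB, drop malformed entries, index the rest as {type: {value: entry}}."""
    index, rejected = {t: {} for t in IOC_TYPES}, []
    for e in json.loads(text)["iocs"]:
        t, v = e.get("type"), str(e.get("value", "")).strip()
        ok = t in IOC_TYPES and bool(v) and {"family", "note", "source"}.issubset(e)
        if ok and t in HASH_SHAPE:
            v = v.lower(); ok = bool(HASH_SHAPE[t].match(v))   # hashes compare lowercase
        elif ok and t == "ip":
            try: ipaddress.ip_address(v)
            except ValueError: ok = False
        elif ok and t in ("domain", "package", "sdk_id"):
            v = v.lower()
        if ok:
            index[t][v] = e
        else:
            rejected.append(e)
    return index, rejected

def match_app(app, index):
    """One installed app's facts vs. the index; returns (ioc type, family) hits."""
    hits = []
    keys = {"package": app["package"].lower(), "app_label": app["label"],
            "sha256": app.get("sha256", "").lower(), "md5": app.get("md5", "").lower()}
    for t, key in keys.items():
        if key in index[t]:
            hits.append((t, index[t][key]["family"]))
    # proxyware SDK check: package name or any declared service class under an SDK prefix
    for name in [app["package"]] + app.get("services", []):
        for sdk, e in index["sdk_id"].items():
            if (name.lower() == sdk or name.lower().startswith(sdk + ".")) and ("sdk_id", e["family"]) not in hits:
                hits.append(("sdk_id", e["family"]))
    return hits
```

Rejected entries are returned rather than silently dropped so a curated copy downloaded from Settings can be sanity-checked before it replaces the bundled one.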
Good sources to watch for updates:
- HUMAN Security Satori blog (BADBOX, BADBOX 2.0, PEACHPIT, PROXYLIB)
- XLab-Qianxin blog (Vo1d, Kimwolf)
- Krebs on Security (Popa / NetNut coverage, June-July 2026)
- DesktopECHO/T95-H616-Malware on GitHub (T95-class boxes)
- Flo5k5/proxyware-blocklist on GitHub (proxyware/bandwidth-sharing domains)
- Shadowserver sinkhole reports and the FBI IC3 BADBOX 2.0 alert
Requirements: JDK 17, Android SDK (platform 34). No NDK.
- Android Studio: open the project folder, let it sync, Run.
- CLI:

  ```
  gradle assembleDebug   # or .\gradlew assembleDebug once the wrapper jar exists
  adb install app/build/outputs/apk/debug/app-debug.apk
  ```

Installing onto a TV box over the network:

```
adb connect <box-ip>:5555   # enable ADB over network in the box's developer options
adb install app-debug.apk
```
The app appears in the leanback launcher ("Proxy IOC Scanner") and is fully D-pad navigable.
- CRITICAL - direct IOC hit (known package, known hash, live C2 connection, known filesystem artifact). Treat the device as compromised: isolate it from the network. Preinstalled implants survive factory resets. Reflashing clean firmware or discarding the device is the honest remediation for firmware-level families.
- HIGH - strong correlation (proxyware SDK, infected-model list, impostor GMS, exposed proxy port). Investigate before trusting the device.
- MEDIUM/LOW - heuristics (rooted firmware, sideloaded/headless networked apps, global proxy set). Normal on some hobbyist setups; suspicious on a stock consumer box.
- A clean scan is not a clean bill of health: without root, `/data` can't be fully inspected, and on Android 10+ live connections can't be enumerated. The strongest complementary signal is watching the device's DNS at your router or Pi-hole for the IOC domains in `iocs.json`.
- No traffic capture: a `VpnService`-based DNS monitor would let the app match IOC domains live (currently domains are matched only against the global-proxy setting; they're primarily there for router-side hunting and VT checks).
- No APK signature-certificate matching yet.
- Vo1d/BADBOX components living as native daemons outside `/data/app` are only detectable via the file-path IOCs (root helps a lot).
- Emulator images: install the APK into the running emulator; scanning `.img` files offline is out of scope for the on-device app.
This is a detection-only tool: it reads public system state on a device you own or are authorized to assess. It performs no exploitation, no traffic interception, and contacts nothing except VirusTotal (with your key) and the IOC update URL you set.
Seed IOCs were compiled 2026-07-04 from:
- HUMAN Satori: BADBOX 2.0 disruption (with Google, Trend Micro, Shadowserver)
- Point Wild: BADBOX 2.0 threat intel
- Rescana: BADBOX 2.0 and Vo1d impacted models
- XLab-Qianxin: Long Live the Vo1d Botnet
- DesktopECHO: T95-H616-Malware
- Krebs on Security: "Popa" botnet linked to publicly-traded Israeli firm and FBI seizes NetNut proxy platform
- Qurium: Finding Popa - ~50 backend/bootstrap domains, SDK library names (libneunative/libalphasdk/io.popanet), bundled-app hashes, TCP/6000 relay protocol
- Nokia Deepfield: public-research popa/iocs - machine-readable director IPs, 370-node relay fleet snapshot, Google Drive payload channel (db v2, added 2026-07-04)
- Flo5k5: proxyware-blocklist
- The Hacker News: PROXYLIB / LumiApps proxyware apps
A device-model match alone is correlation, not proof of infection — many of these model strings are shared across clean and dirty firmware batches.

