[New WTFBin]: Android MobileWips App Makes DNS Query for google[.]com[.]onion

[mbabinski]

• Contributor Name: Micah Babinski
• Application/Executable: Samsung MobileWips
• WTF Behavior Description: Samsung MobileWips (presumably a Wireless Intrusion Prevention System) is a default system app on certain Android OS versions. It has been observed making DNS requests to google.com.onion, which will trigger network/DNS-related alerts, such as the Sigma rule Query Tor Onion Address. This domain does not resolve to an IP address, and is not accessible via Tor. It appears to have been added as some sort of DNS check by an Android developer with poor taste!
• Link to Documentation of Behavior:
  https://isc.sans.edu/forums/Strange+Googleish+domain+name+lookups+after+update+to+Android+10/2666/
  https://www.reddit.com/r/samsunggalaxy/comments/eq0qu5/weird_googleish_domains_from_samsung_galaxy_s10/
  https://pastebin.com/bNteJBFH

[mttaggart]

Added in d508559.

[mbabinski]

Thanks @mttaggart! Would you mind correcting my Twitter handle when you get a chance? There should be an "i" at the end not a "y". I appreciate all you do!

[mttaggart]

Fixed! Sorry about that!

…

On Sun, Nov 6, 2022 at 8:29 AM Micah Babinski ***@***.***> wrote: Thanks @mttaggart <https://github.com/mttaggart>! Would you mind correcting my Twitter handle when you get a chance? There should be an "i" at the end not a "y". I appreciate all you do! — Reply to this email directly, view it on GitHub <#27 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABT7BKCOYNSKT5IRNMOH223WG7FFBANCNFSM6AAAAAAQCKPVKI> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- Michael Taggart <https://taggart-tech.com> Twitter <https://twitter.com/mttaggart> Twitch <https://twitch.tv/mttaggart>