
SANS ISC: Strange Google-ish domain name lookups after update to Android 10 SANS ISC InfoSec Forums


Strange Google-ish domain name lookups after update to Android 10
Our DNS logs caught the following DNS lookups from a Samsung 10 phone after it updated to Android 10, December 2019 patch level:

*google.com (with the asterisk)
www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com
google.com.onion

I can't find any reason for these lookups. The first is invalid, the second is a parked domain registered with GoDaddy, and the third is a TOR domain.

Finally, the device is communicating to an AWS IP address using TCP port 5229 without any corresponding DNS lookup that resolves to the address.

Anyone seen anything similar?
jauntysankey

6 Posts
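A log-triage sketch for the two observations in the post above, added here as an example and not part of the original post: it flags queried names that are not valid hostnames or use the special-use `.onion` TLD, and lists flows whose destination IP never appeared in a DNS answer to the same client. The tuple layouts, the 24-hour window, the addresses, the timestamps and the length of the long label are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# One hostname label: letters, digits, hyphen; 1-63 octets; no edge hyphen.
LDH = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def triage_qname(qname):
    """Return reason codes for a queried name that deserves a closer look."""
    labels = qname.rstrip(".").split(".")
    reasons = set()
    if labels[-1].lower() == "onion":
        reasons.add("onion-tld")          # special-use TLD (RFC 7686)
    for label in labels:
        if len(label) > 63:
            reasons.add("label-too-long")  # DNS limit is 63 octets per label
        elif not LDH.fullmatch(label):
            reasons.add("non-ldh-label")   # e.g. '*' inside a label
    return sorted(reasons)

def flows_without_dns(answers, flows, window=timedelta(hours=24)):
    """Return flows whose destination IP was in no DNS answer that the same
    client received during `window` before the flow started."""
    resolved = {}
    for ts, client, _qname, ips in answers:
        for ip in ips:
            resolved.setdefault((client, ip), []).append(ts)
    return [f for f in flows
            if not any(timedelta(0) <= f[0] - t <= window
                       for t in resolved.get((f[1], f[2]), []))]

# Constructed sample data (documentation addresses, invented timestamps).
T0 = datetime(2020, 1, 1, 9, 0, 0)
QUERIES = ["*google.com", "google.com.onion",
           "www.g" + "o" * 62 + "gle.com",   # constructed 66-octet label
           "www.google.com"]
# (timestamp, client, qname, answer IPs) and (timestamp, client, dst IP, port)
ANSWERS = [(T0, "10.0.0.23", "www.google.com", ["192.0.2.10"])]
FLOWS = [(T0 + timedelta(seconds=5), "10.0.0.23", "192.0.2.10", 443),
         (T0 + timedelta(minutes=2), "10.0.0.23", "198.51.100.7", 5229)]

if __name__ == "__main__":
    for q in QUERIES:
        print(q, triage_qname(q))
    for flow in flows_without_dns(ANSWERS, FLOWS):
        print("no prior DNS answer:", flow)
```

A flow with no matching answer is only a lead: the client may have resolved the name over a path the logging resolver does not see, or used a hard-coded address.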
