FBC_bestchoice

Analysis

Traffic capturing showed the initial link and hop chain. In the traffic analyzer the chain of conversions looks like this:

The initial link comes from the firebaseremoteconfig service.

Definitions

This group of applications uses the firebaseremoteconfig service to retrieve traffic links and other data. The response from the service firebaseremoteconfig has a "url" parameter.

The process of traffic analysis looks like this:

Conclusion

The analysis results are YARA rules based on the links found and the strings unique to this type of application.

Yara rules: https://pastebin.com/zWmsWMXz

Password: QXHRD9L2iT