### Mobile Cyberespionage Campaign‘Bouncing Golf’Affects Middle East ## Appendix ----- # Indicators of Compromise (IoCs) |SHA-256|Package Name|Label|Version|App Internal Name| |---|---|---|---|---| |00e82927b20d2db5bdfc6bff77f68 41d0e59af80adce3f86f902776691 59e5f3|com.iran.sunni.time|قح میسن|1.1|Azaan N-2| |01cebc3a542b08c7f818540d826c 7717b7354552c20ff897e9cdbdde aabe962f|com.whatsapp.w4b|WhatsApp Business|2.18.122|00024-USER17- WAB-01| |0593167d6e7f63c8401c4393f999 de2b889078ddaa3713a0d0277b9 53b7b41c9|com.andromo.dev791306. app895682|ينطوم|1|00064-USER12- MAWTANI_AHAM MED| |0801d88fa8a3cf0569e2b388ec74 ed3ff71e1edaf173e99c78edf86cf3 aba6f6|com.andromo.dev785707. app891043|سرب برام|1|00055-USER12- MAREBPRESS- 12000| |09649ca5ea3efb312b6fde47fb3e0 e260f762caec2c81f663fb5489eb6 30ae15|com.geektoro.assrarnaja7 l7ayat|ةایحلا ىف حاجنلا|1|00038-USER17- NAJAHINHIAH-00| |0ad4930bbbf510a4b71379a5415a 22dc15f2210c872494e128b875fa 114d5918|com.dianxinos.optimizer.d uplay|DU Speed Booster|2.4.6|00058-USER17- DU.Speed.Booster -17000| |1024c9bc5bb77c274aa28502f280 470a25d27d99657a4cc9b15e194 a677fb5cc|com.andromo.dev791306. app895677|ينطوم|1|00065-USER12- MAWTANI_KAMA L| |10e7ef263a62b3bde0047bc5870f 1791781d32f399dc0e15f1fac8076 d52d9f7|com.andromo.dev789740. app892709|نایبلا ةفیحص|1|00060-USER12- AL- BIANEMARAT.1.0 -12000| |146fd6f27df73bcdf9a245ed42904 7c8d279fd635cf8db63f3039a9b47 fd5363|com.devhd.feedly|feedly|38.0.0|00026-USER12- feedly_38| |18b9f74dba23030272ae87a46128 13317fe3c8ab8bef8ca643c7fd8b0 c2ce7dd|com.andromo.dev785707. app890246|ظاكع|1|00054-USER12- AKAZMAIN.1.0- 12000| |1abd66b4b608735e76053710384 9b64aaa56a118b80bdc02c2d23ef 20087ee57|com.andromo.dev789740. app892698|داحتلاا ةفیحص|1|00061-USER13- ETHADEMARAT- 13000| |208d3af2924585fae89228705bb5 e1a0695ab3ad9ccedc4fa5f5234c3 8b36bba|org.telegram.plus|Plus|4.9.1.5|00031-USER17- Plus_Tele.4.9.1.2| |22df35ef54e8381ab7be67dfd4f78 1c8b9eef3a80499e5261d0b9f2d4 e7b8e91|com.zico.shalt_2|ةلظنح وبا تلیاش 2018 ينادوسلا|1.4|00063-USER12- SHILAT_ABO_HA NTHALAH| |24c3c9c8d4174da861ca852af2de 65d72c8f63e5d8f70c88e10c1702 56743da1|zozo.android.riddle|ةملكو زغل|4.1|00043-USER12- PUZZLEANDWOR D-12000| |2a1d539d08826b36f3e1dcad174c 9693401ab94dd22cf315fb2af9b37 d3e9d0f|com.maher4web.hisn|ملسملا نصح|4|000154-USER12- Hisn Al Muslim Azkar_v4.0| ----- |2d76d929c6e9a2e45caaca7706ff 3a0cfebcac4a8c711d44d586eb4b c121eeed|com.andromo.dev800523. app906043|شیجلا تایموی|1|00071-USER13- SITENEWS| |---|---|---|---|---| |30287e48b23b6098d7cebafb3b14 c6a2167de214c46553ca1a995a8 3fe934ef5|com.ag4apps.drawfuture|كسفنب كلبقتسم مسرا|1|00059-USER17- MOSTAQBEL_RA SEM-17000| |306db737da630c68957a3f9c200f 7cc3f5d16d2aa2e1719cc5445dd1 26a27249|org.thoughtcrime.secures ms|Signal|4.6.1|00036-USER13- Signal| |319c499932badf0b51fa4401d6cd c97b3a677299ebb2c80e53078ae 1b5ca236f|com.dianxinos.optimizer.d uplay|DU Speed Booster|2.4.6|193-DSB-51201| |34d750ec2c208982d37d8fb3fea3 0d41fa0c681464f5f477fc20ed3c7 5499bd4|com.okaz.okaz_yemen|Okaz-Yemen|1|00161-USER12- okaz| |36be3e5f866a2b80ebe8e2f16b2d 52a6109b27e703302ea763f923a1 60bbecd6|org.telegram.messenger|Telegram|3.2.5|00019-USER13- TELEGRAM2.3.5- 130000| |371f80e2cdb0a37280b03b006fd7 756b3e07b2e264f7f5b56a277b99 ccae406a|com.andromo.dev798323. app903534|نمیلا رابخا رخا|1|00068-USER12- APPSAHEL-01| |3787bfd64c6092407a9e46d6a444 ea1ea7380ac87a5576f8222a6db8 c502ad03|com.andromo.dev783746. app883584|يتحفص|1|00049-USER12- Mareb-1.0-12000| |3984c25dba94309a89f911ecd65d f2e182e6430f3b0aec1efa11b6a9e 58932b4|ding.com.android.messag es|DingDing|3.4.0|364-ding-71225| |3dd8ddce3d5d8ba028227b2aba2 edd7646be8d8cae4db8e7a40015 c31c8c39b5|com.andromo.dev798323. app923901|نطولا رابخا|1|00078-USER12- WAFA-SA-0.2.1| |403f8e773d57c5b9247c089a11a9 6edd9260bc3a616a5a3cf70f17fe8 fd37fe4|org.telegram.messenger|Telegram|3.2.5|00037-USER12- TELEGRAM2.3.5- 12000| |428c851322095fb1c737966a843c 325575779b0d2c1ef3581fbf517ea 8a2a5ea|org.telegram.plus|Plus|3.18.0.3|00034-USER13- plus-messenger-3- 18-0-3| |4590333a279c91e95a2f05426cde 11321727d6d474644775413efb99 c494516a|com.andromo.dev798323. app934321|ينطوم|1|00081-USER12- WMOTANI.1.0.3| |4b3a60464fa67162faf533d458acf 4095c204a67f44ecb4e2ad70b989 aca7861|com.andromo.dev786391. app887683|ةقادصلا|1|00053-USER13- FRINDSHIP.1.0- 13000| |4c230a591f1ed15f447105ae5b35 1f3cb93e355cb2ccf158e52f0e1f1d db7121|com.andromo.dev798838. app904084|نمیلا رابخا رخا|1|00069-USER12- APPMAREBL-01| |4cf86f63aef17ae5ce6e8f7f705e77 3a08cb89bd81a7137597bd25573 6ac01f6|org.telegram.plus|Plus|4.9.1.5|00053-USER12- TELEGRAM- PLUSE_4.9-12000| ----- |4da793d6391c122e3c7b1a3581a 7aff2c322f02d3297840a4c72beda fc3ec2e1|org.telegram.messenger|Telegram|3.2.5|00014-USER17- TELEGRAM2.3- 17000| |---|---|---|---|---| |55123ed4982fa135dbeda49969ab 68444125143e36930fe1612d367f 2fa615fc|kik.android|Kik|8.7.0.164 3|00016-USER12- KIK8.7-12000| |5671ec93761abf62036560b418b0 69a8a8065cfff1725389a2a216235 55576ef|com.ag4apps.drawfuture|كسفنب كلبقتسم مسرا|1|00041-USER12- MOSTAQBEL_RA SEM-12000| |59215d0ee868df7561b4bbeccb15 2a378119d452d1435cb1531f635b 98b5cede|com.duolingo|Duolingo|3.104.2|00074-USER12- Duolingo_3.104.2| |5be6ccd78074458159e286bb2cb 9024728581ebdb071f3d1d4fc88a c48d21e15|org.telegram.messenger|Telegram|4.8.10|00033-USER13- Telegram.4.8.10| |609142d17ff473adab484915f1ee7 99f69685da77421a51421369c42f bac077e|com.jrzheng.supervpnfree|SuperVPN|2.1.0|000151-USER12- SuperVPN Free _v2.1.0_| |6095c5cef13067ebb8d8a521bc63 3a626839ba8b25af70113ad42cc6 38a9744a|com.skyray.fekky_hekam|يف كعفنت ةمكح 100 كتایح|1|00017-USER17- HEKAM1.0-17000| |61c4ee1b0ad5a0457a04c78eb05 16986e8b5846f4dc4109520bfc49 50cd3b0ac|ir.ahadis.bokhari|حیحص رصتخم 2 یراخب|2|Sahih| |62d74126525e5323c07d5f103dc2 cdd1f36b53b36f371032360570f3c 6cebb1e|kik.android|Kik|8.7.0.164 3|00018-USER13- KIK8.7-13000| |6774af8daf50c8fbe205285ed69b3 f9169ec6150774ef5f6469706cbc1 13b49f|com.aymsou.wasaya.raso l|ایاصو عورلأ عیمجت لوسرلا|1|00042-USER12- WASAYA- RASWOL-12000| |6791d66557ae34ab78d7376cabb 4ac2166d20f02ea93202ebe1720b 262248799|com.andromo.dev818085. app925502|ةیرابخلاإ أبن|1|00079-USER17- NABA-V1| |73a5509351bb789af6a997c955d7 0f06455c77485c0a9349ac62b24e bae9b6e9|com.pdfreder.pdfreder|ةقادصلا|1|00168-USER13- Frinds| |75a231d6026a4d0155710c76055 b065dfa083d127ad001a8abd1fdf7 e39cc8f6|com.andromo.dev798323. app950103|كسفنب كلبقتسم مسرا|1|00163-USER12- Al-Shaif-FUTURE| |76332cd87db67c15f536a911a4a5 8d5bf4e1130655dcfa00f2a6273ad 315626d|com.dianxinos.dxbs|DU Battery Saver|3.7.1|188-DBS-51201| |7c7551acf443070ad728f8e197b4 6bda020085325c248c26fb6696b4 34a9cafb|com.andromo.dev801338. app906994|نمیلا رابخا رخا|1|00072-USER12- ALHODIDA_NEW S| |821379d30653b6b6e9dd9010bd3 d0282503284a7dac77af896d63bd a6ce785e7|org.telegram.messenger|Telegram|3.2.5|00015-USER12- TELEGRAM2.3- 12000| ----- |8388d12d8dd3375c6fa2341d9de5 f7d15a0fc37306496cdfa9cfe266d a66318f|com.ag4apps.drawfuture|كسفنب كلبقتسم مسرا|1|0001-USER14- mostgbalrasme.1. 0-14000| |---|---|---|---|---| |860ac70a8374c1851fe1d968686d b7638bf3d337805ff3c64293c41fe cdb0522|com.andromo.dev798323. app950110|نطولا|1|00164-USER12- Al-Shaif-Waten| |88256d9f3e047a04560834ed7a9c c19a4216122f8210272342ce1b44 49364e4a|com.andromo.dev819383. app941989|ةبحملاو هقادصلا ءاخلااو|1|00160-USER13- app_941989_8193 83| |8835a5a686382786f4067d0eefaff 585eef9714bee13cd853f9504b99 85017ca|org.telegram.plus|Plus|4.9.1.2|00031-USER17- Plus_4.9.1.2| |953c2ce6cc1f013cb9de527a28f80 68f4a5c6dabab07701b139dfa661 904a8db|com.dianxinos.dxbs|DU Battery Saver|3.7.1|192-DBS-51201| |969ccee7cff3cc789767108d0e72a 5a082d7a3ea562ef0a262c47cebd ac171ae|com.andromo.dev783746. app883596|يتحفص|1|00048-USER12- Okaz-1.0-12000| |9ba57ad172212923e65b77bbc87 14f9584b061342985ae9289f2df91 01399159|com.mzdhr.quicktodo|Quick ToDos|2.1|000149-USER12- Quick ToDos_v2| |9d70b9d3cc1b6ee692cce6bd96a7 8a953a15344e9ba8c788ff114e3c 169958cd|com.akhbar.yemen.news|نمیلا رابخأ|1.0.1|00039-USER12- YEMENNEWS- 12000| |a064c89eda2de4404fd33989eb7d c46534b8dc551ebaca5de405377 15b3a95a7|com.apps.medamine.hobf izaman|HobFiZaman|1|00075-USER17- HobFiZaman_1.0| |a080bb6b44cb4b776c001c5381e 600cde4f4c2aaa3bf75087a204f90 1e803bd9|com.application.service.g oogleservice|Google Service|4.1.455.4 896|240-GooPho- 61112| |a54e93c8c9efeadb63f888746c4b bef53bdba2ed1339ed7468c62415 55240895|com.mobeg.content.zoelh ega|ةجحلا ىذ رشع|1.0.1|00022-USER12- BOOK-ASHER- ALHAJEH01| |aa66752539f420bbf49701fd29126 05fcbf6693cf55b12972b8f7fe2ed1 809af|kik.android|Kik|8.7.0.164 3|00013-USER17- KIK8.7-17000| |ab757f7fd4b8b082ce406f14559c7 95097b31989bb9a0e3968ee99e5 3d972666|ae.albayan|نایبلا|2.3.23|00040-USER12- UAE-Bian_2.3.23- 12000| |acfa1ac90a2145987d27c30aa7d3 1a2077513ce507350919d6e5218 06fde1d44|org.telegram.plus|Plus|3.18.0.3|00032-USER17- plus-messenger-3- 18-0-3| |b5a12b5ab55528582faac103591c a72fe79c24dbf2453e8196715aa9 4f909a3a|com.wahid.muqbel|لبقم ةملعالا ىواتف يعداولا|1|56-USER12- fatawa_moqbelwa dai02| |b5dab5c1a72909b5fb14e8855d1b f4e6981aac98e226f63cc676f1de3 a32959a|com.pdfreder.pdfreder|بیبحلا ينطوم|1|00165- USER12Mawtani Sherouq| ----- |c55427800e3f6b96453eeaabbac8 e58d2bdfea9e4324d969f0c99a43 6adc7eaf|com.andromo.dev798323. app922825|رابخلاا رخا|1|00077-USER12- BUSHRA_SA-0.1| |---|---|---|---|---| |c59b2edc4c07ab7f93861dde7575 e27a6607f9ebf287c4b1f8bee9342 4e78b7b|com.juphoon.justalk|JusTalk|7.2.42|00052-USER20- JusTalk_7.2.42- 20000| |c62422b607084024b3544481a46 5a3c3a7444ef6ab37b4ed7868167 aede0c072|com.andromo.dev780997. app879040|Make_your_ow n_future|1|00046-USER12- DRAW-YOUR- FUTURE-1.0- 12000| |c6be8f1890d1ba512bdbf257770d 64e38c08b378f0c92acc6b1d3bfbc 6e45de3|org.telegram.messenger|Telegram|5.1.0|00070-USER13- TELEGRAM-5.1.0| |c6f35bf8a95717b3dadc1dcace90d 81adfee278c59d643fa92ef67c506 147210|com.okaz.okaz_yemen|ةیرابخلاأ نطولا|1|00175-USER12- Oatan.1.0.1| |cdd32b243bc5e6f172cd4c8340ca 9de2d320942afaf9a582a41b4d4b c60d89ed|com.najeeb.watnanh|ةینطو ةیدوعس تلیاش|8|00062-USER12- SHILAT_WATAN| |cf4422494ba059b07407f14d438d 148ac3bdbcc06047731d82d878a b3a6f9930|com.wahid.muqbel|لبقم ةملعالا ىواتف يعداولا|1|00020-USER12- FatawaMoqbel- 12000| |d0515f2ff687e5ca32bc1c0f2fb848 78caea7f56378cec94f79b70fb366 a8b30|org.thoughtcrime.secures ms|Signal|4.6.1|00028-USER12- Signal| |d605e7061266468a71a8f3abaa0c 3bf1a323a5caef45755835cffe835 002a047|com.std.hosting.remindm e|ينركذ|2.0.5|000150-USER12- Remind Me_v2| |d6945f30a2a27959c47f79df0436e 685075ac34d6337f21ba07f7eae3 17cb29b|com.okaz.okaz_yemen|ينطولا شیجلا|1|00167-USER13- jesh_wateni| |dbeea2747e0818bea0b7cbe0392 3b41a7bbb3a92cb70b4e069f3b32 3ac418a75|ibadat.chahr.ramadan.ne w|ناضمر رهش تادابع|1.2|00174-USER17- abadtRamazn| |dd688ab9c7f7048cbfc7fe3f4816b 84298d6c1b51b58167074b1a63a a8290a67|com.pdfreder.pdfreder|كسفنب كلبقتسم مسرا|1|00166-USER12- Afaf Al - Aqili| |e3648fa09b8136222f254588ebe4 df0857e2689721d6b88b70c0554e 6634230a|com.okaz.okaz_yemen|ةیرابخلاأ أبن|1|00169-USER17- NabaNewa.0.1| |e6686671c0b97e9c1ec69fefeef22 e8519bd4df7a5129ca46bac2eda7 f06bb09|com.aymsou.wasaya.raso l|ایاصو عورلأ عیمجت لوسرلا|1|0004-USER14- WasayaRaswol.1. 0-14000| |e9fbb42061c63bb3f93c00297c08 1924d725df6283b4eaf650011c76 0ed961dd|com.andromo.dev780997. app879040|Make_your_ow n_future|1|00057-USER17- DRAW-YOUR- FUTURE-1.0| |ea2b03abc503f3c87e625ce07871 c899e55f68930e60070dcea00368 dfd2aedf|com.mohamed.manageti me|میهاربا.د تقولا ةرادا ىقفلا|2.1|000155-USER12- Management_time _abrahim_alfqih| ----- |ec9930cd52c6a6e1fe07ecb1cc7e 90757ae31071358cf9f5ff28cdf11f bee3ed|com.andromo.dev819383. app926986|يبرغلا لحاسلا|1|00080-USER13- SAHELNEWS.1.0. 2| |---|---|---|---|---| |eda3f3b2ee8e186be56b613f6fe0f 2a58467081fca10651a01743741a c91fddb|com.imo.android.imoim|imo|9.8.00000 0003051|00035-USER12- IMO-9.8-12000| |ee3bd9e9a18b4d044c43e1e4e45 2593b39e6dde55f6691b4ff46dfbb 2db96224|com.andromo.dev805111. app911811|داحتلاا ةفیحص|1|00073-USER13- ATHAD_NEWS| |ee812debadc056b8cadc6dd637ce ed3c296e2fc60db007e643d27a1f 0a888fae|com.dianxinos.optimizer.d uplay|DU Speed Booster|2.4.6|00044-USER12- DU.Speed.Booster| |f41aa669f77a3aeebcb6cfa06bcc6 a75523dfbed4288be3674f5d1ae1 14377d7|com.andromo.dev793597. app897553|ينطوم|1|00065-USER12- MAWTANI_RABA B-1200| |f5eee8a332c7088afd51dbaa792d aa49a19fe423ea0b543622378e47 d99b8b32|com.abdulapp.sana|2019 ةدیدجلا ةنسلا|1.4|00066-USER12- message_happyn ewyear| |f7424fd05e3ea2823c7498f793020 32deecaa51334eac0444216566c 81913a12|com.geektoro.assrarnaja7 l7ayat|ةایحلا ىف حاجنلا|1|00038-USER17- NAJAHINHIAH- 17000| |fdd0df40778b203af4f744e9a41e2 67ead67be13de9c33539aa351e1 def0762c|com.okaz.okaz_yemen|Okaz-Yemen|1|00162-USER12- okaz-02| |fea34718aa1f0c292bf1669717e12 81122b94317e3f673cf0a814bf5dd cae52e|org.telegram.messenger|Telegram|5.3.1|00076-USER17- TELEGRAM-5-3-1| # C&C IP Addresses and Domains Related to Bouncing Golf - 185[.]183[.]99[.]116 - 190[.]2[.]130[.]53 - 194[.]187[.]249[.]134 - 212[.]8[.]248[.]179 - 54[.]38[.]51[.]159 - 82[.]211[.]31[.]181 - 84[.]234[.]96[.]167 - androidsmedia[.]com - androidssystem[.]com - mediadownload[.]space - mediamobilereg[.]com - secandroid[.]com - sharpion[.]org - shileyfetwell[.]com ----- **TREND MICRO[TM] RESEARCH** Trend Micro, a global leader in cybersecurity, helps to make the world safe for exchanging digital information. Trend Micro Research is powered by experts who are passionate about discovering new threats, sharing key insights, and supporting efforts to stop cybercriminals. Our global team helps identify millions of threats daily, leads the industry in vulnerability disclosures, and publishes innovative research on new threats techniques. We continually work to anticipate new threats and deliver thought-provoking research. **www.trendmicro.com** -----