AppGoblin has now run over 40k apps in an emulator, tracking millions of API calls to thousands of advertising domains. Unfortunately, some of them are dark, meaning they have no landing page of any kind, and I’m unclear who controls these domains.
news-cdn.site | marketingcloudapis.com |
kickoffo.site | onegg.site |
lazybumblebee.com | qa-analytics.com |
acobt.tech | yastatic.net |
Let’s see if we can figure them out!
qa-analytics.com
This one is a mystery. Seems like it’s related to Germany since it’s always resolving to HETZNER and German IPs. Checking the shared IPs, it looks like they do overlap with unity3d.com domains sometimes.
Again, this whole list is games.
- Woodoku – Wood Block Puzzle
- Draw Climber
- Spider Rope Hero: Action Game
- Running Pet: Dec Rooms
- Bubble Shooter 2
- Pirate Treasures: Jewel & Gems
- Tik Tap Challenge
- Collect Em All! Clear the Dots
- Gun Simulator & Lightsaber
data deep dive
Looking at the requests I can match various keys to values from unity3d.com API calls! Specifically they share the same `app_key` values.
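The value matching described above can be automated. This is an added example, not AppGoblin's code: the capture rows, hosts, paths and key values are constructed, and `shared_values` is a hypothetical helper that reports which known domain receives the same long values as the unknown one within the same app.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed capture: (app id, request URL, JSON body or None). Hosts, paths and values are made up.
CAPTURE = [
    ("com.example.puzzle", "https://cfg.unity3d.com/init?app_key=k-1111aaaa&sdk=4.9", None),
    ("com.example.puzzle", "https://t.qa-analytics.com/event",
     '{"app_key": "k-1111aaaa", "evt": "start", "sdk": "4.9"}'),
    ("com.example.runner", "https://cfg.unity3d.com/init?app_key=k-2222bbbb&sdk=4.9", None),
    ("com.example.runner", "https://t.qa-analytics.com/event",
     '{"ctx": {"app_key": "k-2222bbbb"}, "evt": "start"}'),
    ("com.example.runner", "https://ads.other-network.example/init?token=zz-9999", None),
]

def base_domain(url):
    # Simplification: last two host labels. Use a public-suffix list on real data.
    return ".".join(urlsplit(url).hostname.split(".")[-2:])

def leaves(obj, key=""):
    """Yield (key, value) for every scalar in a nested JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from leaves(v, k)
    elif isinstance(obj, list):
        for v in obj:
            yield from leaves(v, key)
    else:
        yield key, str(obj)

def shared_values(capture, unknown, min_len=8):
    """Map (known domain, key) -> apps where a value sent to `unknown` was also sent there."""
    seen = defaultdict(lambda: defaultdict(set))  # app -> value -> {(domain, key)}
    for app, url, body in capture:
        fields = parse_qsl(urlsplit(url).query) + list(leaves(json.loads(body)) if body else [])
        for key, val in fields:
            if len(val) >= min_len:  # short values (versions, flags) collide by chance
                seen[app][val].add((base_domain(url), key))
    hits = defaultdict(set)
    for app, values in seen.items():
        for where in values.values():
            if any(dom == unknown for dom, _ in where):
                for dom, key in where:
                    if dom != unknown:
                        hits[(dom, key)].add(app)
    return {k: sorted(v) for k, v in hits.items()}
```

A domain and key pair that shows up for many apps, each with a different value, is much stronger evidence than one value repeated everywhere.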
acobt.tech
Well that name definitely comes off as esoteric at first. First let’s check the IP cluster and see what we find: of the 233 apps sending/receiving from acobt.tech, we have 4 other sites with 1:1 matches, all of which are sites that do not have any landing pages.
acobt.tech 233
news-cdn.site 233
inmense.site 232
kickoffo.site 232
searching…
Searching the internet shows various hits saying some of these belong to Bigo Ads. Let’s check the apps’ SDKs and see.
Apps
Again we got lots of games, and it looks like AppGoblin has indeed already found that each of these has a Bigo Ad SDK.
- Pizza Ready!
- Sculpt People
- Vita Mahjong
- Modern Bus Simulator: Bus Game
- Gym Heros: Fighting Game
- Blockman Go
onegg.site
Wait, this one also matches the IPs for the other various Bigo Ads. Seems like Bigo really uses a lot of random domains?
lazybumblebee.com
OK, great name. This one appears in clusters of SDK advertising, making me think it’s related to a mediation SDK of some kind (rather than to one specific ad network). Possibly this is bidmachine.io’s as it is the most common, but really all the top ad networks appear nearly 1:1 alongside it across the 276 apps I’ve found it in:
bidmachine.io 275
unity3d.com 270
doubleclick.net 269
mtgglobals.com 267
rayjump.com 267
applovin.com 261
vungle.com 257
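The co-occurrence counts above, and the 1:1 matches in the acobt.tech section, can be computed from a per-app list of contacted domains. This is an added example, not AppGoblin's code: the app ids and their domain sets are constructed, and it goes one step beyond the raw counts by also scoring each pair with Jaccard overlap, so a domain that is present in almost every app does not look like a sibling.

```python
from collections import defaultdict

# Constructed observations: app id -> domains it contacted during a run.
APPS = {
    "game.a": {"lazybumblebee.com", "bidmachine.io", "doubleclick.net"},
    "game.b": {"lazybumblebee.com", "bidmachine.io", "doubleclick.net",
               "acobt.tech", "news-cdn.site"},
    "game.c": {"lazybumblebee.com", "bidmachine.io", "doubleclick.net"},
    "shop.d": {"doubleclick.net"},
    "shop.e": {"doubleclick.net"},
    "game.f": {"acobt.tech", "news-cdn.site", "doubleclick.net"},
    "news.g": {"doubleclick.net"},
}

def app_sets(apps):
    """Invert app -> domains into domain -> set of apps."""
    by_domain = defaultdict(set)
    for app, domains in apps.items():
        for dom in domains:
            by_domain[dom].add(app)
    return by_domain

def cooccurrence(apps, target):
    """Rows of (domain, apps shared with target, Jaccard overlap), best match first."""
    by_domain = app_sets(apps)
    target_apps = by_domain.get(target, set())
    rows = []
    for dom, dom_apps in by_domain.items():
        both = len(target_apps & dom_apps)
        if dom != target and both:
            # Jaccard = shared apps / apps that contain either domain
            rows.append((dom, both, round(both / len(target_apps | dom_apps), 3)))
    return sorted(rows, key=lambda r: (-r[2], r[0]))

def likely_siblings(apps, target, min_jaccard=0.9):
    """Domains whose app set is (almost) identical to the target's."""
    return [dom for dom, _, j in cooccurrence(apps, target) if j >= min_jaccard]
```

In the constructed data `doubleclick.net` shares as many apps with `lazybumblebee.com` as `bidmachine.io` does, but only `bidmachine.io` passes the overlap threshold.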
Example Apps
Definitely game focused list here. They almost all call variations of d.lazybumblebee.com/track/sdk-event
- Helix Jump
- Going Balls
- Paper.io 2
- aquapark.io
- Snake.io – Fun Snake .io Games
- Hole.io
- 1945 Air Force: Airplane Games
Shared IPs
Looking around there are lots of examples of shared IP addresses with everestop.io and bidmachine, so I think that might have solved that.
everestop.io 172.240.40.172
bidmachine.io 172.240.40.172
bidmachine.io 204.74.252.252
everestop.io 172.240.61.171
voisetech.com 34.216.198.39
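Grouping domains by shared IP, as done above, is a connected-components problem. This is an added example, not AppGoblin's code: `ROWS` holds the five pairs listed above, `unknown.example` in the usage is a constructed row, and the `max_fanout` cutoff is an assumption added to keep CDN or shared-hosting addresses from merging unrelated owners.

```python
from collections import defaultdict

# The (domain, IP) pairs listed above; nothing else here is observed data.
ROWS = [
    ("everestop.io", "172.240.40.172"),
    ("bidmachine.io", "172.240.40.172"),
    ("bidmachine.io", "204.74.252.252"),
    ("everestop.io", "172.240.61.171"),
    ("voisetech.com", "34.216.198.39"),
]

def ip_clusters(rows, max_fanout=20):
    """Group domains linked by a shared IP (connected components, union-find).

    IPs that serve more than max_fanout domains are skipped as links, since
    CDN and shared-hosting addresses say little about ownership.
    """
    by_ip = defaultdict(set)
    for dom, ip in rows:
        by_ip[ip].add(dom)
    parent = {dom: dom for dom, _ in rows}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for doms in by_ip.values():
        if 1 < len(doms) <= max_fanout:
            first, *rest = sorted(doms)
            for dom in rest:
                parent[find(dom)] = find(first)

    groups = defaultdict(set)
    for dom in parent:
        groups[find(dom)].add(dom)
    return sorted(sorted(g) for g in groups.values())

# Usage with one constructed row for a domain under investigation:
# ip_clusters(ROWS + [("unknown.example", "204.74.252.252")])
```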
SDK?
Looks like a lot of the apps have the `io.bidmachine` and `com.explorestack` SDKs, so I’m thinking that `lazybumblebee.com` does indeed belong to BidMachine and helps it with some app mediation service.
marketingcloudapis.com
`marketingcloudapis.com` is just the kind of generic descriptive name I’d come up with.
Example Apps
There are a lot of very corporate apps in here, along with lots of shopping.
- adidas: Shop Shoes & Clothing
- Claro música
- Domino’s Pizza USA
- SiriusXM: Music, Sports & News
- GasBuddy: Find & Pay for Gas
Example API Call
Each app sends off two API calls on start to a unique (per app) subdomain on marketingcloudapis.com with the response from the first API call below. The information sent seems somewhat bland compared to the usual deep scraping that advertising SDKs do. So this is likely paired with other API calls already going out.
```
x-mashery-message-id: 4e9eb0f4-6eaa-4f27-bb66-a3694cffe471
x-mashery-responder: 56bf7c64cc-lnkfz
strict-transport-security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: upgrade-insecure-requests
x-xss-protection: 1; mode=block
x-frame-options: DENY
x-content-type-options: nosniff
cache-control: no-cache, must-revalidate, max-age=0, no-store, private
Referrer-Policy: strict-origin-when-cross-origin
Vary: Origin, X-HTTP-Method-Override
Content-Length: 339
Content-Type: application/json; charset=UTF-8
Date: Wed, 27 Aug 2025 22:12:39 GMT
Connection: keep-alive
Keep-Alive: timeout=5

{
  "nodes": [
    {
      "version": 1,
      "name": "blocked",
      "items": { "blocked": 0 }
    },
    {
      "version": 1,
      "name": "pushFeaturesInUse",
      "items": { "inbox": false }
    },
    {
      "version": 1,
      "name": "appConfig",
      "items": {
        "inApp": { "gateEventProcessingMs": 1000 },
        "event": { "activeEvents": [] },
        "endpoints": [],
        "deliveryReceipt": {
          "deliveryReceiptStatus": 0,
          "gateDeliveryReceiptProcessingMs": 5000
        }
      }
    }
  ]
}
```
Related Domains
Checking on domains that are called together, it looks like this is almost always called with `googleapis.com`, so possibly this is related to Google, but this is a bit weak as a lot of Android apps have integrations with Google.
End Results!
Much better than I expected. A bit of digging and all the URLs were figured out with the exception of marketingcloudapis.com, which I was a bit unsure of, but it looks like google.com.
news-cdn.site -> Bigo Ads | marketingcloudapis.com |
kickoffo.site -> Bigo Ads | onegg.site -> Google |
lazybumblebee.com -> BidMachine | qa-analytics.com -> Unity |
acobt.tech -> Bigo Ads | yastatic.net -> Yandex |