Anonymised real-world report generated by the bot on 2026-03-16. Phone identifiers, account IPs, and the VPN client ID have been redacted; threat IPs preserved as published in original. Original locale: Russian — translated below for the public showcase.
Scan ID: scan_20260316_085734_15d2c439
Date: 2026-03-16 09:29 UTC+1
Analysis duration: 30 minutes
Threats detected on your phone.
The phone was communicating with mainstream services (social networks, messengers, video platforms) as expected for normal use. In addition, attempts to connect to suspicious servers were observed — and that is what this report is about.
A consumer phone has no legitimate reason to initiate SSH connections. SSH is a server-administration protocol; finding outbound SSH from a mobile device almost always means a remote-control implant.
- Risk: an attacker may be able to remotely access your phone and exfiltrate personal data
- What to do: from a different device, change passwords for your email and banking apps; consider a factory reset of the phone
Same family of finding as SSH: Telnet is an administration protocol that has no place on a consumer phone. Outbound Telnet from a mobile device is a strong indicator of a remote-control implant or backdoor.
- Risk: an attacker may be able to remotely access your phone and exfiltrate personal data
- What to do: from a different device, change passwords for your email and banking apps; consider a factory reset of the phone
RTSP (Real-Time Streaming Protocol) is the protocol cameras use to stream video. Outbound RTSP from a mobile device often means the camera and/or microphone are being streamed to an external server.
- Risk: an attacker may be capturing video or audio from your phone without your consent
- What to do: from a different device, change passwords for your email and banking apps; consider a factory reset of the phone
- From a different device, change passwords for your email and banking apps.
- Consider a factory reset of the phone to remove any potentially malicious software.
- Install a reputable mobile anti-malware tool (e.g. Malwarebytes Mobile, Dr.Web Light) and run a full scan.
| Metric | Value |
|---|---|
| Total connections | 125 |
| Data volume | 8.3 MB |
| Unique IP destinations | 1 |
| Analysis window | 1,800 s (30 min) |
- Port 443 (HTTPS) — 87 connections (100.0% of TCP)
| Severity | IP | Notes |
|---|---|---|
| HIGH | 85.90.246.234 | flagged by threat-intel correlation |
| HIGH | 172.104.99.199 | flagged by threat-intel correlation |
| HIGH | 37.46.119.14 | OTX reports: 1 |
| HIGH | 51.75.34.93 | flagged by threat-intel correlation |
| HIGH | 209.38.189.134 | flagged by threat-intel correlation |
| HIGH | 170.64.245.133 | flagged by threat-intel correlation |
About this sample. This is the actual report a user received from @secure_scanbot. The bot's AI report-generator decides which severity level to use for the user (Beginner / Intermediate / Expert) — the version above is the Beginner-level rendering that explains what each port means in plain language and gives one concrete action. The Intermediate and Expert versions of the same scan add JA3 fingerprints, beaconing intervals, and Suricata-rule signatures.
Why so many HIGH IPs with one HTTPS port — the device's TLS (port 443) traffic was being relayed through several known-bad IP addresses cross-referenced against OTX, AbuseIPDB, and VirusTotal feeds. Port 22 / 23 / 554 connections were short-lived but flagged by the port-based detection layer.
The HTML version of this same report is at sample-scan-report.html; the bot delivers HTML for easier reading on mobile.