context safety score
A score of 39/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
phishing
1 deceptive links where visible host does not match destination host
brand impersonation
The domain 'google-play.it.softmany.com' uses Google Play Store branding, name, logo, and version information to impersonate the official Google Play Store (play.google.com). The page presents itself as an official download source for Google Play Store APK while being operated by a third-party (Softmany.com). The structured data even falsely lists 'Google LLC' as the author/publisher of content hosted on a non-Google domain. (location: page.html:63-76, metadata.json domain field, page.html:435-437)
social engineering
The site promotes direct APK downloads of Google Play Store and related apps (APKPure, FRP Bypass, Lucky Patcher, vnROM FRP bypass) outside the official app store, using trust signals like 'sicuro e protetto' (safe and secure), Google branding, and fake aggregate ratings (5.0/5 from only 1 vote) to encourage users to sideload APKs from an untrusted third party. FRP Bypass tools are specifically designed to circumvent Android security mechanisms. (location: page.html:449-464, page.html:505-511, page.html:667-693, page-text.txt:322)
phishing
The site operates on a subdomain engineered to appear as a legitimate Google service ('google-play.it.softmany.com'), mimicking the official Google Play branding and offering APK downloads. Users searching for Google Play Store may land on this page and download potentially modified or malicious APK files instead of the legitimate application. (location: metadata.json:url, page.html:5, page.html:63-66)
credential harvesting
A form with a CSRF token posts to 'https://google-play.it.softmany.com/rate-content' and collects user interaction data. The CSRF token 'k2m8iqjvsy7AC4nfgQZIzRhdTqRhBjQ4kSkaIA2c' is embedded both in a hidden form field and sent via fetch as an 'X-CSRF-TOKEN' header, representing a session-linked form submission to a third-party server. While framed as a rating form, this pattern can be used to correlate user identity and session state. (location: page.html:449-452, page.html:820-828)
malicious redirect
The page includes a redirect (1 redirect detected per Tier 2 signals). The canonical URL points to '/android' path while the landing URL is the root, and several 'similar app' links contain leading spaces in their href values (e.g., ' https://apkpure.it.softmany.com/android '), which is an unusual formatting pattern that could indicate URL manipulation or obfuscation attempts. (location: page.html:640, page.html:649, page.html:658, page.html:667, page.html:676, page.html:685)
social engineering
The 'similar apps' section prominently features FRP Bypass tools ('vnROM BYPASS FRP ACCOUNT GOOGLE', 'FRP Bypass sblocco senza interruzioni del sistema FRP di Google') and 'Lucky Patcher' (an app known for bypassing in-app purchases and license verification). Presenting these alongside legitimate-seeming content normalizes the download of security-bypass tools. (location: page.html:649-693, page-text.txt:383-421)
hidden content
Tier 2 analysis detected a hidden content ratio of 0.01 and 12 suspicious base64 blobs. The base64 blobs found in the page are 1x1 GIF placeholder images used for lazy loading ('data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=='), which is a legitimate lazy-load technique. The hidden content in page-hidden.txt consists entirely of benign HTML comments. These signals are false positives. (location: page.html:519, page.html:530, page-hidden.txt:1-27)
curl https://api.brin.sh/domain/google-play.it.softmany.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
google-play.it.softmany.com currently scores 39/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.