I was checking my Pi-Hole and noticed a lone spike of 700+ requests coming from my phone (Android 16) this morning. Upon checking the logs, it's all bogus domains corresponding to package names of apps I have previously installed via the Play Store, but never on this phone.
Going further back in the query log, I realized it also includes the package name of an app I developed years ago but never published on the store, nor on this phone. There's also a whole bunch of my browsing history apparently, domains I haven't visited in years - from the age of some of them I'm pretty sure it's Chrome history, as I only used Firefox sync for a brief period and my local history is <1y.
What the actual fuck? This is a Nothing Phone 3a, updated to Android 16 just a couple of days ago.
Could it possibly be some background check for valid domain names for proton pass? I imagine there could be a benefit to checking that the URLs associated with saved entries are actually live.
If the goal was exfiltrating a list of the sites you use, they don't really need to do it via some weird DNS stuff, since you're already expecting traffic directed at the proton api. They could just transfer an encrypted text file and call it a day. Doing this makes a ton of noise that you'd want to avoid if you were doing something shady, so it must serve some kind of function.
But why would they do that from an end user's device instead of their servers? And what about the unresolvable package names?
I'm leaning more towards a bug than exfiltration at this point, but it is still a somewhat serious leak. The contents of proton pass are end to end encrypted and thus supposed to be confidential, while this has caused my whole vault to be leaked to public DNS servers via unencrypted UDP. If it was intentional, it's terrible design. Maybe some intern thought to have the client grab favicons.
That's precisely why they can't do the scan from their servers. They don't know the domains - they're decrypted only on your device.
I feel like this is a tad dramatic. Surely, your vault contains more data, probably more sensitive, than just domain names.
I mean no offense, but I think you might be being a tad paranoid on this one. There really isn't much that can be done with a list of sites you've saved credentials for once. If it was your most visited sites, I guess you would maybe be slightly more vulnerable to spear phishing. But just a bulk blast of sites over DNS doesn't really tell anyone anything, it just looks like normal-ish DNS traffic.