I get several okhttp hits. Not only version 3.8.1 but also 3.9.0, 3.11.0 and 2.5.0. It is a generic HTTP client library working on Java and Android. On my sites they never go deeper than the root directory and the favicon.ico file, but that probably depends on how the client library is implemented in the specific application.

:: detour to check logs and headers ::

Yup, see it occasionally. Wide array of version numbers:

okhttp/2.4.0
okhttp/2.7.4
okhttp/3.5.0-SNAPSHOT
okhttp/3.6.0
okhttp/3.10.0
okhttp/3.11.0
okhttp/3.12.0
okhttp/3.12.1
okhttp/3.14.0

Equally wide array of IPs. Most but not all requests are for individual images; among pages, root is most common. Page requests blocked, images not, which suggests a header discrepancy. (I don't log headers on images--except of course blocked ones, which cause the server to generate the 403 page--so I can’t be sure.)

Hm. It may be time to reassess header toggles on image requests. What a pain. In the meantime, I guess I can flag them as bad_agent. That being the case, it’s thoughtful of them to put “okhttp” right at the front of the UA.

Wonder what they do with the images?

Edit: I didn’t check all of them, but I tend to think the IPs are human, though not connected with normal human visits. So that leaves “infected by botnet” as an option.