We observed a series of domains luring people to download a fake Flash update or a Clash of Clans game crack for mobile phones running the Android platform.
We downloaded the same malicious APK file from both websites. The file name is flash_update.apk and its SHA1 is dc42fcd427054227a6ee2dd92b8356e57f9ead77.
The malicious application requires the following permissions:
android.permission.CHANGE_NETWORK_STATE (change network connectivity)
android.permission.SEND_SMS (send SMS messages)
android.permission.USES_POLICY_FORCE_LOCK (unknown permission; not in the Android reference)
android.permission.RECEIVE_BOOT_COMPLETED (automatically start at boot)
android.permission.INTERNET (full Internet access)
android.permission.VIBRATE (control vibrator)
android.permission.WRITE_SMS (edit SMS or MMS)
android.permission.ACCESS_WIFI_STATE (view Wi-Fi status)
android.permission.WAKE_LOCK (prevent phone from sleeping)
android.permission.GET_TASKS (retrieve running applications)
android.permission.CALL_PHONE (directly call phone numbers)
android.permission.WRITE_SETTINGS (modify global system settings)
android.permission.ACCESS_NETWORK_STATE (view network status)
android.permission.READ_PHONE_STATE (read phone state and identity)
android.permission.CHANGE_WIFI_STATE (change Wi-Fi status)
android.permission.READ_SMS (read SMS or MMS)
android.permission.READ_CONTACTS (read contact data)
android.permission.RECEIVE_SMS (receive SMS)
We’ve found three malicious URLs the application tries to beacon to:

hxxps://playsstore[.]net/QUESTIONROADFAR/
hxxps://secure-ingdirect[.]top/QUESTIONROADFAR/
hxxps://playsstore[.]mobi/QUESTIONROADFAR/
The domains all use the same registration information, as follows. We have verified the information and can confirm that the address and phone number don’t exist.
Registrant Name: joi frey
Registrant Organization:
Registrant Street: 12 mondo
Registrant City: paris
Registrant State/Province: Paris
Registrant Postal Code: 75014
Registrant Country: FR
Registrant Phone: +33.0101256325
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: benoit.parene@laposte[.]net
The email address benoit.parene@laposte[.]net was used to register several domains related to the same threat:
| Domain | Contact Email | Create Date | IP Address | ASN | Country |
| --- | --- | --- | --- | --- | --- |
| cest-sure.com | benoit.parene@laposte.net | 12/17/16 | 146.0.79.171 | 57043 | NL |
| clahs-clans-crack.com | benoit.parene@laposte.net | 12/18/16 | 185.70.184.176 | 57043 | NL |
| clash-of-clans-crack.net | benoit.parene@laposte.net | 12/16/16 | 146.0.79.179 | 57043 | NL |
| clashclanscrack.com | benoit.parene@laposte.net | 12/20/16 | 185.70.187.212 | 57043 | NL |
| clashclanscrack.net | benoit.parene@laposte.net | 12/20/16 | 185.70.187.212 | 57043 | NL |
| crackclashofclans.com | benoit.parene@laposte.net | 12/20/16 | 185.70.187.212 | 57043 | NL |
| crackclashofclans.net | benoit.parene@laposte.net | 12/20/16 | 185.70.187.212 | 57043 | NL |
| flash-play.com | benoit.parene@laposte.net | 12/18/16 | 146.0.79.226 | 57043 | NL |
| hdi-porn.com | benoit.parene@laposte.net | 12/18/16 | 185.70.184.176 | 57043 | NL |
| playsstore.mobi | benoit.parene@laposte.net | 11/24/16 | 5.188.228.253 | 48693 | RU |
| playsstore.net | benoit.parene@laposte.net | 11/24/16 | 5.188.228.253 | 48693 | RU |
| playystore.com | benoit.parene@laposte.net | 12/15/16 | 146.0.79.161 | 57043 | NL |
From the listed IP addresses, we were able to expand our investigation and find more domains related to the Android Marcher malware. The IP address 185.70.187[.]212, where a few of the Clash of Clans domains are hosted, revealed another domain, adkjah34[.]com. This domain was registered using the following details:
Registrant Name: JOSE NILSON ALVES PAMPLONA
Registrant Organization: JOSE NILSON ALVES PAMPLONA
Registrant Street: RUA DULCE TORRES BROCHADO 2441
Registrant City: UNAI
Registrant State/Province: MG
Registrant Postal Code: 38610000
Registrant Country: BR
Registrant Phone: +55.11943534986
Registrant Email: jose.nilsonalves@yahoo.com[.]br
Several other domains were registered with the same details, and at least 5 of them are known Banload C2s. Banload is a Brazilian banking Trojan. The domains are:
madimbu[.]com
alabeutum[.]com
babcxx22tu[.]com
alabeutres[.]com
baeroodum[.]com
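The pivot walked through above (registrant e-mail to a cluster of domains, then a shared hosting IP to a further domain and its registrant, then that registrant's other domains) can be reproduced as a graph walk. This is an added example, not code from the original post; the records are constructed from this post's tables, and the graph layout, the `max_edges` budget and the function names are my own.

```python
from collections import defaultdict, deque
# Constructed from this post's tables: (domain, registrant e-mail, hosting IP or None if not listed).
BENOIT = "benoit.parene@laposte.net"
JOSE = "jose.nilsonalves@yahoo.com.br"
RECORDS = [
    ("cest-sure.com", BENOIT, "146.0.79.171"),
    ("clahs-clans-crack.com", BENOIT, "185.70.184.176"),
    ("clash-of-clans-crack.net", BENOIT, "146.0.79.179"),
    ("clashclanscrack.com", BENOIT, "185.70.187.212"),
    ("clashclanscrack.net", BENOIT, "185.70.187.212"),
    ("crackclashofclans.com", BENOIT, "185.70.187.212"),
    ("crackclashofclans.net", BENOIT, "185.70.187.212"),
    ("flash-play.com", BENOIT, "146.0.79.226"),
    ("hdi-porn.com", BENOIT, "185.70.184.176"),
    ("playsstore.mobi", BENOIT, "5.188.228.253"),
    ("playsstore.net", BENOIT, "5.188.228.253"),
    ("playystore.com", BENOIT, "146.0.79.161"),
    ("adkjah34.com", JOSE, "185.70.187.212"),  # surfaced by the shared-IP pivot
] + [(d, JOSE, None) for d in ("madimbu.com", "alabeutum.com", "babcxx22tu.com",
                               "alabeutres.com", "baeroodum.com")]  # known Banload C2s

def build_graph(records):
    """Bipartite graph: every domain links to its 'email:<x>' and 'ip:<x>' attribute nodes."""
    adj = defaultdict(set)
    for domain, email, ip in records:
        for attr in [f"email:{email}"] + ([f"ip:{ip}"] if ip else []):
            adj[domain].add(attr)
            adj[attr].add(domain)
    return adj

def pivot(adj, seed, max_edges):
    """BFS from seed: {node: edges from seed} within max_edges (domain->attr->domain = 2 edges)."""
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if dist[node] < max_edges:
            for nxt in adj[node]:
                if nxt not in dist:
                    dist[nxt] = dist[node] + 1
                    queue.append(nxt)
    return dist

def related_domains(adj, seed, max_edges):
    """Sorted domains reached from seed (attribute nodes dropped); an IP-only link may be shared hosting."""
    return sorted(n for n in pivot(adj, seed, max_edges) if not n.startswith(("email:", "ip:")))

GRAPH = build_graph(RECORDS)
```

Seeding with `ip:185.70.187.212` and one edge returns only the domains hosted there; allowing three edges crosses both registrant e-mails and pulls in the whole Marcher cluster plus the Banload C2s, which is why the edge budget matters when the link is a shared IP rather than a registrant.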
Sample of forged websites – hxxp://flash-play[.]com

Sample of forged websites – hxxp://clashclanscrack[.]com

IOCs:
SHA1(flash_mise_a_jour.apk)= d3ebdb1d4f73ed20d16489ef1a477a843d382edc
SHA1(flash_update.apk)= dc42fcd427054227a6ee2dd92b8356e57f9ead77
SHA1(myfile.apk)= da39a3ee5e6b4b0d3255bfef956018
SHA1(classes.dex)= 8af9b4e9b443a4668da6e715fa8a4e1e58fcff77