Android Marcher posing as Flash update and Clash of Clans game trick

We observed a series of domains luring users into downloading a Flash update or a Clash of Clans game trick for mobile phones running Android.

We downloaded the same malicious APK file from both websites. The file name is flash_update.apk and its SHA1 is dc42fcd427054227a6ee2dd92b8356e57f9ead77.

The malicious application requires the following permissions:

android.permission.CHANGE_NETWORK_STATE (change network connectivity)
android.permission.SEND_SMS (send SMS messages)
android.permission.USES_POLICY_FORCE_LOCK (device-administrator force-lock policy; not a standard permission, so analysis tools report it as unknown)
android.permission.RECEIVE_BOOT_COMPLETED (automatically start at boot)
android.permission.INTERNET (full Internet access)
android.permission.VIBRATE (control vibrator)
android.permission.WRITE_SMS (edit SMS or MMS)
android.permission.ACCESS_WIFI_STATE (view Wi-Fi status)
android.permission.WAKE_LOCK (prevent phone from sleeping)
android.permission.GET_TASKS (retrieve running applications)
android.permission.CALL_PHONE (directly call phone numbers)
android.permission.WRITE_SETTINGS (modify global system settings)
android.permission.ACCESS_NETWORK_STATE (view network status)
android.permission.READ_PHONE_STATE (read phone state and identity)
android.permission.CHANGE_WIFI_STATE (change Wi-Fi status)
android.permission.READ_SMS (read SMS or MMS)
android.permission.READ_CONTACTS (read contact data)
android.permission.RECEIVE_SMS (receive SMS)
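As an added illustration (not code from the original post), the following Python triage helper parses a permission list in the format printed above and checks it against the capability profile of an SMS-stealing banking Trojan. The permission text is copied from this post as constructed input; the capability groupings and the verdict rule are this example's own heuristics, not a detection the post describes.

```python
import re

# Permission list as printed in the write-up, used here as constructed input.
MARCHER_PERMISSIONS = """
android.permission.CHANGE_NETWORK_STATE (change network connectivity)
android.permission.SEND_SMS (send SMS messages)
android.permission.USES_POLICY_FORCE_LOCK (device-admin force-lock policy)
android.permission.RECEIVE_BOOT_COMPLETED (automatically start at boot)
android.permission.INTERNET (full Internet access)
android.permission.VIBRATE (control vibrator)
android.permission.WRITE_SMS (edit SMS or MMS)
android.permission.ACCESS_WIFI_STATE (view Wi-Fi status)
android.permission.WAKE_LOCK (prevent phone from sleeping)
android.permission.GET_TASKS (retrieve running applications)
android.permission.CALL_PHONE (directly call phone numbers)
android.permission.WRITE_SETTINGS (modify global system settings)
android.permission.ACCESS_NETWORK_STATE (view network status)
android.permission.READ_PHONE_STATE (read phone state and identity)
android.permission.CHANGE_WIFI_STATE (change Wi-Fi status)
android.permission.READ_SMS (read SMS or MMS)
android.permission.READ_CONTACTS (read contact data)
android.permission.RECEIVE_SMS (receive SMS)
"""

PERM_RE = re.compile(r"android\.permission\.([A-Z_]+)")

# Capabilities a banking/SMS-stealing Trojan needs (example heuristics).
# A capability is only credited when every permission in its set is present.
CAPABILITIES = {
    "intercept_sms": {"RECEIVE_SMS", "READ_SMS"},    # steal mTAN / 2FA codes
    "send_sms": {"SEND_SMS"},                        # premium SMS, self-spreading
    "tamper_sms": {"WRITE_SMS"},                     # hide stolen messages
    "foreground_app_tracking": {"GET_TASKS"},        # choose the target for overlays
    "persistence": {"RECEIVE_BOOT_COMPLETED"},
    "device_admin_lock": {"USES_POLICY_FORCE_LOCK"}, # lock the screen during fraud
    "harvest_contacts": {"READ_CONTACTS"},
    "device_identity": {"READ_PHONE_STATE"},         # IMEI / number reported to C2
    "network": {"INTERNET"},
}


def parse_permissions(text):
    """Extract the short permission names from a list like the one above."""
    return set(PERM_RE.findall(text))


def capabilities(perms):
    """Map each capability to True only if all of its permissions are present."""
    return {name: needed <= perms for name, needed in CAPABILITIES.items()}


def looks_like_sms_banker(perms):
    """Triage heuristic: an app that can read incoming SMS, reach the network
    and either send or rewrite SMS matches the classic mTAN-stealer profile.
    Returns (verdict, sorted list of capabilities that fired)."""
    caps = capabilities(perms)
    fired = sorted(name for name, present in caps.items() if present)
    verdict = (caps["intercept_sms"] and caps["network"]
               and (caps["send_sms"] or caps["tamper_sms"]))
    return verdict, fired


if __name__ == "__main__":
    perms = parse_permissions(MARCHER_PERMISSIONS)
    verdict, fired = looks_like_sms_banker(perms)
    print("SMS-banker profile:", verdict)
    for cap in fired:
        print("  +", cap)
```

The rule deliberately requires the whole capability set, so an SMS client that legitimately holds READ_SMS and SEND_SMS but no INTERNET permission does not fire; permissions are a cheap first filter, and a hit should be followed by a look at the manifest receivers and the code that handles SMS_RECEIVED.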

We found three malicious URLs the application tries to beacon to:


Marcher C2 URL code



The domains all use the same registration information, as follows. We have verified the information and can confirm that the address and phone number don't exist.

Registrant Name: joi frey
Registrant Organization:
Registrant Street: 12 mondo
Registrant City: paris
Registrant State/Province: Paris
Registrant Postal Code: 75014
Registrant Country: FR
Phone: +33.0101256325
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: benoit.parene@laposte[.]net

The email address benoit.parene@laposte[.]net was used to register several domains related to the same threat:

Create Date   ASN     Country
12/17/16      57043   NL
12/18/16      57043   NL
12/16/16      57043   NL
12/20/16      57043   NL
12/20/16      57043   NL
12/20/16      57043   NL
12/20/16      57043   NL
12/18/16      57043   NL
12/18/16      57043   NL
11/24/16      48693   RU
11/24/16      48693   RU
12/15/16      57043   NL
(the Domain, Contact Email and IP Address columns of this table did not survive extraction)

From the listed IP addresses, we were able to expand our investigation and find more domains related to the Android Marcher malware. The IP address 185.70.187[.]212, on which a few of the Clash of Clans domains are hosted, revealed another domain, adkjah34[.]com. This domain was registered using the following details:

Registrant Organization: JOSE NILSON ALVES PAMPLONA
Registrant Street: RUA DULCE TORRES BROCHADO  2441
Registrant City: UNAI
Registrant State/Province: MG
Registrant Postal Code: 38610000
Registrant Country: BR
Registrant Phone: +55.11943534986
Registrant Email:[.]br
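The pivots used above (registrant e-mail to domains, hosting IP to co-hosted domains, the new registrant's e-mail to further domains) as an added worked example in Python; this is not the original post's tooling. All WHOIS records, domains, e-mail addresses, phone numbers and IPs below are constructed placeholders in the same "Field: value" shape as the records quoted in the post.

```python
import re
from collections import defaultdict

# Constructed WHOIS excerpts (placeholder registrants, not real records).
WHOIS = {
    "lure-a.example": "Registrant Name: j. doe\nRegistrant Email: reg-one@example.net\nRegistrant Phone: +33.000000001",
    "lure-b.example": "Registrant Name: j. doe\nRegistrant Email: reg-one@example.net\nRegistrant Phone: +33.000000001",
    "lure-c.example": "Registrant Name: j. doe\nRegistrant Email: REG-ONE@example.net\nRegistrant Phone: +33.000000001",
    "cohost-d.example": "Registrant Organization: ACME LTDA\nRegistrant Email: reg-two@example.com.br\nRegistrant Phone: +55.000000002",
    "banload-e.example": "Registrant Organization: ACME LTDA\nRegistrant Email: reg-two@example.com.br\nRegistrant Phone: +55.000000002",
    "unrelated-f.example": "Registrant Name: someone\nRegistrant Email: other@example.org\nRegistrant Phone: +1.000000003",
}

# Constructed passive-DNS style resolutions: domain -> hosting IP (documentation ranges).
HOSTING = {
    "lure-a.example": "192.0.2.10",
    "lure-b.example": "192.0.2.10",
    "lure-c.example": "198.51.100.7",
    "cohost-d.example": "192.0.2.10",
    "banload-e.example": "203.0.113.5",
    "unrelated-f.example": "203.0.113.99",
}

FIELD_RE = re.compile(r"^\s*(Registrant [A-Za-z/ ]+?):\s*(.*?)\s*$", re.M)


def parse_whois(text):
    """Turn 'Registrant X: value' lines into a dict; values lower-cased for matching."""
    return {field: value.lower() for field, value in FIELD_RE.findall(text)}


def index_by(records, field):
    """Inverted index: field value -> set of domains registered with that value."""
    index = defaultdict(set)
    for domain, text in records.items():
        value = parse_whois(text).get(field, "")
        if value:  # skip blank fields (e.g. 'Registrant Fax:')
            index[value].add(domain)
    return index


def pivot(seed_email, whois, hosting):
    """Three hops: seed e-mail -> domains -> their hosting IPs -> co-hosted
    domains -> those domains' registrant e-mails -> further domains."""
    by_email = index_by(whois, "Registrant Email")
    by_ip = defaultdict(set)
    for domain, ip in hosting.items():
        by_ip[ip].add(domain)

    hop1 = set(by_email.get(seed_email.lower(), ()))
    ips = {hosting[d] for d in hop1 if d in hosting}
    hop2 = set().union(*(by_ip[ip] for ip in ips)) - hop1
    new_emails = {parse_whois(whois[d]).get("Registrant Email")
                  for d in hop2 if d in whois} - {None, seed_email.lower()}
    hop3 = set().union(*(by_email[e] for e in new_emails)) - hop1 - hop2
    return {"by_email": hop1, "co_hosted": hop2,
            "new_registrants": new_emails, "by_new_registrant": hop3}


if __name__ == "__main__":
    for key, value in pivot("reg-one@example.net", WHOIS, HOSTING).items():
        print(f"{key}: {sorted(value)}")
```

Each hop widens the net, so the output is a list of leads rather than a verdict: a shared hosting IP in particular is weak evidence on bulk hosting, and registrant pivots only work when the records are not behind a privacy proxy. What made the pivot in this case usable is that the fake registrant details were reused verbatim across records, which is exactly what the e-mail index keys on.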

Several other domains were registered with the same details, and at least five of them are known Banload C2s. Banload is a Brazilian banking Trojan. The domains are:


Sample of forged websites – hxxp://flash-play[.]com


Flash update forged website


Sample of forged websites – hxxp://clashclanscrack[.]com


Clash of Clans forged website


SHA1(flash_mise_a_jour.apk)= d3ebdb1d4f73ed20d16489ef1a477a843d382edc
SHA1(flash_update.apk)= dc42fcd427054227a6ee2dd92b8356e57f9ead77
SHA1(myfile.apk)= da39a3ee5e6b4b0d3255bfef956018
SHA1(classes.dex)= 8af9b4e9b443a4668da6e715fa8a4e1e58fcff77

The value shown for myfile.apk is 30 hex characters rather than 40, so it is truncated as printed, and its prefix matches the SHA-1 of zero-length input (da39a3ee5e6b4b0d3255bfef95601890afd80709); verify that entry before using it as an indicator.
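An added Python helper (not part of the original post) for consuming the indicators above: it sanity-checks each SHA-1 before deployment, then hashes an APK and the classes*.dex entries inside it so that both the file-level and the dex-level indicators can be matched. The IOC table is copied from the post; the sample APK is a constructed zip stand-in, not a real sample.

```python
import hashlib
import io
import re
import zipfile

EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()  # SHA-1 of zero-length input

# SHA-1 indicators as printed in the write-up (myfile.apk copied exactly as shown).
IOCS = {
    "d3ebdb1d4f73ed20d16489ef1a477a843d382edc": "flash_mise_a_jour.apk",
    "dc42fcd427054227a6ee2dd92b8356e57f9ead77": "flash_update.apk",
    "da39a3ee5e6b4b0d3255bfef956018": "myfile.apk",
    "8af9b4e9b443a4668da6e715fa8a4e1e58fcff77": "classes.dex",
}

DEX_RE = re.compile(r"classes\d*\.dex")


def validate_ioc(h):
    """Return the list of problems with a SHA-1 indicator (empty list = usable)."""
    problems = []
    h = h.lower()
    if not re.fullmatch(r"[0-9a-f]{40}", h):
        problems.append("not a 40-char hex SHA-1")
        if EMPTY_SHA1.startswith(h):
            problems.append("prefix of the SHA-1 of empty input")
    elif h == EMPTY_SHA1:
        problems.append("SHA-1 of empty input (zero-length file)")
    return problems


def apk_hashes(apk_bytes):
    """SHA-1 of the whole APK plus each classes*.dex entry read from the zip."""
    result = {"apk": hashlib.sha1(apk_bytes).hexdigest(), "dex": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if DEX_RE.fullmatch(name):
                result["dex"][name] = hashlib.sha1(z.read(name)).hexdigest()
    return result


def match_iocs(hashes, iocs=IOCS):
    """Return (artifact, sha1, ioc_label) for every hash found on the list."""
    hits = []
    if hashes["apk"] in iocs:
        hits.append(("apk", hashes["apk"], iocs[hashes["apk"]]))
    for name, h in hashes["dex"].items():
        if h in iocs:
            hits.append((name, h, iocs[h]))
    return hits


def build_sample_apk(dex_payload):
    """Constructed stand-in for an APK: a zip with a manifest and one classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<placeholder binary manifest>")
        z.writestr("classes.dex", dex_payload)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for h, label in IOCS.items():
        for problem in validate_ioc(h):
            print(f"IOC {label} ({h}): {problem}")
    sample = build_sample_apk(b"dex\n035\x00constructed dex body")
    print(apk_hashes(sample))
    print(match_iocs(apk_hashes(sample)))
```

Hashing classes.dex separately matters because the APK hash changes whenever the lure is repackaged or re-signed, while the dex that carries the bot logic is often reused unchanged across samples; the zero-length check catches the case where a download failed and an empty file was hashed into an indicator list.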
