Three days ago, Trend Micro found a .ru (Russia) domain hosting a fake Flash Player for Android. Tracking similar websites further, AegisLab found that it is part of a systematic malware distribution operation. The malware writers collaborate on or set up blogs to advertise those app domains and their dedicated web pages. The app domains are:


All of the downloads currently lead to hxxp://www.radeon9200.net/download1/{deleted}. Note that on each download, the malware download server injects some junk files into the APK file so that every served APK has a different hash value, in order to fool antimalware programs.

Right now, most antimalware programs can still identify those malicious APKs, but users have to be careful before installing programs from untrusted sources.
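Because the junk files change the whole-file hash on every download, a blocklist of APK hashes will miss repeat samples. The following is an added example (not AegisLab's code) of a defender-side fingerprint that hashes only the core APK entries, so padded copies of the same sample still match. The sample APKs are constructed in memory, and the choice of core entries and the assumption that padding lands outside them are this example's own.

```python
import hashlib
import io
import zipfile

# Entries that carry the app's code and identity. Assumption for this example:
# the per-download padding files are added under other names.
CORE_ENTRIES = ("AndroidManifest.xml", "classes.dex", "resources.arsc")


def file_sha256(apk_bytes):
    """Hash of the whole APK: changes whenever any padding file is added."""
    return hashlib.sha256(apk_bytes).hexdigest()


def core_fingerprint(apk_bytes):
    """Hash the uncompressed content of the core entries, in a fixed order."""
    digest = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = set(apk.namelist())
        for name in CORE_ENTRIES:
            if name in names:
                data = apk.read(name)
                digest.update(name.encode() + b"\0" + len(data).to_bytes(8, "big"))
                digest.update(data)
    return digest.hexdigest()


def extra_entries(apk_bytes):
    """Entries outside the core set, useful for spotting per-download padding."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return sorted(n for n in apk.namelist() if n not in CORE_ENTRIES)


def build_sample(junk, dex=b"dex\n035\0constructed"):
    """Constructed stand-in for a served APK: fixed core plus given junk files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='example.fake'/>")
        z.writestr("classes.dex", dex)
        for name, data in junk.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    a = build_sample({"assets/a1.dat": b"x" * 10})
    b = build_sample({"assets/zz.bin": b"y" * 99, "res/raw/p.txt": b"pad"})
    print(file_sha256(a) == file_sha256(b), core_fingerprint(a) == core_fingerprint(b))
    print(extra_entries(b))
```

Comparing `extra_entries` across two downloads from the same URL also shows which files the server varies per request.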

 

By AegisLab