Android.Moghava: A Recipe for Mayhem

When you know that the goal of a piece of code is to ultimately result in monetary gain for the author, analysis becomes a lot easier; it is a matter of just putting the pieces together until you can figure out how the payload is translated into tangible value. But take away the monetary gain element and, even if you are able to find out what makes something tick in minute detail, you are never quite sure what the final intent of the author was.

However, in the case of Android.Moghava, while there appears to be no monetary gain involved, I would describe it as a juvenile stunt with slight overtones of political satire.

From our analysis of an Iranian recipe app infected with this threat (distributed by a third party rather than through the Android Market), the malware is embedded as an additional package called Moghava. Moghava in Farsi translates as “cardboard”.

The code is executed when the device is turned on and runs in the background at regular intervals as a service called stamper. When the service runs, it searches for images with a .jpg extension in the path /sdcard/DCIM/Camera/ and overlays each image that it finds with another image. Because the service repeats this on every run, each image keeps growing in size until the memory card becomes full.
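Camera photos are written once and should never change size afterwards, so a file under the camera directory that grows on every scan is the observable side effect of the behaviour described above. The following is an added example, not code from Symantec's analysis or from the malware: a host-side monitor that snapshots .jpg sizes in a directory across several scans and reports files that grew at every interval. The directory constant, the function names and the sample files in the demo are assumptions constructed for illustration.

```python
"""Flag .jpg files in a camera directory that keep growing between scans."""
import os
import tempfile
from typing import Dict, List

# Directory the post says the stamper service scans (assumption: we watch the same one).
CAMERA_DIR = "/sdcard/DCIM/Camera/"


def snapshot_jpg_sizes(directory: str) -> Dict[str, int]:
    """Return {filename: size_in_bytes} for every regular .jpg file in directory."""
    sizes = {}
    for name in os.listdir(directory):
        if name.lower().endswith(".jpg"):
            path = os.path.join(directory, name)
            if os.path.isfile(path):
                sizes[name] = os.path.getsize(path)
    return sizes


def growing_files(history: List[Dict[str, int]], min_consecutive: int = 2) -> List[str]:
    """Names of files whose size strictly increased in each of the last
    `min_consecutive` intervals of `history` (a list of snapshots, oldest first).

    A photo that grows at every scan matches the repeated-overlay pattern; a file
    that changed size once (e.g. edited by the user) does not trigger the check.
    """
    if len(history) < min_consecutive + 1:
        return []  # not enough scans yet to judge a trend
    recent = history[-(min_consecutive + 1):]
    suspects = []
    for name in recent[-1]:
        sizes = [snap.get(name) for snap in recent]
        if None in sizes:
            continue  # file was not present across the whole window
        if all(later > earlier for earlier, later in zip(sizes, sizes[1:])):
            suspects.append(name)
    return sorted(suspects)


def demo() -> List[str]:
    """Constructed scenario: three scans of a throw-away directory in which one
    image is appended to between scans, standing in for the overlay rewrite."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample files; contents are filler bytes, not real JPEG data.
        for name, size in (("IMG_001.jpg", 1000), ("IMG_002.jpg", 1500), ("note.txt", 10)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"\xff" * size)
        history = [snapshot_jpg_sizes(d)]
        for _ in range(2):
            # Simulate the service touching IMG_002.jpg on each run: it gets bigger.
            with open(os.path.join(d, "IMG_002.jpg"), "ab") as fh:
                fh.write(b"\x00" * 400)
            history.append(snapshot_jpg_sizes(d))
        return growing_files(history)


if __name__ == "__main__":
    # On a device or a copy of its card, call snapshot_jpg_sizes(CAMERA_DIR) on a
    # schedule and feed the accumulated snapshots to growing_files().
    print(demo())
```

The check deliberately keys on a trend over several scans rather than a single size change, so a user editing one photo is not reported while a file that is rewritten on every service run is.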

The image used by the threat appears to be related to the 33rd anniversary of the return of the Ayatollah Khomeini from exile. This is the first threat discovered so far for the Android platform that actually targets content recorded on a device with the intention of damaging the data.

Even though disinfection of the device is just a matter of uninstalling the app, the damage done to images may be beyond repair. We are still attempting to gauge the exact impact of this threat, as well as identify additional apps that contain this Trojan.