Android/Moghava.A!tr

Analysis

Android/Moghava.A!tr is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as an application for Iranian food recipes. In the background, it corrupts picture files found on the phone.

Technical Details

This malware has been spotted packed along with a non-malicious application for Iranian food recipes (ir.sharif.iranianfoods). The malicious part is contained in the package com.Moghava (Moghava means cardboard in Farsi). The malicious package contains the following classes:
  • com.Moghava.kicker -> This class listens for the OS boot event (android.intent.action.BOOT_COMPLETED) and calls the stamper class described below once that event is received
  • com.Moghava.stamper -> It performs the following functions:
    • It acquires a list of files with the .jpg extension in the path /sdcard/DCIM/Camera on the phone
    • Every image found is overlaid with an image (r.png, found in the package resources). As this is done repeatedly, the available memory eventually fills up.

Permissions required by the application:
  • WRITE_EXTERNAL_STORAGE
  • RECEIVE_BOOT_COMPLETED
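The indicators above (a receiver for BOOT_COMPLETED registered under com.Moghava, together with the two permissions) can be checked statically in a decoded AndroidManifest.xml. The following triage script is an added example and is not Fortinet's detection logic; the manifest it parses is constructed for illustration, not extracted from the real sample.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Indicators from the Moghava.A description: classes under com.Moghava, a
# receiver for BOOT_COMPLETED, and the two permissions the sample requests.
SUSPECT_PREFIX = "com.Moghava"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
EXPECTED_PERMISSIONS = {"android.permission.WRITE_EXTERNAL_STORAGE",
                        "android.permission.RECEIVE_BOOT_COMPLETED"}

def boot_receivers(manifest_xml):
    """Class names of <receiver> elements whose intent filter listens for BOOT_COMPLETED."""
    found = []
    for receiver in ET.fromstring(manifest_xml).iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            found.append(receiver.get(ANDROID_NS + "name", ""))
    return found

def declared_permissions(manifest_xml):
    """Set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

def moghava_indicators(manifest_xml):
    """Reasons (strings) the manifest matches the Moghava.A pattern; empty if none."""
    reasons = []
    receivers = boot_receivers(manifest_xml)
    for name in receivers:
        if name.startswith(SUSPECT_PREFIX):
            reasons.append("boot receiver in suspect package: " + name)
    # Weaker signal: a boot-triggered receiver in an app that also writes external storage.
    if receivers and EXPECTED_PERMISSIONS <= declared_permissions(manifest_xml):
        reasons.append("boot-triggered receiver plus WRITE_EXTERNAL_STORAGE")
    return reasons

# Constructed sample manifest (not taken from the real APK): the recipe app's
# package with the com.Moghava.kicker boot receiver registered alongside it.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="ir.sharif.iranianfoods">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name="com.Moghava.kicker">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(moghava_indicators(SAMPLE_MANIFEST))
```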

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                     Availability
FortiGate                   Extreme
FortiClient                 Extended
FortiMail                   Extended
FortiSandbox                Extended
FortiWeb                    Extended
Web Application Firewall    Extended
FortiIsolator               Extended
FortiDeceptor               Extended
FortiEDR

Version Updates

Date        Version     Detail
2022-06-01  90.02827
2022-01-12  89.08633
2021-05-22  86.00355
2021-04-21  85.00617
2021-01-07  83.13000
2020-04-21  76.87300
2020-04-21  76.87100
2020-04-20  76.84700
2018-09-26  62.48200