March 2, 2012

Doctor Web—a leading Russian information security software developer— informs Android users about a new threat to Android, dubbed Android.Moghava. The Trojan horse searches for JPEG images on a memory card connected to the device and modifies them.

This malware has allegedly been developed in Iran and spreads under the Iranian Foods name via third-party sites providing access to a collection of software for Android. Unlike many other Trojan horses for this platform, Android.Moghava doesn't aim at bringing profit to criminals.

The malicious payload is contained in a module installed as a service named stamper. This service starts periodically and searches for JPEG images on a memory card connected to the device, particularly in the /DCIM/Camera/ folder, which by default stores photos made with the phone camera. If the Trojan horse finds image files in the folder, it adds a Ruhollah Khomeini portrait to all the images.

Despite the fact that the threat signature has been added to the virus database used by Dr.Web for Android Anti-virus + Anti-spam and Dr.Web for Android Light and the Trojan horse is successfully removed during scanning, damaged photos in most cases will not be restored. In addition, unauthorized modification of image files significantly increases their size, which reduces memory card free space significantly or may leave no free space at all.