Illicit Android Image Stamper Overlays All Images on Your Phone or Tablet
Android malware usually involves data-stealing Trojans or other malicious software that attempts to steal personal information or money. But we’ve encountered an interesting new threat that’s not bent on collecting data, or even on acting covertly for that matter.
The threat is detected as Android.Trojan.Stamper.A, and its purpose is to overwrite every image on your device with a predefined sample chosen by the attacker. We have encountered the same behavior with Android.Trojan.Moghava.A.
While Moghava was distributed via a compromised app that offered Iranian food recipes, Stamper has been spotted in a fan news app for a popular Japanese girl band known as “AKB48”. With both Trojans behaving the same, it’s hard to ignore the possibility that we could be looking at the same malware coder or at least someone who refurbished the existing code.
Android.Trojan.Stamper.A waits for the device to boot and then pulls a list of all stored .jpg files. Every image is then overlaid with a predefined sample chosen by the attacker. Named “r.png”, the “stamper” image is stored in the package resources and waits for the “com.voteforwota.stamper” function to trigger its use.
Wota is the name of one of the girls from AKB48 and this is probably a fan’s way of letting everyone know that she’s the best at what she does. The overlaid baby image seems to come from a premium member subscription at AKB Official Net, where those who register can have virtual babies with their favorite AKB48 girl. Just by uploading their image and selecting one of the girls, a virtual baby is rendered, envisioning a possible parenting scenario.
The fact that all your images get overwritten with something else is no laughing matter and you should be aware of what you’re downloading and from where. Making use of an antivirus solution always adds an extra layer of security.
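A static triage check built from the indicators named in this article, as an added example that is not the researchers' own detection logic. It assumes the identifier appears as a string in the manifest or DEX and that start-up at boot is requested through the standard BOOT_COMPLETED action; `triage_apk` and `build_sample` are hypothetical names, and the sample APK is constructed.

```python
import io
import zipfile

# Indicators named in the article; BOOT_ACTION is the standard Android constant.
STAMP_RESOURCE = "r.png"
IDENTIFIER = "com.voteforwota.stamper"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def _encodings(text):
    # Binary AndroidManifest.xml string pools hold UTF-8 or UTF-16LE text.
    return [text.encode("utf-8"), text.encode("utf-16-le")]


def triage_apk(apk_bytes):
    """Return a dict of indicator name -> bool for one APK given as bytes."""
    hits = {"stamp_resource": False, "identifier": False, "boot_receiver": False}
    # DEX class descriptors use '/' separators, the manifest uses '.'.
    id_needles = _encodings(IDENTIFIER) + _encodings(IDENTIFIER.replace(".", "/"))
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if name.rsplit("/", 1)[-1] == STAMP_RESOURCE:
                hits["stamp_resource"] = True
            if name == "AndroidManifest.xml" or name.endswith(".dex"):
                data = apk.read(info)
                if any(n in data for n in id_needles):
                    hits["identifier"] = True
                if name == "AndroidManifest.xml" and any(
                        n in data for n in _encodings(BOOT_ACTION)):
                    hits["boot_receiver"] = True
    return hits


def build_sample(manifest_strings, extra_files):
    """Constructed test input: a zip holding a fake UTF-16LE 'manifest'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml",
                   b"\x00".join(s.encode("utf-16-le") for s in manifest_strings))
        for path, data in extra_files.items():
            z.writestr(path, data)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample([IDENTIFIER, BOOT_ACTION],
                                  {"res/drawable/r.png": b"constructed"})))
```

A file named r.png or a boot receiver alone is common in legitimate apps, so treat a single hit as a reason to look closer and all three together as a strong match.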
This article is based on the technical information provided courtesy of Ioan Lucian STAN, Malware Researcher.