Woburn, MA – December 18, 2017 – Kaspersky Lab researchers have identified a new piece of malware with multiple modules that allow for an almost endless number of malicious features, from cryptocurrency mining to DDoS attacks. Due to its modular architecture, even more functions can be added to it. This unusual and powerful malicious software is called Loapi.
Loapi stands out from single-function Android malware, including banking and crypto-mining Trojans, because it has a complex modular architecture that allows it to perform almost limitless actions on a compromised device.
The Loapi Trojan is being spread through advertising campaigns under the guise of antivirus solutions or adult apps. Once installed, the applications request device admin rights and then discreetly initiate communications with command and control servers to install additional modules.
The architecture includes the following modules:
- Adware – used for the aggressive display of advertising on the user’s device
- SMS – used by the malware to perform various operations with text messages
- Web crawler – used to subscribe users to paid services without their knowledge; the SMS module will hide messages from the user, respond to them as needed and then remove all the “evidence”
- Proxy – allows attackers to execute HTTP requests on behalf of the device; this capability can be used for DDoS attacks
- Monero miner – used to mine the cryptocurrency Monero (XMR)
In addition to its excessive volume of features, Loapi has the capacity to protect itself. As soon as a user tries to revoke device admin rights, the malware blocks the device’s screen and closes the window. Along with this standard protection technique, Loapi can receive from the command and control servers a list of applications that are a danger to it; these are often security solutions intended to remove the malware. If an installed or running application is on the list, the Trojan shows users a fake message saying malicious software has been found and offers users the chance to remove the application. The message is shown in a loop, so even if the user refuses to delete the app at first, the message will continue to be displayed until the user finally agrees.
Besides the Loapi approach to self-defense, Kaspersky Lab has also found an interesting twist: tests on one randomly selected mobile phone demonstrated that the malware creates such a heavy workload on an infected device that it even heats it up and can deform its battery. Apparently, the malware’s authors did not want this to happen, as they are hungry for as much money as they can get by keeping the malware running. However, their lack of attention to the malware’s optimization has led to this unexpected physical “attack vector” and possibly serious damage to user devices.
“Loapi is an interesting representation of Android malware because its authors have embodied almost every possible feature into its design. The reason behind that is simple – it is much easier to compromise a device once and then use it for different kinds of malicious activity aimed at earning illegal money,” said Nikita Buchka, security expert at Kaspersky Lab. “The surprisingly unexpected risk this malware brings is that even though it can’t cause direct financial damage to the user by stealing their credit card data, it can simply destroy the phone. This is not something you would expect from an Android Trojan, even a sophisticated one.”
According to the research, Loapi could possibly be linked to Trojan.AndroidOS.Podec, because both Trojans gather similar information for the command and control server at the start. They also use similar obfuscation methods.
Kaspersky Lab researchers advise users to follow these measures in order to protect their devices and private data from possible cyberattacks:
- Disable the ability to install applications from sources other than official app stores
- Keep the OS version of your device up to date in order to reduce vulnerabilities in the software and lower the risk of attack
- Install a proven security solution in order to protect your device from cyberattacks
More information about the Loapi Trojan can be found on Securelist.com.