Loapi: This malware is capable of destroying Android smartphones

Security researchers from cyber security firm Kaspersky Lab have discovered a new strain of malware that targets Android smartphones and is capable of performing a plethora of malicious activities, from mining cryptocurrencies to launching Distributed Denial of Service (DDoS) attacks and much more.

The new Android Trojan dubbed as “Loapi” has a complicated modular architecture that is capable of performing multiple attacks to such an extent that it can cause the battery to bulge and destroy the device within two days. According to the researchers, the cybercriminals behind this malware are the same responsible for the 2015 Android malware Podec.

Kaspersky Lab researchers have called Loapi a “jack of all trades” and unlike any malware they had seen before. The malware installs modules for advertisement, SMS, web crawling, proxy and a module for mining Monero.

“Loapi is an interesting representative from the world of malicious Android apps. Its creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device. The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time,” warn the security researchers.

According to researchers, Loapi is being distributed through third-party app stores and online advertisements. These usually hide as apps behind “popular antivirus solutions and even a famous porn site.”



After the malicious files are downloaded and installed, Loapi will ask for device administrator permissions in a loop until the user agrees. The malware also checks if the device is rooted, but it doesn’t use root privileges. After acquiring admin privileges, it performs various activities and aggressively fights any attempts to revoke device manager permissions by users. The user will be spammed with endless stream of popups until the user is forced to agree and deleted the application.

The malware communicates with the module-specific command and control (C&C) servers, including module which displays continuous ads and videos, Monero cryptocurrency miner, and a module that allows attackers to send HTTP requests from the victim’s device. Researchers suggest the latter can be used to organize DDoS attacks against specified resources.

In order to get rid of Loapi, users will need to boot to safe mode. Or else, Loapi-infected apps will repeatedly close the Settings window so that users cannot deactivate admin privileges. The process to boot into Safe Mode differs from one smartphone model to another.

For analyzing a Loapi sample, the researchers carried out a test on an Android smartphone. The device was completely destroyed after two days of testing. They noted, “Because of the constant load caused by the mining module and generated traffic, the battery bulged and deformed the phone cover.”

Fortunately, Loapi has not made it onto the official Google Play Store, which means that users who download from the official app store are not affected by the malware. However, users are advised to stay vigilant.

Source: The Hacker News , CSO