Kaspersky Lab researchers have identified a new malware with multiple modules, which allows for an almost endless number of malicious features – from cryptocurrency mining to DDoS attacks.
Due to its modular architecture, even more functions can be added to it.
This unusual malicious software is called Loapi.
Loapi stands out from the crowd of single-function Android malware, such as banking Trojans and crypto-mining Trojans, because it has a complex modular architecture that allows it to perform almost limitless actions on a compromised device.
The Loapi Trojan is being spread through advertising campaigns under the guise of antivirus solutions or apps for adults.
Once installed, the applications request device admin rights and then discreetly initiate communications with command and control servers to install additional modules.
The architecture includes the following modules:
Adware module – used for the aggressive display of advertising on the user’s device.
SMS module – used by the malware to perform various operations with text messages.
Web crawler module – used to subscribe users to paid services without them knowing; the SMS module hides the related messages from the user, responds to them as needed, and then removes all the “evidence”.
Proxy module – allows attackers to execute HTTP requests on behalf of the device, which can be used to carry out DDoS attacks.
Monero miner module – used to mine the cryptocurrency Monero (XMR).
As well as its excessive volume of features, Loapi has the capacity to protect itself.
As soon as a user tries to revoke device admin rights, the malware locks the device’s screen and closes the settings window.
In addition to this standard protection technique, Loapi can receive from the command and control server a list of applications that are dangerous to it.
If an installed or running application is on the list, the Trojan shows users a fake message saying malicious software has been found, and offering users the chance to remove the application.
The message is shown in a loop, so even if the user refuses to delete the app at first, it will be displayed again and again until the user finally agrees.
Besides Loapi’s approach to self-defence, Kaspersky Lab research has also found an interesting twist: tests on one randomly selected mobile phone showed that the malware creates such a heavy workload on an infected device that it heats the device up and can deform its battery.
Apparently, the malware’s authors hardly wanted this to happen, as they are hungry for as much money as they can get by keeping the malware running.
But their lack of attention to the malware’s optimisation has led to this unexpected physical “attack vector” and possibly serious damage to user devices.
“Loapi is an interesting representative of the world of Android malware because its authors have embodied almost every feature possible into its design.
The reason behind that is simple – it is much easier to compromise a device once and then to use it for different kinds of malicious activity aimed at earning illegal money.
The surprisingly unexpected risk which this malware brings is that even though it can’t cause direct financial damage to the user by stealing their credit card data, it can simply destroy the phone.
“This is not something you would expect from an Android Trojan, even a sophisticated one,” said Nikita Buchka, security expert at Kaspersky Lab.
According to the research, Loapi could possibly be linked to Trojan.AndroidOS.Podec.
This is due to the fact that both Trojans gather similar information for the command and control server at the start.
They also have similar obfuscation methods.
Kaspersky Lab researchers advise users to follow these measures in order to protect their devices and private data from possible cyberattack.
Disable the ability to install applications from sources other than official app stores.
Keep the OS version of your device up to date in order to reduce vulnerabilities in the software and lower the risk of attack.
Install a proven security solution in order to protect your device from cyberattack.