Loapi - A newly discovered piece of Android malware carries out a litany of malicious activities, including showing an almost unending series of ads, participating in distributed denial-of-service attacks, sending text messages to any number, and silently subscribing to paid services. Its biggest offense: a surreptitious cryptocurrency miner that's so aggressive it can physically damage an infected phone.
Trojan.AndroidOS.Loapi is hidden inside apps distributed through third-party markets, browser ads, and SMS-based spam.
Researchers from antivirus provider Kaspersky Lab have dubbed it a "jack of all trades" to emphasize the breadth of nefarious things it can do. Most notably, Loapi apps contain a module that mines Monero, a newer type of digital currency that's less resource intensive than Bitcoin and most other cryptocurrencies. The module allows the malware creators to generate new coins by leeching the electricity and hardware of infected phone owners.
Kaspersky Lab researchers tested Loapi in a lab setting. After two days, the mining caused the battery in the phone to bulge so badly it deformed the cover. The researchers provided the pictures as evidence.
"We've never seen such a 'jack of all trades' before," Kaspersky Lab researchers wrote.
According to researchers, the cybercriminals behind Loapi are the same ones responsible for the 2015 Android malware Podec. They are distributing the malware through third-party app stores and online advertisements that pose as apps for "popular antivirus solutions and even a famous p**n site."
A screenshot in the Kaspersky blog suggests that Loapi impersonates at least 20 variations of adult-content apps and legitimate antivirus software from AVG, Psafe DFNDR, Kaspersky Lab, Norton, Avira, Dr. Web and CM Security, among others. Upon installation, Loapi forces the user to grant it 'device administrator' permissions by looping a pop-up until a victim.
Loapi Malware Aggressively Fights to Protect Itself
Researchers also said the malware "aggressively fights any attempts to revoke device manager permissions" by locking the screen and closing phone windows by itself.
Loapi communicates with module-specific command and control (C&C) servers, one each for the advertisement module, the SMS module, the mining module, the web crawler, and the proxy module, to carry out the different functions on the infected device.
By connecting with one of the above-mentioned C&C servers, Loapi sends a list of legitimate antivirus apps that pose a danger to it, then claims the real app is malware and urges the user to delete it by showing a pop-up in a loop until the user finally deletes the app.
Fortunately, Loapi failed to make its way into the Google Play Store, so users who stick to downloads from the official app store are not affected by the malware. But you are advised to remain vigilant even when downloading apps from the Play Store, as malware often makes its way in to infect Android users.
How to protect yourself from the Loapi Trojan
As is often the case, prevention is better than cure. To avoid swallowing the malware bait, observe some simple rules.
1. Install apps only from official stores. Google Play has a dedicated team responsible for catching mobile malware. Trojans do occasionally infiltrate official stores, but the chances of encountering one there are far lower than on dubious sites.
2. Disable the installation of apps from unknown sources for added security. To do so, in Settings go to Security and ensure that the Unknown sources check box is not selected.
3. Always pay attention to what access permissions an app requests during installation, even if you downloaded it from Google Play (there might be Trojans in the official app store as well).
4. Don't install what you don't really need. As a general rule, the fewer applications you install, the more secure your device is.
5. Get a reliable and proven AV for Android.
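Two of the conditions above (sideloading left enabled, and a device administrator you did not intend to grant) can be spot-checked over adb rather than by tapping through Settings. The script below is an added example, not code from the article or from Kaspersky; it assumes adb is on the PATH, that the `install_non_market_apps` secure setting is what the "Unknown sources" toggle writes, and that `dumpsys device_policy` lists admins under an "Enabled Device Admins" header as in the constructed sample.

```shell
# Added example (not from the article or Kaspersky): an adb-based spot check for two
# device-side conditions the list above concerns: "Unknown sources" enabled and
# unexpected device administrators. The dumpsys layout is assumed; sample is constructed.

# Classify the raw value of the install_non_market_apps secure setting, i.e. the output
# of `adb shell settings get secure install_non_market_apps`.
classify_unknown_sources() {
  case "$1" in
    0) echo disabled ;;
    1) echo enabled ;;
    *) echo unknown ;;
  esac
}

# Read `dumpsys device_policy` text on stdin and print the component names
# (package/class) listed under "Enabled Device Admins", one per line.
list_device_admins() {
  awk '
    { match($0, /^ */); ind = RLENGTH }      # indentation of the current line
    /Enabled Device Admins/ { in_sec = 1; hdr = ind; next }
    in_sec && ind <= hdr { in_sec = 0 }      # a sibling header ends the section
    in_sec && /^ *[A-Za-z0-9_.]+\/[A-Za-z0-9_.$]+: *$/ {
      sub(/^ +/, ""); sub(/: *$/, ""); print
    }'
}

# Print every admin read from stdin that is not in the space-separated allow-list $1.
unexpected_admins() {
  allow=" $1 "
  while IFS= read -r admin; do
    case "$allow" in
      *" $admin "*) ;;
      *) echo "$admin" ;;
    esac
  done
}

# Constructed sample; on a real device pipe in `adb shell dumpsys device_policy` instead.
SAMPLE_DUMPSYS='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/.AdminReceiver:
      uid=10087
    com.unknown.sideloaded/.DevAdmin:
      uid=10231
  Password restrictions:
    none'
ALLOWED_ADMINS="com.example.mdm/.AdminReceiver"

echo "unknown sources: $(classify_unknown_sources "${1:-1}")"
printf '%s\n' "$SAMPLE_DUMPSYS" | list_device_admins | unexpected_admins "$ALLOWED_ADMINS"
```

Pass the real setting value as the first argument and replace the sample with live dumpsys output; any admin printed by the last pipeline is one to revoke under Settings > Security > Device administrators before uninstalling the app.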