
Loapi, the New Android Malware, Can Physically Damage Your Phone


Loapi, a new strain of malware targeting Android phones, is capable of performing a plethora of malicious activities, from mining cryptocurrencies to launching DDoS attacks, and so many malicious functions in between that it can cause the battery to bulge and destroy the phone within two days.

The new malware, known as ‘Loapi’, has such a complex modular architecture that Kaspersky Lab researchers called it a “jack of all trades” and unlike any malware they had seen before. It includes an advertisement module, a texting module, a web crawling module, a proxy module and a module for mining Monero. Loapi also aggressively fights to defend itself.

Kaspersky Lab researchers warned:

Loapi is an interesting representative of the world of malicious Android apps. Its creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device. The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time.


Loapi, which may have been created by the same cybercriminals responsible for the 2015 Android malware Podec, is distributed on third-party app stores. Researchers found that Loapi is usually disguised as apps for “popular antivirus solutions and even a famous porn site.”

After the malicious files are downloaded and installed, the app obtains device administrator permissions by using popups. Kaspersky showed an example of a supposed security app asking the user to activate administrator permissions. After acquiring admin privileges, the app either hides its icon or pretends to do what it is supposed to be doing, such as running an antivirus scan.

Loapi malware modules

One Loapi module is for spamming advertisements, opening various URLs, including pages in popular social networks such as Facebook or Instagram, as well as for displaying video ads and banners.

The proxy module can be used to launch DDoS attacks, and the mining module forces the Android to mine for Monero.

Another module is focused on manipulating text messages, using SMS messages to communicate with the attackers’ Command and Control (C&C) server. It also deletes text messages from the inbox and sent folder to keep the user in the dark about the information received from the C&C server.

Yet another module is related to a web crawler, using hidden JavaScript to subscribe users to various services. If the subscription requires a text message verification, Loapi takes care of that, too. The researchers remarked, “This module, together with the advertisement module, tried to open about 28,000 unique URLs on one device during our 24-hour experiment.”

Loapi’s aggressive self-protection

When it comes to self-defense, Loapi “aggressively fights any attempts to reverse device manager permissions,” including retrieving a list of apps from the C&C server that pose a danger to the malware. If one of those apps is installed or launched, Loapi displays a fake message claiming to have detected malware and asks the victim to uninstall it.

The victim will be spammed with this popup until finally caving and selecting uninstall. The researchers wrote, “This message is shown in a loop, so even if the user rejects the offer, the message will be shown again and again until the user finally agrees and deletes the application.”

To get rid of Loapi for certain, users need to boot into safe mode. Until then, the malware will regularly close Settings so users cannot deactivate admin privileges.
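The traits described in this article (distribution outside the official store, device administrator rights, a hidden icon, SMS manipulation) can be combined into a triage rule for a fleet's app inventory. The following is an added example, not code from Kaspersky or from this article's author; the record schema, package names and trait threshold are assumptions, and the sample inventory is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

PLAY_STORE = "com.android.vending"   # installer package name used by Google Play
SMS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}

@dataclass
class AppRecord:                      # hypothetical inventory schema (assumption)
    package: str
    installer: Optional[str]          # None = sideloaded or unknown source
    device_admin: bool                # app is an active device administrator
    launcher_icon: bool               # False = no visible launcher icon
    permissions: set = field(default_factory=set)

def loapi_traits(app):
    """Return which of the behaviours described in the article this app shows."""
    traits = []
    if app.installer != PLAY_STORE:
        traits.append("third-party-install")
    if app.device_admin:
        traits.append("device-admin")
    if not app.launcher_icon:
        traits.append("hidden-icon")
    if app.permissions & SMS_PERMS:
        traits.append("sms-access")
    return traits

def triage(inventory, min_traits=3):
    """Flag device-admin apps that show at least min_traits traits in total.

    Device admin is mandatory: it is what lets the app resist removal.
    """
    flagged = {}
    for app in inventory:
        traits = loapi_traits(app)
        if "device-admin" in traits and len(traits) >= min_traits:
            flagged[app.package] = traits
    return flagged

# Constructed sample inventory; all package names are made up.
SAMPLE = [
    AppRecord("com.example.mdm.agent", PLAY_STORE, True, True),
    AppRecord("com.example.fakeav", None, True, False,
              {"android.permission.SEND_SMS", "android.permission.INTERNET"}),
    AppRecord("com.example.sms.client", PLAY_STORE, False, True,
              {"android.permission.SEND_SMS", "android.permission.READ_SMS"}),
    AppRecord("com.example.sideloaded.game", "com.example.altstore", False, True),
]

if __name__ == "__main__":
    for pkg, traits in triage(SAMPLE).items():
        print(pkg, traits)
```

A legitimate management agent or SMS client shows one or two of these traits; the rule only fires on the combination, so flagged packages are candidates for manual review rather than confirmed infections.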

Loapi destroyed an Android in two days


The researchers showed the test Android used while analyzing the malware. It was completely trashed after two days of testing. They noted, “Because of the constant load caused by the mining module and generated traffic, the battery bulged and deformed the phone cover.”
