The rise of Bitcoin, Litecoin, Monero, and other blockchain tech has coincided with a rise in currency-mining malware, or malicious apps that use your devices’ hardware to generate digital coinage. Now, a new Android malware discovered by Sophos and dubbed Loapi (with the virus name Trojan.AndroidOS.Loapi) has reared its head. It’s the first Android malware of its kind, and it’s being described as a “jack of all trades”.
Loapi isn’t on the Google Play Store, and there’s no evidence it has ever infected apps on the Play Store. Rather, it’s served through advertisements and fake cracked apps, and often masquerades as pornography content and antivirus software.
Loapi, once installed, forcibly prompts for device administrator access. It also polls devices for root access, but it isn’t clear why: it doesn’t seem to take advantage of root privileges. It’s likely functionality that will come in a future update.
The malware attempting to gain device administrator access. (Source: Kaspersky)
Next, the application does one of two things: it either hides the app shortcut from the app drawer, or poses as a legitimate application. An example of the latter behavior is in the screenshots below, but things are a whole lot worse than they seem on the surface. Once the malware gains administrator access, it connects to numerous servers hosted by the attackers and downloads modules, or parts of the application which execute malicious actions. These modules are in the form of .so files, which are the Linux equivalent of .dll files. Unlike executable files, these files are libraries, meaning that sections of them can be called at any time, whereas executables have a fixed entry point.
Functionality of the Loapi Android Malware
First and foremost, Loapi self-preserves. It restricts users from accessing the device administrator menu by closing it whenever it’s opened from the settings menu, and prevents users from uninstalling the infected host app. What’s more, it prompts users to uninstall any applications on the device that might pose a threat to it, like security apps and malware scanners. If the user doesn’t uninstall them, the prompt shows continually as a toast message.
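Because Loapi closes the device administrator settings screen as soon as it opens, the on-device UI is not a reliable way to see which apps hold admin rights. The following triage helper is an added example, not code from the article or from Kaspersky/SecureList: it parses the text of `adb shell dumpsys device_policy` and flags any device admin package that is not on a defender-maintained allowlist. The allowlist contents, the helper names, and the sample dumpsys text are assumptions constructed for the demo; the real output layout varies between Android versions, so the regular expression targets only the `ComponentInfo{package/class}` lines.

```python
"""Flag unexpected Android device-administrator apps (added example, not the article's code).

Parses the text produced by `adb shell dumpsys device_policy`. The layout assumed
here is an approximation: real output differs between Android versions, so only
the ComponentInfo{...} lines are relied upon.
"""
import re
import subprocess

# Assumption: an allowlist of device-admin packages the defender expects to see.
KNOWN_ADMINS = {
    "com.google.android.apps.work.clouddpc",  # hypothetical MDM agent on the allowlist
}

# Constructed sample resembling dumpsys output; not captured from a real device.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.google.android.apps.work.clouddpc/com.google.android.apps.work.clouddpc.receivers.CloudDeviceAdminReceiver}:
      uid=10123
    ComponentInfo{com.example.fakeav.update/com.example.fakeav.update.AdminReceiver}:
      uid=10245
"""

# Matches "ComponentInfo{<package>/<receiver class>}" wherever it appears.
COMPONENT_RE = re.compile(r"ComponentInfo\{([^/}]+)/([^}]+)\}")


def parse_device_admins(dumpsys_text: str) -> list[tuple[str, str]]:
    """Return (package, receiver_class) pairs for every enabled device admin."""
    return [(m.group(1), m.group(2)) for m in COMPONENT_RE.finditer(dumpsys_text)]


def unexpected_admins(dumpsys_text: str, allowlist=KNOWN_ADMINS) -> list[str]:
    """Packages holding device-admin rights that are not on the allowlist, sorted."""
    return sorted({pkg for pkg, _ in parse_device_admins(dumpsys_text) if pkg not in allowlist})


def read_live_dumpsys() -> str:
    """Pull the real output from an attached device (requires adb on PATH and USB debugging)."""
    result = subprocess.run(
        ["adb", "shell", "dumpsys", "device_policy"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Swap SAMPLE_DUMPSYS for read_live_dumpsys() when a device is attached.
    for pkg in unexpected_admins(SAMPLE_DUMPSYS):
        print(f"[!] unexpected device admin: {pkg} (review before it blocks its own removal)")
```

On a real device, an admin that should not be there can be revoked over adb with `adb shell dpm remove-active-admin <package/class>` before uninstalling the package, which sidesteps the malware's habit of closing the settings screen; the component string to pass is exactly what `parse_device_admins` returns.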
Advertisements and Monero Cryptocurrency Mining
Loapi runs a number of advertising schemes that generate revenue in the background. Security researchers have observed it:
- Displaying video ads and banners
- Opening specific URLs
- Creating shortcuts on the device
- Displaying notifications
- Opening pages on popular social networks, including Facebook, Instagram, VK
- Downloading and installing other applications
It can also mine Monero, a kind of cryptocurrency. Why Monero? To put it simply, as more transactions of a given cryptocurrency (like Bitcoin) are processed, the blockchain, which keeps track of all of the existing coins, increases the difficulty, making it harder to generate new coins. Monero isn’t particularly valuable, but the difficulty is low enough that weaker devices can generate them. Loapi rotates between as many as ten different accounts in one Monero mining pool.
Loapi has total control over SMS on infected devices, and it has the capability to text premium-rate numbers. Here’s what it can do:
- Send inbox SMS messages to attackers’ server
- Reply to incoming messages according to specified masks (masks are received from a remote server)
- Send SMS messages with specified text to specified number (all information is received from a remote server)
- Delete SMS messages from inbox and sent folder according to specified masks (masks are received from a remote server)
Many of the features aren’t presently in use, but could be in the future.
Retailers that allow you to bill purchases to your phone plan use a service called WAP (Wireless Application Protocol). Participating websites let you purchase something without the need for a bank account, and stick the charge to your monthly phone bill.
This service has been abused by malware in the past to make payments to sites attackers control, and Loapi is no different. Security researchers at SecureList found a built-in web crawler that searches for these services online, and at one point, it opened 28,000 unique URLs in a 24-hour period.
DDoS and Proxy for Attackers
Finally, Loapi can create a proxy for attackers, meaning infected devices can be used to perpetrate a DDoS attack.
Results of the Loapi Android Malware
Things went from bad to worse in SecureList’s testing of Loapi. Not only did the infected applications place a huge strain on the devices that ran them, but they posed a safety hazard: the test devices’ batteries bulged as a result of high internal heat.
The resulting damage to a Nexus 5 after Loapi ran for two days. (Source: Kaspersky)
Here’s the takeaway: Be careful what you download, and only download applications from trusted sources like the Play Store. There’s no better way to avoid malware like Loapi.