A newly discovered strain of malware targeting Android phones is capable of performing an assortment of malicious actions, from launching DDoS attacks to mining cryptocurrencies.
It does the latter so intensely, the Kaspersky researchers said in a post about the threat, that it can cause the battery to bulge and wreck the phone within two days.
“We’ve never seen such a ‘jack of all trades’ before,” Kaspersky Lab wrote in Monday’s report about the new threat, which the researchers call “Loapi.” According to them, “its creators have implemented almost the entire spectrum of techniques for attacking devices.”
The researchers speculate that the strain may have evolved from Podec, a malware family first noticed in 2015. Back then, cyber criminals were using Podec to bypass Advice of Charge (AoC) and CAPTCHAs to subscribe unsuspecting victims to premium-rate SMS services. Whether or not the two are related, Loapi is one of the most adaptable Android trojans to date.
Loapi is currently advertised on third-party app stores, disguised as a mobile antivirus or adult-content app. Luckily for Android fans, Loapi hasn’t been spotted on the Google App Store. However, users should remain vigilant, including on official marketplaces, as malware may slip through the cracks.
After the fake app with malicious files is downloaded and installed, Loapi obtains device administrator rights. The app pushes the user to give it the advanced permissions by looping a pop-up until the victim gives in and clicks yes. As soon as Loapi gains the privileges, it hides its icon from the menu.
Loapi “aggressively fights any attempts to revoke device manager permissions,” according to Kaspersky. If the smartphone owner tries to deprive the app of administrator rights, the Trojan locks down the screen and closes the Settings window. It will even download real malicious apps just to convince the user that they really need the apparent antivirus software.
To remove Loapi, users will have to boot their device in Safe Mode. The procedure to boot into Safe Mode depends on the specific smartphone model.
Loapi deploys up to five distinct modules to take complete control of the user’s phone. For instance, according to Kaspersky, its advertising and subscription sign-up features made 28,000 different requests over a 24-hour period.
Some mobile operators ask to confirm a subscription by sending a text message to the device from which the request came. “In such cases the Trojan uses SMS module functionality to send a reply with the required text,” Kaspersky wrote. What’s more, it immediately deletes all messages (both outgoing and incoming).
Loapi’s mining module uses the processing power of the device to solve complex equations and verify transactions, which then earns the hackers the Monero currency. During the Kaspersky research, Loapi used up system resources so quickly that the battery of the phone used for testing overheated, causing it to expand and burst out of the phone case.
As usual, prevention is better than cure. To avoid falling for the malware con, you should observe a few simple rules.