The rise of Bitcoin, Litecoin, Monero, and other blockchain tech has coincided with a rise in currency-mining malware, or malicious apps that use your devices’ hardware to generate digital coinage. Now, a new Android malware discovered by Sophos and dubbed Loapi (with the virus name Trojan.AndroidOS.Loapi) has reared its head. It’s the first Android malware of its kind, and it’s being described as a “jack of all trades”.
Loapi isn’t on the Google Play Store, and there’s no evidence it’s ever infected apps on the Play Store. Rather, it’s served through advertisements and fake cracked apps, and often masquerades as pornography content and antivirus software.
Loapi, once installed, forcibly prompts for device administrator access. It also polls devices for root access, but it isn’t clear why — it doesn’t seem to take advantage of root privileges. It’s likely functionality that’ll come in a future update.
Next, the application does one of two things: It either hides the app shortcut from the app drawer, or poses as a legitimate application. An example of the latter behavior’s in the screenshots below, but things are a whole lot worse than they seem on the surface. Once the malware gains administrator access, it connects to multiple servers hosted by the attackers and downloads modules, or parts of the application which execute malicious actions. These modules are in the form of .so files, which are the Linux version of .dll files. Unlike executable files, these files are libraries meaning that sections of them can be called at any time. Executables have a fixed starting point.
Functionality of the Loapi Android Malware
First and foremost, Loapi self-preserves. It restricts users from accessing the device administrator menu by closing it whenever it’s opened from the settings menu, and prevents users from uninstalling the infected host app. What’s more, it prompts users to uninstall any applications on the device that might pose a threat to it, like security apps and malware scanners. If the user doesn’t uninstall them, the prompt shows continually as a toast message.
Advertisements and Monero Cryptocurrency Mining
Loapi runs a number of advertising schemes that generate revenue in the background. Security researchers have observed it:
- Displaying video ads and banners
- Opening specific URLs
- Creating shortcuts on the device
- Showing notifications
- Opening pages on popular social networks, including Facebook, Instagram, VK
- Downloading and installing other applications
It can also mine Monero, a kind of cryptocurrency. Why Monero? To put it simply, as more transactions of a given cryptocurrency (like Bitcoin) are processed, the blockchain, which keeps track of all of the existing coins, increases the difficulty, making it harder to generate new coins. Monero isn’t particularly valuable, but the difficulty is low enough that weaker devices can generate them. Loapi rotates between as many as ten different accounts in one Monero mining pool.
Loapi has full control over SMS on infected devices, and it has the ability to text premium-rate numbers. Here’s what it can do:
- Send inbox SMS messages to attackers’ server
- Reply to incoming messages according to specified masks (masks are received from a remote server)
- Send SMS messages with specified text to specified number (all information is received from a remote server)
- Delete SMS messages from inbox and sent folder according to specified masks (masks are received from a remote server)
Many of the features aren’t currently in use, but could be in the future.
Retailers that allow you to bill purchases to your phone plan use a service called WAP (Wireless Application Protocol). Participating websites let you purchase something without the need for a bank account, and stick the charge to your monthly phone bill.
This service has been abused by malware in the past to make payments to sites attackers control, and Loapi is no different. Security researchers at SecureList found a built-in web crawler built that searches for these services online, and at one point, it opened 28,000 unique URLs in a 24-hour period.
DDoS and Proxy for Attackers
Finally, Loapi can create a proxy for attackers, meaning infected devices can be used to perpetrate a DDoS attack.
Results of the Loapi Android Malware
Things went from bad to worse in SecureList’s testing of Loapi. Not only did the infected applications place a huge strain on the devices that ran them, but they posed a safety hazard — the test devices’ batteries bulged as a result of high internal heat.
Here’s the takeaway: Be careful what you download, and only download applications from trusted sources like the Play Store. There’s no better way to avoid malware like Loapi.
Via: Pixel Spot
Rojenx is a leading concept artist who work appears in games and publications
Check out his personal gallery here