Loapi malware is a new Android malware variant that is capable of causing permanent damage to Android smartphones.
The new malware variant was recently discovered by researchers at Kaspersky Lab. In contrast to many new malware variants that operate silently and remain on the device indefinitely, Loapi malware infections can be short-lived. Kaspersky performed a test on an Android phone and discovered that within two days the phone had been destroyed.
The aim of the malware is not sabotage. Destruction of the device is just collateral damage that results from the intense activity of the malware. Loapi malware performs a wide range of malicious functions simultaneously, including some processor-intensive activities that cause the device to overheat, causing irreparable damage.
In the test, over the two days, the constant activity caused the device to overheat and the battery to bulge; deforming the device and its cover.
The researchers said Loapi malware is likely no other malware variant they have seen, and the researchers have seen plenty. Loapi malware was called a ‘jack of all trades’ due to its extensive capabilities. The malware is used to mine the cryptocurrency Monero, a processor-intensive process. The malware uses processing power of infected devices to create new coins. While the mining process is less intensive than for Bitcoin, it still takes its toll.
Additionally, the malware allows infected devices to be used in DDoS attacks, making constant visits to websites to take down online services. The malware is used to spam advertisements, and bombards the user with banners and videos
The malware will silently subscribe to online services, and if they require text message confirmation, that is also handled by the malware. The malware gains access to SMS messages and can send text messages to any number, including premium services. Text messages are used to communicate with its C2 server. Messages are subsequently deleted by the malware to prevent detection by the user, along with any text message confirmations of subscriptions to online services. Kaspersky Lab researchers note that the malware attempted to access more than 28,000 URLs in the two days of the test.
Any apps that are installed on the device that could potentially affect the functioning of the malware are flagged with a false warning that the app contains malware, telling the user to uninstall them. The user will be bombarded with these messages until the app is uninstalled, while other security controls prevent the user from uninstalling the malware or deactivating its admin privileges.
There is little the malware cannot do. The researchers point out that the only function that Loapi does not perform is spying on the user, but since the modular malware can be easily updated, that function could even be added.
While conclusive proof has not been obtained, Kaspersky Lab strongly suspects the malware is the work of the same cybercriminal operation that was behind Podec malware.
So how is Loapi malware distributed? Kaspersky notes that as is common with other Android malware variants, it is being distributed by fake apps on third-party app stores, most commonly disguised as anti-virus apps. A fake app for a popular porn website has also been used. Additionally, fake adverts have been detected that promote these fake apps, with more than 20 separate locations discovered to be pushing the malware.
The malware has not yet been added to the Google Play store, so infections can be prevented by always using official app stores.