A nasty piece of Android malware spreading online contains a cryptocurrency miner that can overheat a phone in two days if it's not removed.
Researchers at Kaspersky Lab have found over 20 trojanized porn and security apps carrying malware called Loapi, which plunders a phone's hardware for a range of money-making schemes. Besides forcing infected devices to mine the Bitcoin alternative Monero, the malware also uses devices as part of a likely for-hire traffic attack service, and to display unwanted ads.
The most harmful impact though is its mining functionality, which is so aggressive it could potentially create a fire hazard if it's not stopped. Kaspersky researchers installed the malware on a test phone, which wrecked the device after two days due to the incessant mining. As shown in the picture above, just 48 hours after infection the device’s battery had bulged and warped the back cover.
All of Loapi’s current functions are designed to earn its operators revenue from victims’ hardware and screens. The only missing malicious feature is a tool to spy on victims, though this capability may be added in the future thanks to the malware’s modular design.
The trojan also has a web crawling module that allows the attacker to subscribe to paid services on behalf of the victim. Additionally, it can send SMS messages, which are used to send requests to the attacker's command and control server to retrieve commands.
Meanwhile, the advertising module allows the malware to display video and banner ads, open any specified website, create shortcuts on the device, show notifications, open pages on Facebook, Instagram and Russian social network VK, and download other apps.
The malware appears to be connected to another piece of modular Android malware known as Podec, which had two modules designed to subscribe to paid-for services.
Fortunately, this malware hasn’t been seen on Google Play. The researchers note the Loapi trojan apps are spreading via advertising campaigns, which redirect victims to a malicious web page in order to download the malware.
The security app front may enhance Loapi's creators' chances of the victim approving device administrator permissions. However, it also gives victims little choice but to grant this permission by locking them in a message loop until the victim concedes. The malware also prevents victims from removing these permissions by locking the screen and closing the device manager settings.
Further, the malware can receive a list of apps that are a threat to it, such as legitimate anti-malware products, which it then prompts the user to uninstall. Again, the malware uses message loops to give the victim little choice but to remove the legitimate anti-malware.
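The combination described in the last two paragraphs, a device-administrator receiver plus SMS and screen-overlay capabilities, is something an analyst can check for statically before an app is installed. The following triage script is an added example, not code from the article or from Kaspersky: it parses an AndroidManifest.xml, lists any receiver guarded by `BIND_DEVICE_ADMIN`, and flags the app for review when it also requests permissions commonly needed for the behaviour described (SMS, drawing over other apps, watching the foreground app, prompting uninstalls). The permission list, the verdict labels and both sample manifests are constructed for illustration; the second manifest shows the edge case of a legitimate admin-style app that requests device admin but none of the risky permissions.

```python
"""Triage an Android manifest for the device-admin coercion pattern (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERM = f"{{{ANDROID_NS}}}permission"

# Hypothetical heuristic list: permissions that, alongside a device-admin receiver,
# match the behaviour the article describes (SMS to the C2, overlay message loops,
# watching the foreground app to close settings, prompting uninstalls).
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send SMS (command channel)",
    "android.permission.RECEIVE_SMS": "can read incoming SMS",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (message loops)",
    "android.permission.PACKAGE_USAGE_STATS": "can see the foreground app (close settings)",
    "android.permission.REQUEST_DELETE_PACKAGES": "can prompt package uninstalls",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, device-admin receivers, risky permissions and a verdict."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")

    requested = {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}

    # A device-admin receiver is a <receiver> protected by BIND_DEVICE_ADMIN that
    # listens for DEVICE_ADMIN_ENABLED; that is what the "activate" prompt binds to.
    admin_receivers = []
    for receiver in root.iter("receiver"):
        if receiver.get(PERM) != "android.permission.BIND_DEVICE_ADMIN":
            continue
        actions = {a.get(NAME) for a in receiver.iter("action")}
        if "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            admin_receivers.append(receiver.get(NAME))

    risky = sorted(p for p in requested if p in RISKY_PERMISSIONS)

    # Verdict labels are this example's own convention, not an Android concept.
    if admin_receivers and risky:
        verdict = "review"       # admin rights plus coercion-capable permissions
    elif admin_receivers:
        verdict = "admin-only"   # e.g. a genuine device-management agent
    else:
        verdict = "clean"

    return {
        "package": package,
        "admin_receivers": admin_receivers,
        "risky_permissions": risky,
        "reasons": [RISKY_PERMISSIONS[p] for p in risky],
        "verdict": verdict,
    }


# Constructed sample: a fake "security" app that wants device admin, SMS and overlays.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeav">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Free Antivirus">
    <receiver android:name="com.example.fakeav.AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a device-management agent that needs admin but nothing risky.
MDM_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mdmagent">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Corp MDM">
    <receiver android:name="com.example.mdmagent.PolicyReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, MDM_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["verdict"], result["reasons"])
```

Run against a manifest extracted with a tool such as apktool; a "review" verdict is a reason to look at the app's behaviour, not proof of malice, since legitimate security and parental-control apps can legitimately hold several of these permissions.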