A strain of Android malware found lurking on third-party application stores is so packed full of nefarious capabilities it can cause physical damage to smartphones.
Security experts from Moscow-based anti-virus company Kaspersky Lab said Monday (18 December) that a newly discovered Trojan – dubbed Loapi – exploited a handset to the extent that within two days of infection it caused the battery to bulge out of the phone’s cover.
Loapi could be used to “mine” a type of cryptocurrency, overwhelm a device with ads, launch denial-of-service (DoS) cyberattacks, access text messages and connect to the web. The malware was posing as at least 20 variations of anti-virus software and porn applications.
“We’ve never seen such a ‘jack of all trades’ before,” Kaspersky Lab commented in a blog post.
Upon installation, the researchers explained, Loapi forces the user to give it heightened device permissions by looping a pop-up until a victim clicks yes.
Then, it either hides its icon or simulates antivirus activity, seemingly in an attempt to dupe the user into believing the app is legitimate.
Kaspersky Lab said it “aggressively fights any attempts to revoke device manager permissions” by locking the screen and closing windows by itself. By connecting with the hacker’s command and control (C&C) server, it is actually sending a list of real apps that pose a danger to it.
If it detects a real anti-virus app, it claims it is malware and urges the user to delete it. Again, it shows the message in a loop until the victim finally agrees to delete the application.
According to Kaspersky Lab, it is the app’s crypto-mining that causes the battery to bulge. It uses the device’s computing power in order to produce a digital currency called Monero.
The team said the software appeared to be a new version of “Podec” – a Trojan found in 2015. They wrote: “Loapi is an interesting representative from the world of malicious Android apps.
“Its creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet.”
The blog post added: “The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time.”
Luckily for Android fans, Loapi was not on the Google App Store. But users should remain vigilant, even on official marketplaces, as malicious software often slips through the cracks.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.