On December 18, 2017, Kaspersky Lab announced the discovery of a previously undetected trojan named “Loapi” in a blog post on its website. At face value, this malware may seem like just another entry in the long list of malware discovered in the Android ecosystem over the past few years. The malware in question, however, runs a cryptocurrency miner on infected devices so aggressively that it causes physical hardware failure.
Bombardment of Notifications
Unlike other malware, the Loapi trojan does not attempt to cleverly conceal its identity and sneak onto the Google Play Store, nor does it try to secretly siphon user identity and potentially private data from the device it infects. Instead, users obtain the virus through ad banners on illegal websites, adult-content apps and, ironically, fake anti-virus applications. While an innocuous app install screen greets users, things quickly start falling apart post-installation.
Upon successful installation of the app carrying the malware, the user is prompted to provide it with administrator access to the device. The app is pretty blatant in its attempts to get the user’s attention, indicated by the bombardment of notifications that it sends until the user caves and grants the app admin access.
Giving a mobile application administrator access equates to handing it control over the entire phone’s operation. Once granted, the app can, at its own discretion, decide to show banners and video advertisements, open Facebook web pages and even run cryptocurrency miners in the background during normal phone operation, eventually bringing the phone to an unusable crawl.
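As an added defender-side example (not code from the original post or from Kaspersky Lab): a small Python parser that reads the output of `adb shell dumpsys device_policy`, lists every enabled device-admin component with the policies it holds, and flags any component that an operator has not explicitly allowlisted. The output layout, the sample dump, the allowlist and the package names are constructed assumptions for this example, not values from the article.

```python
"""Flag unexpected device-admin receivers in `dumpsys device_policy` output.

Added example for this article, not code from Kaspersky Lab or any project it
mentions. It assumes the output shape of `adb shell dumpsys device_policy`
shown in SAMPLE_DUMPSYS below (constructed for this example) and an
operator-maintained allowlist of admin components; both are assumptions.
"""
import re

# Constructed sample, modelled on the "Enabled Device Admins" section of
# `dumpsys device_policy`. The package names are made up for this example.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Device Owner:
    (none)
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.mdm/com.example.mdm.AdminReceiver}:
      uid=10087
      testOnlyAdmin=false
      policies:
        force-lock
        wipe-data
    ComponentInfo{com.fake.antivirus/com.fake.antivirus.DeviceAdmin}:
      uid=10142
      testOnlyAdmin=false
      policies:
        force-lock
        wipe-data
        disable-keyguard-features
"""

# Components an organisation knowingly granted admin rights (e.g. its MDM).
# Hypothetical allowlist for this example.
ALLOWLIST = {"com.example.mdm/com.example.mdm.AdminReceiver"}

_COMPONENT = re.compile(r"^\s*ComponentInfo\{([^}]+)\}:\s*$")
_POLICY_HEADER = re.compile(r"^\s*policies:\s*$")


def parse_device_admins(dump: str) -> dict[str, list[str]]:
    """Return {component: [policies]} for every enabled device admin."""
    admins: dict[str, list[str]] = {}
    current = None
    in_policies = False
    for line in dump.splitlines():
        m = _COMPONENT.match(line)
        if m:
            # A new ComponentInfo{...}: line starts the next admin's record.
            current = m.group(1)
            admins[current] = []
            in_policies = False
            continue
        if current is None:
            continue
        if _POLICY_HEADER.match(line):
            in_policies = True
            continue
        if in_policies:
            stripped = line.strip()
            # Policy names are single tokens; a key=value line or a new
            # "section:" line ends the policy list.
            if stripped and "=" not in stripped and not stripped.endswith(":"):
                admins[current].append(stripped)
            else:
                in_policies = False
    return admins


def unexpected_admins(dump: str, allowlist: set[str]) -> dict[str, list[str]]:
    """Admins not on the allowlist, with the policies they hold."""
    return {c: p for c, p in parse_device_admins(dump).items() if c not in allowlist}


if __name__ == "__main__":
    for component, policies in unexpected_admins(SAMPLE_DUMPSYS, ALLOWLIST).items():
        print(f"UNEXPECTED device admin: {component}")
        print("  policies:", ", ".join(policies))
```

Run it against a real dump by piping `adb shell dumpsys device_policy` into `parse_device_admins`; any admin holding `wipe-data` or `force-lock` that the organisation did not deliberately enrol is exactly the kind of grant the article describes users being badgered into.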
Mobile Cryptocurrency Miners
The last point is one of great concern here. With Monero miners making their way onto websites and desktops, it was only a matter of time before mobiles were affected too. Mobile cryptocurrency miners are particularly harmful because of their tendency to cause irreversible damage to hardware. In Kaspersky Lab’s testing, the Loapi trojan caused a test smartphone to overheat due to prolonged processor usage. Furthermore, after a mere 48 hours of continuous operation and presumed mining, lab technicians also found that the smartphone’s battery had fried.
The blog post also highlighted how the trojan could force a device into contributing to a botnet, which would ultimately be used for distributed denial of service (DDoS) attacks against web resources. With the administrator permission granted, the malware can start its built-in proxy server and potentially send a large number of HTTP requests over the internet.
Kaspersky Lab concluded its blog post by encouraging users to be wary of apps found outside the Google Play Store and recommending the use of a reputable anti-virus application. While it is no secret that Google does not curate apps on the Android marketplace as carefully as Apple does on its App Store, installing apps from unknown sources presents a much more significant threat.
Earlier in 2017, Google announced the rollout of its Play Protect program designed to keep malware out of the Play Store. Little can be done, however, when the mode of installation lies outside the realm of Google’s offerings.