The trojan uses adverts to direct Android phones to malicious websites, installing itself and asking for admin permissions under the guide of virus scanners or adult websites. If the user decides against those permissions, the app will loop, and continue asking until they consent. The app then hides its icon or masquerades as a real virus scanner. The second a user tries to revoke permissions, it will lock the screen and close the window. If a real virus scanner kicks in, Loapi’s fake one will detect it as malware and ask the user to uninstall it.
Multi-purpose Modules
From there, it’s all bad news. Loapi deploys up to five modules, each with a different purpose, to completely own the user’s phone. As well as intrusive advertisements, it can send, receive, reply to, and delete text messages. Combined with a web crawling module, it can use that functionality to sign the user up for various paid services, which it will confirm automatically. In the testing of Kaspersky Lab, it tried to open 28,000 unique URLs in a 24-hour period. A proxy module, meanwhile, attempts DDoS attacks against specified services. However, the real kicker comes in Loapi’s cryptocurrency miner. It uses the user’s hardware to mine Monero, a highly anonymous currency. Combined with the generated traffic, it caused enormous load on Kaspersky’s test device, bulging and deforming the battery and destroying the phone’s back cover. Kaspersky found links between this Laopi and a previous Android one known as Podec, a 2015 SMS trojan that could bypass Captcha. C&C IP addresses, as a similar structure and methods make it likely, but not conclusive. Whatever the case, it’s one of the most adaptable Android trojans to date “The only thing missing is user espionage,” said the Kaspersky team, “but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time.”