Loapi Android Trojan Does All Sorts of Bad

A recently discovered Android malware features a modular architecture that allows it to perform a broad range of nefarious activities, Kaspersky Lab researchers warn.

Detected by Kaspersky as Trojan.AndroidOS.Loapi, the malicious program was found masquerading as antivirus solutions or adult content apps. Its capabilities, the security researchers say, range from mining for cryptocurrencies to displaying a constant stream of ads and to launching distributed denial of service (DDoS) attacks, among others.

The mobile threat was observed distributed via advertising campaigns that redirected users to the attackers’ malicious websites. After installation, the malware attempts to gain device administrator rights, continuously requesting them in a loop. Although it checks whether the device is rooted, the Trojan doesn’t use root privileges.

If the user gives in and grants the malicious app admin privileges, Loapi either hides its icon in the menu or simulates antivirus activity. The displayed behavior depends on the type of application it masquerades as, Kaspersky has discovered.

The Trojan can prevent users from revoking its device manager permissions by locking the screen and closing the window with device manager settings. Moreover, the malware receives from the command and control (C&C) server a list of apps that could pose a danger and uses it to monitor the installation and launch of those apps.

When such an app is installed or launched, the Trojan displays a fake message claiming it has detected malware, prompting the user to delete it. The message is displayed in a loop, thus preventing the user from dismissing it until the application is deleted.

At installation, Loapi receives from the C&C lists of modules to install or remove, a list of domains that serve as C&C, an additional reserved list of domains, the list of “dangerous” apps, and a flag whether to hide its app icon. At a third stage during the process, the necessary modules are downloaded and initialized.

An advertisement module is used to aggressively display ads on the device, but can also be used to open URLs, create shortcuts, show notifications, open pages in popular social network apps (including Facebook, Instagram, VK), and download and install other applications.

An SMS module can perform various text message manipulation operations. Based on C&C commands, it can send inbox SMS messages to attackers’ server, reply to incoming messages, send SMS messages with specified text to specified number, delete SMS messages from inbox and sent folder, and execute requests to URL and run specified JavaScript code in the page received as response.

A Web crawling module can subscribe users to services by covertly ex
ecuting JavaScript code on web pages with WAP billing, in addition to performing web page crawling. Should operators send text messages asking for confirmation, the SMS module is employed to reply with the required text. Together with the ad module, it was observed attempting to open 28,000 unique URLs on a single device during a 24-hour experiment.

The Trojan also packs a proxy module that allows attackers to send HTTP requests from the victims’ devices via an HTTP proxy server. This feature allows the malware authors to organize DDoS attacks against specified resources or to change the Internet connection type on a device, the security researchers warn.

Another module uses the Android version of minerd to mine for the Monero (XMR) cryptocurrency.

According to Kaspersky, Loapi might be related to the Podec malware (Trojan.AndroidOS.Podec), as both threats use the same C&C server IP address, both use the same obfuscation, and feature similar ways of detecting superuser on the device. Moreover, both collect information with similar structure and content and send it in JSON format to the C&C during the initial stage.

“Loapi is an interesting representative from the world of malicious Android apps. Its creators have implemented almost the entire spectrum of techniques for attacking devices […]. The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time,” Kaspersky concludes.

Related: WAP Billing Trojans Threaten Android Users

Related: Multi-Stage Android Malware Evades Google Play Detection