Adding to the pack of Android malware, Kaspersky Lab has spotted a new Android malware sample called “Trojan.AndroidOS.Loapi”. The researchers have managed to link Loapi with another trojan called “Trojan.AndroidOS.Podec” which was active in 2015.
Other than mining cryptocurrency, the jack of all trades Loapi can also be used to display ads, launch DDoS attacks from the target device, manage SMS, subscribe users to paid services, etc. All of this is possible because of Loapi’s architecture which comprises of different modules. This also makes it possible to add more functionality at a later point in time.
According to a blog post by the researchers, the Loapi malware is being spread through advertising campaigns. They have found around 20 domains masqueraded as the websites of popular Antivirus solutions and pornography websites including.
The malware is wrapped inside many known Android apps which are downloaded by the victims after getting redirected to the malicious websites created by the attackers.
The malware apps are designed to simulate the working of the real app they impersonate while doing their evil tasks in the background.
Once installed, the malicious apps try to obtain administrator privileges on the device by continuously promoting the users until they agree. The situation gets worse when the user tries to revoke the permissions in device manager settings. As a self-destructive measure, the malware app closes the screen and locks the device.
The researchers also found that the malware sources a list of apps (such as legitimate AV apps) from its C&C that could be dangerous to the malware itself. It repeatedly displays fake malware warning alerts when it senses that “those dangerous apps” are installed on the device.
Regarding the cryptocurrency mining, the malware apps are designed to mine Monero from the users’ devices. The researchers installed an Android app with Loapi trojan on a test device. After two days, the constant load by the mining module caused the battery to bulge and damage the device physically.
Also Read: Linux And Windows Machines Being Attacked By “Zealot” Campaign To Mine Cryptocurrency
