Nowadays Trojanized Android apps are evolving rapidly in the Google Play store and are continuously targeting users. A new malware strain Trojan.AndroidOS.Loapi consists of modular architecture which is capable of performing multiple attacks. Security researchers from Kaspersky labs discovered the trojan dubbed “Loapi” which can physically damage the phone by downloading a Monero mining module which generates a constant load that damages the battery and phone cover.

How the Malicious files Distributed – Loapi

Loapi has not reached the Play Store. It is distributed through advertising campaigns. It hides behind some Antivirus, adult content apps, researchers found more than 20 sources that distribute Loapi. Users are redirected to the attacker’s malicious website and the file is downloaded from there.

Once installed, it checks for the root permission, but doesn’t use root privileges. The application attempts to get device administrator permissions.

Execution and Self-Protection

If Loapi obtains admin permissions, it performs various activities and won’t allow users to revoke the device manager permissions by using standard and forcing users to uninstall legitimate Antivirus by posing endless stream of popups.

Initially, it downloads the malicious app file and the second stage the DEX payload which sends the device information to the C&C servers, with the third stage the modules are downloaded and initialized.

Modules Installed

Advertisement module: Involved in the progress of aggressive ads displaying. SMS module: used in Sending requests to C&C Web crawling module: used in Hidden Javascript execution Proxy module: HTTP proxy server used to organize DDoS attacks Mining Monero: Used to perform to perform Monero (XMR) cryptocurrency mining

Researchers found Loapi connected with Trojan.AndroidOS.Podec they are having similar techniques with obfuscation, functionality and detecting root permissions for the device.