Kaspersky Lab researchers warn that they have found a malicious program with a modular architecture that lets it carry out a wide range of malicious activities. The mobile threat, named Trojan.AndroidOS.Loapi, is disguised as an antivirus solution or an adult content application.
According to the security experts, the trojan's capabilities range from mining cryptocurrency to displaying a constant stream of ads and launching distributed denial of service (DDoS) attacks, among others.
Trojan.AndroidOS.Loapi is usually distributed via advertising campaigns that redirect users to the attackers' malicious websites. Once installed on the system, the trojan tries to gain device administrator rights, requesting them continuously in a loop.
Although the threat checks whether the device is rooted, Trojan.AndroidOS.Loapi does not use any root privileges. If the user grants the malicious application admin privileges, the trojan either hides its icon in the menu or simulates antivirus activity.
According to the Kaspersky researchers, the behavior Trojan.AndroidOS.Loapi displays usually depends on the type of application it masquerades as. The threat prevents users from revoking its device manager permissions by locking the screen and closing the device manager settings window.
The trojan receives from the command and control (C&C) server a list of apps that could pose a danger to it and uses that list to monitor the installation and launch of those applications. When such an app is installed or launched, the trojan shows a fake message claiming that it has detected malware and asks the user to delete the app. The message is displayed in a loop so that the user cannot dismiss it until the application is deleted.
During the installation process, Trojan.AndroidOS.Loapi receives from the C&C server lists of modules to install or remove, a list of domains that serve as C&C, an additional reserved list of domains, the list of “dangerous” applications, and a flag indicating whether to hide its app icon. During the third stage of the process, the necessary modules are downloaded and initialized.
An advertisement module is used to constantly display adverts on the device; it can also open URLs, create shortcuts, show notifications, open pages in popular social network applications (including Facebook, Instagram and VK), and download and install other apps.
The SMS module performs various text message manipulation operations. Based on C&C commands, it can send inbox SMS messages to the attackers' server, reply to incoming messages, send SMS messages with specified text to a specified number, delete SMS messages from the inbox and sent folders, and send requests to a URL and run specified JavaScript code in the page received as the response.
The web crawling module can subscribe users to services by covertly executing JavaScript code on web pages with WAP billing, in addition to crawling web pages. When the operators send text messages asking for confirmation, the SMS module is used to reply with the required text. Together with the ad module, it was observed attempting to open 28,000 unique URLs on a single device during a 24-hour experiment.
Additionally, Trojan.AndroidOS.Loapi packs a proxy module that lets the attackers send HTTP requests from victims' devices through an HTTP proxy server. This feature allows the malware operators to mount DDoS attacks against specified resources or to change the Internet connection type on a device.
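The write-up describes a combination of capabilities (a looped device-admin request, SMS interception and sending, network access for the ad, crawler and proxy modules) that an analyst can check for statically before dynamic analysis. The following is an added triage example, not Kaspersky's code or anything from the Loapi sample; it parses a constructed AndroidManifest.xml and flags that combination.

```python
"""Static manifest triage for the capability combination described in the
Loapi write-up. Added example; the manifest below is constructed, not taken
from a real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Constructed manifest of a fake "antivirus" app with the traits described.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeav">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Permission groups mapped to the modules the article describes.
CAPABILITIES = {
    "sms": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
            "android.permission.RECEIVE_SMS"},
    "network": {"android.permission.INTERNET"},        # ads, crawler, proxy
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},  # looped prompts
}

def manifest_capabilities(xml_text):
    """Return the set of capability labels found in a manifest string."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    found = {cap for cap, needed in CAPABILITIES.items() if perms & needed}
    # Device admin is declared structurally: a receiver guarded by
    # BIND_DEVICE_ADMIN rather than a uses-permission entry.
    for recv in root.iter("receiver"):
        if recv.get(PERMISSION) == "android.permission.BIND_DEVICE_ADMIN":
            found.add("device_admin")
    return found

def loapi_like(caps):
    """True when device admin, SMS and network access all coincide."""
    return {"device_admin", "sms", "network"} <= caps

if __name__ == "__main__":
    caps = manifest_capabilities(SAMPLE_MANIFEST)
    print(sorted(caps), "flagged:", loapi_like(caps))
```

The flag is a triage signal only; legitimate device-policy or messaging apps can share these permissions, so a hit should route the APK to behavioral analysis rather than a verdict.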
Another module uses the Android version of minerd to mine the Monero (XMR) cryptocurrency.
Because both threats use the same C&C server IP address and the same obfuscation, and detect superuser access on the device in similar ways, the Kaspersky experts suggest that the Loapi trojan might be related to the Podec malware (Trojan.AndroidOS.Podec).
“Loapi is an interesting representative from the world of malicious Android apps. Its creators have implemented almost the entire spectrum of techniques for attacking devices […]. The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time,” the Kaspersky team states.