A new type of malware known as Loapi has been discovered on Android smartphones. It can mine cryptocurrencies, push constant adverts on users and launch distributed denial of service (DDoS) attacks from the affected device.
Kaspersky Lab, who first discovered the malware, said it had “seen such a ‘jack of all trades’ before”.
However, potentially the biggest differentiator in the Loapi malware is the fact it can cause physical damage to smartphones. Kaspersky Lab found that because of the constant activity caused by the mining module and generated traffic, the battery bulged and deformed the phone cover in its test device.
The researchers said that samples of the Loapi family are being distributed through advertising campaigns. The malicious files are downloaded after the user is redirected to the attackers’ malicious web resource. The malware hides within antivirus solutions that the user thinks are genuine, as well as adult websites.
After it is installed, Loapi demands administrator rights from the user, with researchers saying “it doesn’t take no for an answer; notification after notification appears on the screen until the desperate user finally gives in and taps OK”.
If the smartphone owner later tries to deprive the app of administrator rights, the Trojan locks the screen and closes the settings window. If the user then attempts to download apps that protect the device, such as a genuine antivirus, Loapi flags them as malware and requests their removal. Another notification demanding that it is removed pops up endlessly, until the user gives in.
Loapi can also sign users up to subscription services in secret, as well as download new modules. According to the researchers, that means it can adapt to any new cash-out strategy its creators develop. For example, one day it might transform into ransomware, spyware or a banking Trojan.