Researchers at cyber security company Kaspersky Lab have discovered a new Android mobile Trojan called Loapi.
It uses a modular architecture, allowing functions to be added to the software so it can be used for anything from cryptocurrency mining to DDoS attacks. Crucially, though, Loapi can create such a heavy workload on an infected device that the battery overheats and destroys the phone.
The Trojan is being spread through advertising campaigns under the guise of antivirus solutions or adult apps. Once installed, the applications request device admin rights and then discreetly initiate communications with command and control servers to install additional modules.
Modules seen up to now include adware, SMS, a web crawler that signs users up to paid services without their knowledge, a proxy module that allows attackers to execute HTTP requests on behalf of the device, and a Monero cryptocurrency miner.
Loapi also has some sophisticated defensive capabilities. As soon as a user tries to revoke device admin rights, the malware blocks the device's screen and closes the window. In addition, Loapi can obtain from the command and control servers a list of applications that are dangerous to it; these are often security solutions intended to remove the malware. If an application on the list is found installed or running on the device, the Trojan shows the user a fake message saying malicious software has been found and offers the chance to remove the application. The message is shown in a loop, so even if the user refuses to delete the app at first, it is displayed over and over again until the user finally agrees.
"Loapi is an interesting representative of the world of Android malware because its authors have embodied almost every feature possible into its design," says Nikita Buchka, security expert at Kaspersky Lab. "The reason behind that is simple -- it is much easier to compromise a device once and then to use it for different kinds of malicious activity aimed at earning illegal money. The surprisingly unexpected risk which this malware brings is that even though it can’t cause direct financial damage to the user by stealing their credit card data, it can simply destroy the phone. This is not something you would expect from an Android Trojan, even a sophisticated one."
To protect yourself, Kaspersky recommends disabling the ability to install applications from sources other than official app stores, keeping the device OS up to date, and installing a good security solution.
You can find out more on the Kaspersky SecureList blog.