A new strain of malware targeting Android phones is capable of performing a plethora of malicious activities, from mining cryptocurrencies to launching DDoS attacks — and so many more malicious functions in between those extremes that it can cause the battery to bulge and destroy the phone within two days.

This malware, dubbed Loapi, has such a complicated modular architecture that Kaspersky Lab researchers called it a “jack of all trades” and unlike any malware they had seen before. It has an advertisement module, a texting module, a web crawling module, a proxy module and a module for mining Monero. Loapi also aggressively fights to protect itself.

Kaspersky Lab researchers warned:

Loapi is an interesting representative from the world of malicious Android apps. Its creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device. The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time.

Loapi, which may have been created by the same cyber thugs responsible for the 2015 Android malware Podec, is distributed on third-party app stores. Researchers found that Loapi is usually disguised as apps for “popular antivirus solutions and even a famous porn site.”

After the malicious files are downloaded and installed, the app obtains device administrator permissions by using popups. Kaspersky showed an example of a supposed security app needing the user to activate administrator permissions. After acquiring admin privileges, the app either hides its icon or pretends to do what it is supposed to be doing, such as running an antivirus scan.

Loapi malware modules

One Loapi module is for spamming advertisements, opening various URLs, including pages in popular social networks such as Facebook or Instagram, as well as for displaying videos ads and banners.

The proxy module can be used to launch DDoS attacks, and the mining module forces the Android to mine for Monero.

Another module is focused on manipulating text messages, using SMS messages to communicate with the attackers’ Command and Control (C&C) server. It also deletes text messages from the inbox and sent folder to keep the user in the dark about the information received from the C&C server.

Yet another module is related to a web crawler, using hidden JavaScript to subscribe users to various services. If the subscription requires a text message confirmation, Loapi takes care of that, too. The researchers noted, “This module, together with the advertisement module, tried to open about 28,000 unique URLs on one device during our 24-hour experiment.”

Loapi's aggressive self-protection

When it comes to self-protection, Loapi “aggressively fights any attempts to revoke device manager permissions,” including receiving a list of apps from the C&C server that endanger the malware. If that app is installed or launched, then Loapi displays a fake message claiming to have detected malware and asks the victim to uninstall it.

The victim will be spammed with this popup until finally caving and selecting uninstall. The researchers wrote, “This message is shown in a loop, so even if the user rejects the offer, the message will be shown again and again until the user finally agrees and deletes the application.”

To actually get rid of Loapi, users will need to boot to safe mode. Otherwise, the malware will continually close Settings so users cannot deactivate admin privileges.

Loapi destroyed an Android in two days

The researchers showed the test Android used while analyzing the malware. It was completely trashed after two days of testing. They noted, “Because of the constant load caused by the mining module and generated traffic, the battery bulged and deformed the phone cover.”