Android trojan has miner so aggressive it can bork your battery

Loapi found in smut apps, fake virus scanners

Kaspersky researchers have turned up a strain of malware lurking in adult-content apps and fake antivirus apps, and it can run a victim's Android mobe so hard that the handset itself suffers physical damage.

The Android trojan, dubbed “Loapi”, has a modular architecture: depending on which modules the operators push, it can mine cryptocurrency, take part in DDoS attacks, send SMS messages, crawl the web, act as a proxy, or bombard suffering users with constant advertisements.

The sample analysed by Kaspersky's Nikita Buchka, Anton Kivva, and Dmitry Galov was left running for a few days mining the Monero cryptocurrency, and worked their test device so hard that “the battery bulged and deformed the phone cover.”

Loapi communicates with the following module-specific command and control servers:

  • ronesio.xyz (advertisement module);
  • api-profit.com:5210 (SMS module and mining module);
  • mnfioew.info (web crawler); and
  • mp-app.info (proxy module)
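To turn those indicators into something a SOC can act on, here is an added example (my code, not Kaspersky's or The Register's) that matches constructed DNS and connection log lines against the four C2 hosts above. It treats subdomains as matches, refuses substring false positives, and records whether a connection to api-profit.com used the reported port 5210. The log format, the field names and the sample lines are assumptions constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional

# Module-specific C2 hosts listed in the Kaspersky write-up quoted above.
# Port is None where no port was reported.
LOAPI_C2 = {
    "ronesio.xyz":    ("advertisement module", None),
    "api-profit.com": ("SMS and mining modules", 5210),
    "mnfioew.info":   ("web crawler module", None),
    "mp-app.info":    ("proxy module", None),
}

class Hit(NamedTuple):
    line_no: int
    host: str
    port: Optional[int]
    indicator: str
    module: str
    port_matches: bool  # False only if a C2 port is known and a connection used another

# Assumed log line format (constructed for this example, not a real product's):
#   <timestamp> <client> <dns|conn> <host>[:<port>]
LOG_RE = re.compile(
    r"^\S+\s+(?P<client>\S+)\s+(?P<kind>dns|conn)\s+(?P<host>[^\s:]+)(?::(?P<port>\d+))?\s*$"
)

def domain_matches(host: str, indicator: str) -> bool:
    """True if host equals the indicator or is a subdomain of it (case-insensitive).
    A plain substring check would wrongly hit e.g. 'notmp-app.info'."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)

def match_iocs(lines: List[str]) -> List[Hit]:
    """Scan log lines and return every line whose host is a Loapi C2 domain."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not judged clean or dirty
        host = m.group("host")
        port = int(m.group("port")) if m.group("port") else None
        for indicator, (module, c2_port) in LOAPI_C2.items():
            if domain_matches(host, indicator):
                # DNS lookups carry no port, so only connections are port-checked.
                port_ok = c2_port is None or m.group("kind") == "dns" or port == c2_port
                hits.append(Hit(n, host, port, indicator, module, port_ok))
    return hits

# Constructed sample log; only lines 2, 3 and 4 should be flagged.
SAMPLE_LOG = """\
2017-12-18T10:00:01Z 10.0.0.12 dns www.example.com
2017-12-18T10:00:03Z 10.0.0.12 dns ronesio.xyz
2017-12-18T10:00:04Z 10.0.0.12 conn api-profit.com:5210
2017-12-18T10:00:05Z 10.0.0.12 conn cdn.MP-APP.info:443
2017-12-18T10:00:06Z 10.0.0.12 conn notmp-app.info:443
this line is not in the expected format
""".splitlines()

if __name__ == "__main__":
    for h in match_iocs(SAMPLE_LOG):
        note = "" if h.port_matches else " (port differs from reported C2 port)"
        print(f"line {h.line_no}: {h.host} -> {h.indicator} [{h.module}]{note}")
```

Point the loop at real resolver or proxy logs by adjusting LOG_RE; the suffix-based domain match and the per-module port check are the parts worth keeping.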

The Web crawler module, Kaspersky said, “is used for hidden JavaScript code execution on web pages with WAP billing in order to subscribe the user to various services”, and works in conjunction with the SMS module, which sends the subscription message the carrier-billing flow requires.

Working with the ad module, the Web crawler “tried to open about 28,000 unique URLs on one device during our 24-hour experiment.”

Adups gets a redux

The folk over at Malwarebytes have had their own find-of-the-week: Shanghai Adups Technology, the China-based company that a year ago shipped data-harvesting firmware, is also behind a pre-installed auto-installer that Malwarebytes detects as “Android/PUP.Riskware.Autoins.Fota”.

After the noise about Adups died down, Malwarebytes' Nathan Collier wrote, one component went overlooked: “It comes with the package names com.adups.fota.sysoper and com.fw.upgrade.sysoper, appears in the app list as UpgradeSys, and has the filename FWUpgradeProvider.apk.”

Like Adups' earlier firmware, the installer runs with system privileges because it ships pre-installed on the device, so it can't be removed through the normal Settings menu; and while it isn't malicious on its own, it could be used to pull down other dangerous software without the user's say-so.
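A quick way to check a handset for the component, as an added example (my code, not Malwarebytes' and not what their recommended Debloater tool does internally): parse the output of `adb shell pm list packages` for the two package names above and emit the stock `pm disable-user` commands, which stop a pre-installed app for a given Android user without root. The sample package list is constructed; everything else relies only on standard adb/pm behaviour.

```python
import subprocess
from typing import List

# Package names Malwarebytes reported for the Adups auto-installer (from the article).
ADUPS_PACKAGES = ("com.adups.fota.sysoper", "com.fw.upgrade.sysoper")

def parse_pm_list(pm_output: str) -> List[str]:
    """Turn `pm list packages` output ('package:<name>' per line) into a list of names."""
    names = []
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.append(line[len("package:"):])
    return names

def find_adups(installed: List[str]) -> List[str]:
    """Return whichever of the known Adups packages are installed, in fixed order."""
    present = set(installed)
    return [p for p in ADUPS_PACKAGES if p in present]

def disable_commands(pkgs: List[str], user: int = 0) -> List[str]:
    """adb commands to stop each package for one Android user without root.
    `pm disable-user` leaves the APK on /system (it cannot be deleted without root)
    but prevents it from running for that user; a factory reset re-enables it,
    so re-run this check afterwards."""
    return [f"adb shell pm disable-user --user {user} {p}" for p in pkgs]

def list_installed_packages() -> List[str]:
    """Query the attached device over adb (needs adb on PATH and USB debugging on)."""
    out = subprocess.run(["adb", "shell", "pm", "list", "packages"],
                         capture_output=True, text=True, check=True).stdout
    return parse_pm_list(out)

# Constructed sample standing in for a real device's package list.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.adups.fota.sysoper
package:com.android.settings
package:com.fw.upgrade.sysoper
"""

if __name__ == "__main__":
    try:
        installed = list_installed_packages()
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("no device reachable via adb; using the constructed sample list")
        installed = parse_pm_list(SAMPLE_PM_OUTPUT)
    found = find_adups(installed)
    if not found:
        print("Adups FOTA installer not present")
    for cmd in disable_commands(found):
        print(cmd)  # review, then run by hand
```

The script only prints the disable commands rather than executing them, so you can confirm the package names on the device first; a wrong `pm disable-user` against a genuine system component can leave the phone misbehaving until it is re-enabled with `pm enable`.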

Malwarebytes provides instructions on disabling the installer, using the Debloater tool. ®

Biting the hand that feeds IT © 1998–2018