{"id":20510,"date":"2017-12-18T10:35:09","date_gmt":"2017-12-18T15:35:09","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=20510"},"modified":"2019-11-15T06:42:55","modified_gmt":"2019-11-15T11:42:55","slug":"loapi-trojan","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/loapi-trojan\/20510\/","title":{"rendered":"Loapi \u2014 this Trojan is hot!"},"content":{"rendered":"<p>Virus writers are creating all sorts of unpleasantness for Android device owners. We all know about the theft of personal data that later turns up on the black market. And about money leaking out of credit cards. But what about a Trojan that can make your device literally go up in smoke? Well, <a href=\"https:\/\/securelist.com\/jack-of-all-trades\/83470\/\" target=\"_blank\" rel=\"noopener noreferrer\">it\u2019s here<\/a>.<\/p>\n<h2>How does jack-of-all-trades Loapi operate?<\/h2>\n<p>Users pick up the Loapi Trojan by clicking on an ad banner and downloading a fake AV or adult-content app (the most likely vehicles for this Trojan). After installation, Loapi demands administrator rights \u2014 and it doesn\u2019t take no for an answer; notification after notification appears on the screen until the desperate user finally gives in and taps OK.<\/p>\n<p>If the smartphone owner later tries to deprive the app of administrator rights, the Trojan locks the screen and closes the settings window. And if the user tries to download apps that genuinely protect the device (for example, a real AV, not a fake one), Loapi declares them to be malware and demands their removal. 
Another notification to that effect pops up endlessly, until the user throws in the towel.<\/p>\n<div id=\"attachment_20513\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/12\/18101729\/loapi-hidden-in-apps.jpeg\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" aria-describedby=\"caption-attachment-20513\" class=\"size-large wp-image-20513\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/12\/18101729\/loapi-hidden-in-apps-1024x536.jpeg\" alt=\"\" width=\"1024\" height=\"536\"><\/a><p id=\"caption-attachment-20513\" class=\"wp-caption-text\">Icons of fake apps in which Loapi conceals itself<\/p><\/div>\n<p>Because of Loapi\u2019s modular structure, it can switch functions on the fly at a remote server\u2019s command, downloading and installing the necessary add-ons all by itself. Let\u2019s take a look at some consequences of an encounter with the new Trojan.<\/p>\n<h3>1. Unwanted ads<\/h3>\n<p>Loapi relentlessly plagues the owner of the infected smartphone with banner and video ads. This module of the Trojan can also download and install other apps, visit links, and open pages in Facebook, Instagram, and VKontakte \u2014 apparently to drive up various ratings.<\/p>\n<h3>2.\u00a0Paid subscriptions<\/h3>\n<p>Another module of the Trojan can sign up users to paid services. Such subscriptions usually need to be confirmed by SMS \u2014 but that doesn\u2019t stop Loapi either. It has yet another special module that sends a text message to the required number, and does so secretly. 
What\u2019s more, all messages (both outgoing and incoming) are immediately deleted.<\/p>\n<h3>3.\u00a0DDoS attacks<\/h3>\n<p>The Trojan can turn your phone into a zombie and hijack it to use in <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/dos-denial-of-service-attack\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener noreferrer\">DDoS attacks<\/a> against Web resources. To do so, it uses a built-in proxy server and sends HTTP requests from the infected device.<\/p>\n<h3>4.\u00a0Cryptomining<\/h3>\n<p>Loapi also uses smartphones to mine Monero tokens. It is this activity that can overheat your device as a result of the prolonged operation of the processor at maximum load. During our research, the battery of the test smartphone overcooked 48 hours after the device was infected.<a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/12\/18101727\/loapi-battery-overheat-photo.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20511\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/12\/18101727\/loapi-battery-overheat-photo.jpg\" alt=\"\" width=\"960\" height=\"600\"><\/a><\/p>\n<h3>5. Downloading new modules<\/h3>\n<p>Now for the most interesting bit. At the command of a remote center, the malware can download new modules \u2014 that is, adapt to any new cash-out strategy its creators develop. For example, one day it might transform into ransomware, spyware, or a banking Trojan. In the code of the current version, our experts discovered functions that have yet to be deployed and are clearly intended for use further down the line.<\/p>\n<h2>How to protect yourself from the Loapi Trojan<\/h2>\n<p>As is often the case, prevention is better than cure. To avoid swallowing the malware bait, observe some simple rules.<\/p>\n<ul>\n<li>Install apps only from official stores. 
Google Play has a dedicated team responsible for catching mobile malware. Trojans do occasionally infiltrate official stores, but the chances of encountering one there are far lower than on dubious sites.<\/li>\n<li>Disable the installation of apps from unknown sources for added security. To do so, in <em>Settings<\/em> go to <em>Security<\/em> and ensure that the <em>Unknown sources<\/em> check box is not selected.<\/li>\n<li>Don\u2019t install what you don\u2019t really need. As a general rule, the fewer applications you install, the more secure your device is.<\/li>\n<li>Get a reliable and proven AV for Android and regularly scan your device with it. Even free applications, such as the basic version of <a href=\"https:\/\/app.appsflyer.com\/com.kms.free?pid=smm&amp;c=ww_kdaily\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Kaspersky Internet Security for Android<\/a>, offer good protection.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The new Loapi Trojan will recruit your smartphone for DDoS attacks, bombard it with ads, or use it to mine cryptocurrency, making it 
red-hot.<\/p>\n","protected":false},"author":2484,"featured_media":20512,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[105,2640,1058,2792,2756,422,723],"class_list":{"0":"post-20510","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-android","9":"tag-cryptocurrencies","10":"tag-ddos","11":"tag-loapi","12":"tag-miners","13":"tag-threats","14":"tag-trojans"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/loapi-trojan\/20510\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/loapi-trojan\/12017\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/loapi-trojan\/10004\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/loapi-trojan\/14245\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/loapi-trojan\/12461\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/loapi-trojan\/12224\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/loapi-trojan\/15024\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/loapi-trojan\/14846\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/loapi-trojan\/19382\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/loapi-trojan\/4552\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/loapi-trojan\/8690\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/loapi-trojan\/9041\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/loapi-trojan\/19061\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/loapi-trojan\/19228\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/loapi-trojan\/19216\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/
www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20510","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2484"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=20510"}],"version-history":[{"count":11,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20510\/revisions"}],"predecessor-version":[{"id":29847,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20510\/revisions\/29847"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/20512"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=20510"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=20510"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=20510"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}