Your Android phone might melt because of Loapi malware


The amount of malware waiting for you on the Internet is truly staggering, and the con artists behind it are always searching for ways to make some extra money. New versions of existing threats are released all the time, and new viruses are constantly in development. The one making the rounds now was discovered by Kaspersky Lab and is called Loapi. It has a wide range of functions, to say the least: cryptocurrency mining, DDoS attacks and so much more that infected Android phones eventually break down physically.

What happens is that the battery of your device bulges. From the moment of infection, it takes literally two days to put the phone completely out of commission. The modular architecture of Loapi is so sophisticated that Kaspersky Lab researchers called it a “jack of all trades.” They add that it is unlike any threat they have seen before, which shows that cybercriminals don’t just rely on old technology to make money; they adopt new techniques that let them evolve their creations and make them even more dangerous. Loapi carries a Monero mining module, a texting module, a proxy module, an advertisement module and a web crawling module. On top of that, it doesn’t go down without a fight: it is very aggressive, and its self-protection is designed so that removing it is a difficult task.

We should also point out that this threat can subscribe you to various services without you being aware of it, perform various actions on your behalf, and send SMS messages to any number, making them look as if you sent them and potentially infecting even more devices. The virus isn’t currently capable of espionage, but its modular architecture is so advanced that such a capability may well be added in the future. There are signs pointing to Loapi being created by the same people who were behind the 2015 Android malware Podec, and it is distributed through third-party app stores. It is usually disguised as a popular antivirus solution or even as a famous porn site. As soon as all of the files required to execute the malware are on your device, it uses pop-ups to obtain administrator permissions. Once they are granted, the application icon either disappears or the app pretends to perform the promised functionality, such as scanning the OS for viruses.

One of the Loapi modules is meant for spamming advertisements. It randomly opens different URLs, including Facebook or Instagram pages, and also shows banners or video ads. The proxy module helps launch DDoS attacks. The mining module turns your Android device into a Monero mining machine and takes up all of its resources to do so. Another module handles text messages, using them to communicate with the attackers’ Command and Control (C&C) server. Loapi also covers its traces by deleting those messages from the Inbox and Sent folders, so that you never see what it received from the C&C server.

Another module is a web crawler. It subscribes you to various services using JavaScript, and it can do this even when the subscription requires you to enter a confirmation code from a text message. Kaspersky noted that, “this module, together with the advertisement module, tried to open about 28,000 unique URLs on one device during our 24-hour experiment.”
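The 28,000 unique URLs in 24 hours that Kaspersky measured is a rate no human using a phone produces, which makes it a usable detection signal on a gateway or proxy. The script below is an added example, not code from the article, from Kaspersky Lab or from the malware itself; it assumes a simple log format of `timestamp device-id URL` per line (an assumption, since the article shows no logs), buckets unique URLs per device per hour, and flags any device that exceeds a threshold. The threshold of 300 unique URLs per hour is a chosen value (28,000 per day is roughly 1,170 per hour, and a normal phone sits far below that); the sample log is constructed inline.

```python
"""Flag devices generating an abnormal number of unique URLs per hour.

Added example for this article. The log format (ISO timestamp, device id, URL
separated by whitespace) and the threshold are assumptions; the sample log is
constructed, not captured from a real device.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Assumed threshold: well below the ~1,170 unique URLs/hour an infected device
# produced in Kaspersky's experiment, well above ordinary browsing.
UNIQUE_URLS_PER_HOUR_THRESHOLD = 300


def parse_line(line):
    """Parse 'YYYY-MM-DDTHH:MM:SS device-id URL' into (hour_bucket, device, url).

    Returns None for malformed records so a bad line cannot abort the sweep.
    """
    parts = line.strip().split(maxsplit=2)
    if len(parts) != 3:
        return None
    ts, device, url = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    s = urlsplit(url)
    if not s.scheme or not s.netloc:
        return None
    # Keep scheme, host, path and query; drop only the fragment, which never
    # reaches the server and would otherwise inflate the unique count.
    normalised = f"{s.scheme}://{s.netloc.lower()}{s.path or '/'}"
    if s.query:
        normalised += "?" + s.query
    return when.strftime("%Y-%m-%dT%H"), device, normalised


def unique_urls_per_hour(lines):
    """Map (device, hour) -> set of distinct URLs seen in that hour."""
    buckets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        hour, device, url = parsed
        buckets[(device, hour)].add(url)
    return buckets


def flag_devices(lines, threshold=UNIQUE_URLS_PER_HOUR_THRESHOLD):
    """Return sorted (device, hour, unique_url_count) tuples over the threshold."""
    buckets = unique_urls_per_hour(lines)
    hits = [
        (device, hour, len(urls))
        for (device, hour), urls in buckets.items()
        if len(urls) > threshold
    ]
    return sorted(hits)


def build_sample_log():
    """Constructed sample: one quiet phone and one behaving like an infected device."""
    lines = []
    # phone-A: a few ordinary visits, one of them repeated (2 unique URLs).
    normal = ["https://example.org/", "https://example.org/news", "https://example.org/"]
    for i, url in enumerate(normal):
        lines.append(f"2017-12-19T13:{i:02d}:00 phone-A {url}")
    # phone-B: 450 distinct ad URLs inside a single hour.
    for i in range(450):
        lines.append(
            f"2017-12-19T13:{i % 60:02d}:{i // 60:02d} phone-B "
            f"https://ads.example.net/banner/{i}#frag"
        )
    # A malformed record that the parser must skip rather than crash on.
    lines.append("garbage line without a url")
    return lines


if __name__ == "__main__":
    for device, hour, count in flag_devices(build_sample_log()):
        print(f"ALERT {device} {hour}: {count} unique URLs in one hour")
```

Run against real proxy or DNS logs, the same bucketing works per hour of the day; tuning the threshold against a baseline of your own fleet matters more than the exact number used here.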

We’ve mentioned that this threat is very aggressive in protecting itself from removal, and we’d like to say a bit more about that. It tries to stop you from taking its administrator permissions away, and it even goes as far as receiving from the C&C server a list of apps that endanger the malware. Should you install one of the apps on that list, you are shown a message that tries to make you think you’ve just installed malware on your device. You’re then asked to delete it, and this doesn’t happen just once: you’re told about it again, and again, and again, until the application Loapi considers dangerous to itself is deleted. The message is shown in a loop, so rejecting it is basically useless; you can’t do anything else until you agree.

But getting rid of this malware is still possible. To do so, you need to boot into safe mode, because Loapi otherwise blocks your device settings. This is also done to stop you from taking its administrator permissions away, so yes, this threat is extremely aggressive, and we don’t exaggerate when we say so. Kaspersky has also shown the Android phone they used to analyze the virus. After two days of testing, it was completely trashed. Quoting the company, “because of the constant load caused by the mining module and generated traffic, the battery bulged and deformed the phone cover.”

To avoid having your device compromised, we advise you to switch off “Unknown sources” under Security -> Settings and to install an antivirus. Keep it updated and running at all times, as you never know when a new threat might try to attack. It’s better to be prepared than to deal with problems that could have been avoided. Also limit your visits to dubious sources and avoid clicking on the ads found there, even if they appear legitimate. Advertisements supposedly for AVG, Psafe DFNDR, Kaspersky Lab, Norton, Avira, Dr. Web and CM Security might actually be used by Loapi to trick you into putting it on your device.

That’s why you should avoid unnecessary risks while surfing the Internet, and being protected from malware doesn’t require much from your side. To sum up: limit your visits to fishy sites, don’t install new applications from them, refrain from clicking on advertisements, and keep your security software always on and updated. Following these guidelines significantly reduces the chance of your device being compromised, and the con artists behind Loapi won’t be able to use it for their personal enrichment.
