The Loapi Android malware mines for cryptocurrency on your phone

Microsoft’s Windows receives a lot of heat due to its susceptibility to malware. This is partly because it is profitable to hijack a Windows device and inject it with advertising and spyware. The popularity of Android likewise makes it a prime target for people who write malware.

The Loapi family marks an inflection point in Android malware with its modular nature and multi-pronged attack vectors. We have previously seen how malware sometimes goes undetected on the Play Store, despite the fact that Google has invested heavily in Android security.

Targeting devices

One of the two ways this malware latches onto your device is through third-party app stores that lack the necessary security checks or that promote cracked apps. Apart from that, scummy advertising, SMS spam campaigns and other techniques are also used to infect users. I’ve seen countless advertising campaigns for mature content on mainstream websites. This also puts into perspective Google Chrome’s plan to block all non-compliant advertising starting in 2018.

Some fake infected apps

Post-installation

Here’s what the team at Kaspersky Labs found:

“After the installation process is finished, the application tries to obtain device administrator permissions, asking for them in a loop until the user agrees. Trojan.AndroidOS.Loapi also checks if the device is rooted, but never subsequently uses root privileges – no doubt they will be used in some new module in the future.”

Apart from what has already been said, I can safely predict that once this malware matures, it will use the root privilege to install itself as a system application. This means that it might even survive factory resets in the future. Root privileges also mean that it can rewrite core system functions to mine or fill up your device with advertising. The only way to get around this would be to re-flash an entire system image, which is not an easy task for your average Android user.

The bane of my existence is the shady anti-virus applications that exist on the Play Store. Ironically, this malware masquerades as an anti-virus application. The false sense of security that you get when a virus acts as an anti-virus is just amazing.

Self-protection

The Trojan is capable of receiving from its communication server a list of apps that pose a danger to it. This list is used to monitor the installation and launch of those dangerous apps. If one of the apps is installed or launched, then the Trojan shows a fake message claiming it has detected some malware and, of course, prompts the user to delete it:

Self-protection at its finest

If a user tries to turn off the device administrator privileges, it locks the screen and closes the Settings app, so that to the user it looks as if the Settings app “crashes” every time they attempt that particular action.

It also obfuscates its code using base64 encoding, so we only get to see its components in action, as the diagram below shows:

A diagram explaining how this malware works
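Base64 string obfuscation of the kind described above is one of the first things an analyst checks for when triaging a sample. The following is an added example, not code from the original post or from Kaspersky’s analysis: a small Python triage helper that takes strings pulled from an APK (for instance with `strings` on `classes.dex`), picks out the ones that are valid base64, and keeps only those that decode to readable text, so that encoded URLs, permission names and similar markers stand out. The sample strings are constructed for the demonstration and use the reserved `example.invalid` domain.

```python
import base64
import re
import string

# Constructed sample strings, of the kind seen in a decompiled APK. Two are
# base64-encoded plain text, one is a "base64-looking" run of bytes that
# decodes to garbage, and the rest are ordinary class/method names.
SAMPLE_STRINGS = [
    "Lcom/example/app/MainActivity;",
    "aHR0cDovL2V4YW1wbGUuaW52YWxpZC9saXN0",  # encodes a URL
    "YW5kcm9pZC5wZXJtaXNzaW9uLlNFTkRfU01T",  # encodes a permission name
    "AAAAAAAAAAAAAAAAAAAAAAAA",              # decodes to NUL bytes only
    "setComponentEnabledSetting",
]

# Standard base64 alphabet, at least 16 characters, optional '=' padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_if_obfuscated(s, min_len=16, min_printable=0.95):
    """Return the decoded text if `s` is base64 whose payload is readable
    ASCII, otherwise None. Short strings and odd lengths are skipped early
    because they produce too many false positives."""
    if len(s) < min_len or len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    text = raw.decode("ascii", errors="replace")
    if not text:
        return None
    # Reject payloads that are mostly non-printable (binary, NULs, U+FFFD).
    ratio = sum(c in PRINTABLE for c in text) / len(text)
    return text if ratio >= min_printable else None


def find_obfuscated_strings(strings):
    """Map each base64-obfuscated string to its decoded plain text."""
    found = {}
    for s in strings:
        decoded = decode_if_obfuscated(s)
        if decoded is not None:
            found[s] = decoded
    return found


if __name__ == "__main__":
    for encoded, plain in find_obfuscated_strings(SAMPLE_STRINGS).items():
        print(f"{encoded} -> {plain}")
```

Running it against real extracted strings will still turn up some false positives (long identifiers that happen to be valid base64), which is why the helper reports the decoded text for a human to judge rather than flagging on match alone.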

The Modules

The malware can:

  1. Spam your device with advertisements
  2. Subscribe you to premium-rate SMS services, causing your bill to spike
  3. Act as a web crawler that can also activate WAP billing
  4. Act as a proxy for the attackers
  5. Mine Monero with a built-in cryptocurrency miner

None of these is fun to deal with on its own, and the constant evolution of malware means we are only ever seeing the tip of the iceberg when it comes to malicious code.

Source: Securelist