Beware: New Loapi Android Trojan Can Physically Break Your Device
Malicious software programs classified as trojans often have the ability to carry out multiple tasks that wreak havoc on the victim's device. In most cases, however, the trojans are focused on one thing (e.g., stealing information, launching DDoS attacks, etc.). Not the newly-discovered Loapi Trojan, though.
Table of Contents
Although it has ties to older malware, Loapi is a new threat, and it could spell a lot of trouble
Loapi is a new Android trojan discovered and examined by Kaspersky researchers, and it comes with multiple modules that can affect the victim's device in different ways. By the looks of things, it's not afraid to use them all at once.
The Bad News
After closer examination, Kaspersky's experts found certain characteristics of the code and Command & Control (C&C) infrastructure which led them to believe that Loapi's authors have previously operated another Android trojan dubbed Podec. Back in 2015, when the same researcher team examined Podec, they said that it's "remarkable." That should speak a lot about Loapi.
Loapi relies on a three-stage infection. During the first one, the trojan decodes, de-obfuscates and runs its payload. During the second stage, Loapi pings its main C&C server to report the successful installation and takes a few steps to ensure maximum damage.
It first sends a JSON file with some information about the infected device to the primary C&C server, and the C&C responds with a list of modules Loapi will download along with additional servers it will communicate with. Before the modules are downloaded, however, Loapi establishes persistence, and it also sets up several protection mechanisms that ensure it can't be easily removed.
Loapi first asks for device administrator permissions. It needs them in order to carry out the rest of the malicious activities, and the prompts come up in a loop, which means that even if you refuse to turn the trojan into a device administrator, it won't stop asking you until you give in. This is all pretty standard for Android malware on the whole. The rest of the protection mechanisms, however, aren't.
Catching a break from Loapi
Trying to revoke the permissions is pretty difficult. If you attempt to do that, Loapi will lock the screen and close the Settings window. The trojan also receives a list of legitimate AV apps from the C&C server, and if it finds them installed on the device, it will try to fool the victim into deleting them by claiming that they're full of malware (which, of course, isn't true).
With persistence achieved, Loapi is cleared to download its individual modules and start the real criminal operation. A total of five separate modules are downloaded and run.