A newly discovered piece of Android malware carries out a litany of malicious activities, including showing an almost unending series of ads, participating in distributed denial-of-service attacks, sending text messages to any number, and silently subscribing to paid services.
Its biggest offense: a surreptitious cryptocurrency miner that's so aggressive it can physically damage an infected phone.
Trojan.AndroidOS.Loapi is hidden inside apps distributed through third-party markets, browser ads, and SMS-based spam. Researchers from antivirus provider Kaspersky Lab have dubbed it a "jack of all trades" to emphasize the breadth of nefarious things it can do. Most notably, Loapi apps contain a module that mines Monero, a newer type of digital currency that's less resource intensive than Bitcoin and most other cryptocurrencies. The module allows the malware creators to generate new coins by leeching the electricity and hardware of infected phone owners.
But the lower demands of Monero mining by no means stop Loapi from straining infected phones. Kaspersky Lab researchers tested Loapi in a lab setting. After two days, the mining caused the battery in the phone to bulge so badly it deformed the cover. The researchers provided the pictures above as evidence.
Drive-by currency mining on the rise
Over the past few months, a surge of sites and apps have been caught draining people's CPUs and electricity as they run resource-intensive cryptocurrency mining code. In a handful of cases, the apps or sites disclose what's happening, throttle down the mining, and ask users to participate as a form of payment. In the vast majority of cases, however, the mining is only discovered when users open monitors that track all processes or apps running on a device.
On Tuesday, officials at AV provider Sophos formally labeled all cryptocurrency mining without user consent as parasitic.
Loapi is a nuisance in other ways that go beyond covert coin mining. It sends an unending barrage of prompts for users to assign it administrator permissions. Once granted permission, Loapi makes it hard for victims to install security apps that can help disinfect the phone. It can subscribe a phone to costly premium services and even covertly send codes in SMS messages to confirm the request. It allows attackers to use infected phones as foot soldiers in DDoS attacks. And it displays a constant stream of ads. There are no indications Loapi apps have ever been available through Google Play.
"We've never seen such a 'jack of all trades' before," Kaspersky Lab researchers wrote. Later in the post, they added: "The only thing missing is user espionage, but the modular architecture of this Trojan means it's possible to add this sort of functionality at any time."