Kaspersky researchers have turned up a strain of malware lurking in adult content and fake virus scanners, and it can run a victim’s Android mobe so hard that it might suffer physical damage.
The Android trojan, dubbed “Loapi”, has a modular architecture that lets it be adapted to run cryptocurrency mining, take part in DDoS networks, or bombard suffering users with constant advertisements.
The sample analysed by Kaspersky’s Nikita Buchka, Anton Kivva, and Dmitry Galov, when run for a few days to mine the Monero cryptocurrency, worked their test device so hard that “the battery bulged and deformed the phone cover.”
Loapi communicates with the following module-specific command and control servers:
- ronesio.xyz (advertisement module);
- api-profit.com:5210 (SMS module and mining module);
- mnfioew.info (web crawler); and
- mp-app.info (proxy module)
Working with the ad module, the Web crawler “tried to open about 28,000 unique URLs on one device during our 24-hour experiment.”
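As an added example (not code from Kaspersky or from this article), the module-to-server list above can be turned into a DNS-log triage that reports which Loapi modules each client appears to be running. The log format, client addresses and sample lines are constructed, and matching subdomains of the listed hosts is an assumption that goes beyond what the list states.

```python
from collections import defaultdict

# C2 hosts and the module each one serves, as listed in the article.
LOAPI_C2 = {
    "ronesio.xyz": "advertisement",
    "api-profit.com": "SMS/mining",
    "mnfioew.info": "web crawler",
    "mp-app.info": "proxy",
}

def match_c2(name):
    """Return the Loapi module for a queried name, or None if it is not listed."""
    # Normalise: case, trailing root dot, and an optional ":port" suffix.
    host = name.strip().lower().split(":", 1)[0].rstrip(".")
    for domain, module in LOAPI_C2.items():
        # Exact host or a subdomain of it (assumption); a look-alike such
        # as "notronesio.xyz" must not match.
        if host == domain or host.endswith("." + domain):
            return module
    return None

def triage(log_lines):
    """Map each client address to the sorted list of modules it contacted."""
    hits = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed or truncated records
        _timestamp, client, qname = fields
        module = match_c2(qname)
        if module:
            hits[client].add(module)
    return {client: sorted(mods) for client, mods in hits.items()}

# Constructed sample in an assumed "timestamp client query-name" format.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.15 ronesio.xyz.",
    "2024-01-01T10:00:02Z 10.0.0.15 API-Profit.com",
    "2024-01-01T10:00:03Z 10.0.0.22 notronesio.xyz",
    "2024-01-01T10:00:04Z 10.0.0.22 cdn.mp-app.info",
    "2024-01-01T10:00:05Z 10.0.0.31 example.org",
    "truncated line",
]

if __name__ == "__main__":
    for client, modules in sorted(triage(SAMPLE_LOG).items()):
        print(client, "->", ", ".join(modules))
```

A client that shows several modules at once is consistent with the modular design described above, and is worth prioritising over a single stray lookup.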
Adups gets a redux
The folk over at Malwarebytes have had their own find-of-the-week: the China-based company which a year ago shipped data-harvesting firmware, Shanghai Adups Technology, is shipping an auto-installer dubbed “Android/PUP.Riskware.Autoins.Fota.”
When the noise about Adups died down, Nathan Collier wrote, there was a component Malwarebytes overlooked: “It comes with the package names com.fw.upgrade.sysoper, appears in the app list as UpgradeSys, and has the filename
Like Adups’ previous work, the installer gets admin privileges because it’s pre-installed on the device; and while on its own it isn’t malicious, it could be used to pull other dangerous software.
Malwarebytes provides instructions on disabling the installer, using the Debloater tool. ®