The Loapi Mining Trojan

Finjan TeamBlog, Cybersecurity

Finjan The Loapi Mining Trojan

Though its reputation has taken a battering in recent months over allegations of involvement in long-term spying or extreme surveillance operations conducted against agencies of the U.S. government, the Russia-based security firm Kaspersky Lab has recently made the news for more positive reasons.

Researchers at Kaspersky have discovered a Trojan named Loapi – a resourceful and potentially deadly piece of Android malware that ships via several media and has several adverse effects, including the mining of cryptocurrencies.

What is Loapi?

Discovered by a team of Kaspersky Lab researchers including Nikita Buchka, Anton Kivva, and Dmitry Galov, the malware dubbed as Loapi is an Android Trojan with a complex modular architecture that potentially allows it to perform almost limitless activities on a compromised device. It’s believed that Loapi may have links to the previously known Trojan.AndroidOS.Podec, as the two strains collect similar sorts of data for their Command and Control centers once initiated, and share similar methods of concealment.

Unlike single-function malware strains such as banking Trojans or adware generators, Loapi’s modular architecture enables it to function in multiple modes, with the potential for its authors to extend its range of activities through additional code.

How Loapi Works

At present, the Loapi mining Trojan is being distributed via ad campaigns pushing bogus anti-virus solutions or “adult” apps (okay, porn) on the Android platform. Trojan.AndroidOS.Loapi is concealed within apps distributed through third-party app stores, browser ads, and SMS-based spam. The Trojan may make its way onto a victim’s device through an infected app, or when the target clicks on a malicious banner advertisement.

Once installed, Loapi seeks to gain administrative rights over the victim’s device by bombarding the user with notifications requesting these privileges until they’re worn down by frustration or simply make a mistake and click to give consent.

Having gained administrative privileges, Loapi can then go on to exploit the infected Android device in a number of different ways. It can also initiate communications with its Command and Control servers, to authorize the installation of additional modules.

To defend itself and cover its tracks, the Loapi mining Trojan can block a device’s screen and close the application window, if the owner of an infected device attempts to revoke its administrative rights. Loapi’s Command and Control centers can also supply instances of the Trojan with the names and specifications of apps on an infected device (such as anti-malware software) which are capable of countering its effects or forcibly removing the malware.

Once an installed or running application on the victim’s device matches this profile, Loapi will bombard the user with bogus notifications from that app, informing them that malicious software has been discovered, and they should click to remove the application. This of course is all part of the malware programming, and can trick the user into giving Loapi the go-ahead to cause further mischief.

The Effects of Loapi

The Loapi architecture currently includes the following modules:

  • An adware module, which is used initially to bombard the owner of an infected device with requests for administrative privileges, then subsequently as a vehicle for displaying continuous streams of advertising.
  • An SMS module, which can send surreptitious text messages subscribing the victim to premium rate services that they remain unaware of (until they have to pay for them), and other under the radar communications.
  • A Web crawler module, which works in conjunction with the SMS module to subscribe victims of the malware to paid services without their knowledge.
  • A proxy module, which enables the attackers behind the malware to execute HTTP requests on behalf of an infected device. This may be a staging post in the building of a “zombie army” of infected devices, used in launching Distributed Denial of Service (DDoS) attacks.
  • A Monero miner module, which is used in mining the cryptocurrency Monero (XMR). It’s a flaw in the design of this module that makes the Loapi Trojan potentially fatal to infected Android devices.

What is Cryptocurrency Mining?

Cryptocurrencies such as Bitcoin are digital entities that exist in an encrypted state online. They are generated through complex mathematical processes performed by computers round the globe in a process known as cryptocurrency mining. In theory, anyone with a functioning computer can mine cryptocurrency, and miners around the world compete against each other to solve mathematical problems for the opportunity to earn digital coins or tokens.

The mathematics involved is intense, and typically requires a considerable investment in hardware and maintenance plus a lot of processing power, to make the process economically viable. But given the nature of the cryptocurrency market (especially developments like the recent skyrocketing in value of Bitcoin), there’s the potential for big money to be made – which probably explains why the authors of the Loapi Trojan included a cryptocurrency mining module in their payload.

The cryptocurrency they’ve chosen is Monero, which is a fairly lightweight variant that doesn’t typically make excessive demands on a miner’s computer system. Nevertheless, the Monero mining process can put considerable strain on a lightweight system such as a mobile phone.

A sample of the Loapi Trojan analyzed on an infected device by the Kasperky Labs team over the course of a few days placed so much of a processor load on the phone that (in their words), “the battery bulged and deformed the phone cover.” This has graduated Loapi from extreme nuisance to device killer.

How to Protect Yourself

Only apps from approved stores should be downloaded and installed on your mobile devices. To guard against the possibility of malicious third-party software, you can use the Settings menu of your device to disable the ability to install applications from third-party sources (i.e., not from official app stores).

To keep it patched against the latest known vulnerabilities, you should also ensure that the operating system on your device is regularly updated.

Finally, as a safeguard against malicious software and cyber-attacks, you should install a security solution (anti-malware, anti-spam, anti-phishing, etc.) which comes from a reputable manufacturer.

Share this Post

Finjan The Loapi Mining Trojan
Article Name
The Loapi Trojan - What is it and How it Effects Cryptocurrencies?
Researchers at Kaspersky have discovered a Trojan named Loapi - a resourceful and potentially deadly piece of Android malware that ships via several media and has several adverse effects, including the mining of cryptocurrencies.
Publisher Name
Publisher Logo