A nasty new Android Trojan has begun appearing in off-road app markets, according to Kaspersky researchers, who say the malware has so many different capabilities that it's a "jack-of-all-trades."
The malware, dubbed "Loapi," can display ads, redirect web traffic, launch DDoS attacks, send text messages, download and install other apps and "mine" the Monero cryptocurrency. It mines so intensely, the Kaspersky researchers said in a post about the threat, that the battery of one of their test phones overheated and expanded, partly popping off the battery cover.
The criminals behind Loapi are spreading it through online ads that purport to be for Android antivirus apps and porn apps. If you click on one of the ads, it'll take you to a website where you can download the bogus app.
To avoid infection, make sure "Unknown sources" is toggled off (it's the default) in Security-->Settings, and install a real Android antivirus app from the Google Play store.
From what we could glean from the icons displayed in a screenshot in the Kaspersky blog posting, the ads for Loapi impersonate legitimate Android antivirus apps from AVG, Psafe DFNDR, Kaspersky Lab, Norton, Avira, Dr. Web and CM Security, among others. There were also a dozen icons, some blurred out, from porn sites, but Tom's Guide doesn't review those.
If you install one of the bogus AV or porn apps, the app will immediately ask for device administrator permissions, which would give it the same power over the device that you have. (Some antivirus apps really do require these permissions.)
Needless to say, if you grant the bogus app device administrator privileges, you're hosed. The app will now be able to do pretty much anything. If you try to revoke those privileges, the bogus app will lock up the screen and even download real malicious apps just to "prove" that you really need the antivirus software.
"Loapi is an interesting representative from the world of malicious Android apps," the Kaspersky researchers said. "Its creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device.
"The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time."
The Kaspersky team didn't specify on what kind of test phone they'd installed Loapi, but they said that the heat generated by the mining and ad-injection processes inflated the battery and partly dislodged the phone's back cover after two days. We can imagine that leaving an old, slow phone infected for longer might lead to combustible results.
Best Android Antivirus Software
Best Paid Option
You'll have to pay $15 per year for Bitdefender Mobile Security, but its excellent malware protection and intuitive user interface make it well worth paying for.
Best Freemium Option
Norton Mobile Security may seem pricey, but its excellent protection, multidevice license and unique privacy features make it a worthwhile investment.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.