New Android Malware Could Melt Your Phone
A new Android Trojan does half-a-dozen malicious things, including mine cryptocurrency so intensely that devices may be physically damaged.
A nasty new Android Trojan has begun appearing in off-road app markets, according to Kaspersky researchers, who say the malware has so many different capabilities that it's a "jack-of-all-trades."
The malware, dubbed "Loapi," can display ads, redirect web traffic, launch DDoS attacks, send text messages, download and install other apps and "mine" the Monero cryptocurrency. It does the last function so intensely, the Kaspersky researchers said in a post about the threat, that the battery of one of their test phones overheated and expanded, partly popping off the battery cover.
The criminals behind Loapi are spreading it through online ads that purport to be for Android antivirus apps and porn apps. If you click on one of the ads, it'll take you to a website where you can download the bogus app.
To avoid infection, make sure "Unknown sources" is toggled off (it's the default) in Security-->Settings, and install a real Android antivirus app from the Google Play store.
MORE: Best Android Antivirus Apps
From what we could glean from the icons displayed in a screenshot in the Kaspersky blog posting, the ads for Loapi impersonate legitimate Android antivirus apps from AVG, Psafe DFNDR, Kaspersky Lab, Norton, Avira, Dr. Web and CM Security, among others. There were also a dozen icons, some blurred out, from porn sites, but Tom's Guide doesn't review those.
If you install one of the bogus AV or porn apps, the app will immediately ask for device administrator permissions, which would give it the same power over the device that you have. (Some antivirus apps really do require these permissions.)
Sign up to get the BEST of Tom's Guide direct to your inbox.
Here at Tom’s Guide our expert editors are committed to bringing you the best news, reviews and guides to help you stay informed and ahead of the curve!
Needless to say, if you grant the bogus app device manager privileges, you're hosed. The app will now be able to do pretty much anything. If you try to revoke device-manager privileges, the bogus app will lock up the screen and even download real malicious apps just to "prove" that you really need the antivirus software.
"Loapi is an interesting representative from the world of malicious Android apps," the Kaspersky researchers said. "Its creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device.
"The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time."
The Kaspersky team didn't specify on what kind of test phone they'd installed Loapi, but they said that the heat generated by the mining and ad-injection processes inflated the battery and partly dislodged the phone's back cover after two days. We can imagine that leaving an old, slow phone infected for longer might lead to combustible results.
Best Android Antivirus Software
Best Paid Option
You'll have to pay $15 per year for Bitdefender Mobile Security, but its excellent malware protection and intuitive user interface make it well worth paying for.
Best Freemium Option
Norton Mobile Security may seem pricey, but its excellent protection, multidevice license and unique privacy features make it a worthwhile investment.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.