From digging cryptocurrencies to DDoS attacks - the new Loapi mobile Trojan

Researchers from Kaspersky Lab have identified a new, unusual malicious program for Android - Loapi. The Trojan has an advanced modular structure, which allows cybercriminals to almost infinitely add new functions - from digging cryptocurrencies to carrying out DDoS attacks. In some cases, most likely as a result of cybercriminals' error, the malware generates such a heavy load on the infected smartphone that it may be physically damaged due to battery deformation.

Loapi spreads through fake advertising campaigns in which the malware pretends to be an antivirus program or an adult application. Once installed, the Trojan asks for administrator-level privileges, and when they are granted, the malware silently initiates communication with the cybercriminal server to download further malicious modules.

At present, the Trojan's architecture includes, but is not limited to, the following modules:

  • Adware module - used for aggressive display of advertisements on the user's device.
  • SMS module - used by a malicious program to perform various operations with text messages. It hides messages from the user, responds to them if the need arises, and removes all traces of adding new subscriptions.
  • Premium paid subscription module - used to surreptitiously subscribe to paid services without user's knowledge.
  • Proxy server - allows attackers to send HTTP requests using the infected device's internet connection. This module can be used, for example, to carry out DDoS attacks.
  • Excavator of Monero cryptocurrencies - used to dig Monero cryptocurrency (XMR) on an infected device without user's knowledge.

In addition to the extensive set of functions, Loapi has features that allow him to actively protect himself from deletion. When a user attempts to roll back privileges at the administrator level, the malware blocks the device screen and closes the window. In addition, Loapi downloads from the cybercriminal servers a list of applications that may be dangerous to it, such as security solutions. After finding the application from this list in the system, the Trojan displays a fake message informing about the detection of a malicious program and offers the user the option to delete it. The message is looped, which means that even if the user refuses to remove the application, the message will continue to appear.

Researchers from Kaspersky Lab made one more interesting discovery: when running tests on a randomly selected Android smartphone, Loapi generated such a heavy load that a rapid increase in temperature caused deformation of the battery . It is unlikely that the Trojan's creators consciously used such a function, because they care primarily for making as much money as possible, and for this the malware must work in the infected device for as long as possible. However, errors in the optimization of malicious code led to the creation of this unexpected, physical "attack vector" that can lead to serious damage and even destruction of the infected device.

Researchers from Kaspersky Lab have determined that Loapi can be associated with another Trojan for Android - Podec. Right after the infection, both malicious programs collect similar information from cybercriminal servers, and they also use similar methods of concealing their presence in the system.

Technical details about the Loapi Trojan can be found at

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.