Researchers at Kaspersky Lab have identified a family of modular Android malware dubbed "Loapi," which is capable of mining the Monero cryptocurrency, inundating users with advertisements, automatically subscribing the user to paid services, and participating in DDoS attacks, among other functions. The cryptocurrency mining module maintains a load sufficiently high enough to cause physical damage to a test device after two days—the above photo shows a device which overheated to the point the battery bulged.
According to the researchers, the malware is distributed through advertising campaigns, and is generally disguised as either an antivirus or pornographic app. After installation, the malware asks the user to grant administrator permissions in a loop until the permissions are granted. It also checks for—but does not use—root permissions. However, given the modular nature of the malware, this could be used in the future.
Loapi can communicate with a number of command & control servers. These servers can load additional modules and receive lists of apps which may attempt to remove or limit the permissions granted to the malware. If these apps are installed, the malware flags the legitimate security app as malware and forces a loop prompting the user to remove the security app until the user acquiesces. The malware also locks the screen and closes the device manager, warning the user that the phone data will be wiped.
Given the encumbrances to removing the app on the phone, the best course of action is likely to uninstall via adb. There is no indication that the malware has been distributed via Google Play. That said, installing mysterious apps from unknown sources is not advisable.
- Kaspersky Lab Securelist