Loapi Android trojan hosts an array of threats.
Loapi Android trojan hosts an array of threats.

An Android trojan that has been described as a jack of all trades due to its complicated modular architecture which allows it to conduct a variety of malicious activities.

Trojan.AndroidOS.Loapi, or just Loapi, is being distributed via advertising campaigns disguised as antivirus solutions and adult content apps, according to a Dec. 18 Kaspersky Labs blog post. Loapi was found on more than 20 resources whose domains refer to popular antivirus solutions and even a famous porn site.

Researchers have seen 46,266 infections in 86 countries, including Mexico, the United States, Italy, France and Germany although the majority of infections were spotted in India, the Russian Federation and South Africa.

The trojan's "features" modules, which allow the malware to conduct a variety of malicious activities such as mine cryptocurrencies, annoy users with constant ads, launch DDoS attacks from the affected device, manipulate a user's text messages, subscribe users to various services and send HTTP requests from the victim's device.

Once installed, the application tries to obtain device administrator permissions by asking for them in a loop until the user agrees. The malware also checks if the device is rooted, but never subsequently uses root privileges. Researchers said there is no doubt the feature will be used in a new module in the future.

After admin privileges are acquired, the malicious app then either hides its icon in the menu or simulates various antivirus activity depending on the application the app is mimicking. Loapi also fights tooth and nail to ensure it maintains its admin privileges.

If a user attempts to revoke the permissions, the app will lock the phone's screen, close the device manager settings window, and execute code to prevent the application from being removed.

The trojan also detects apps that pose a threat to itself, such as legitimate security apps, and repeatedly prompts the user to delete the app until the user finally agrees and deletes the application.

Loapi is built on a layered architecture with the first stage consisting of a dropper to deliver malware apk, a second stage controller payload DEX, and third stage modules which include ad, proxy, crawler, sms, and miner modules.

“It has a well-thought out modular architecture,” Kaspersky Lab malware analyst Nikita Buchka told SC Media, adding, “The malware authors have the ability to turn their Trojan into something new in very little time by just adding or removing new modules.”

The app is the descendant of the Podec trojan from 2015 making the app an anomaly as such continuity through generations is rare for Android malware. Fortunately multi-modular trojans like this won't become common among Android malware. 

While the trojans provide an easier way for cybercriminals to gain information from users as they can target victims with different types of malware, it is no easy task to create and maintain such modular trojans, Buchka said.