Level 30
Feb 4, 2016
Operating System
Windows 8.1
A malware strain known as Loapi will damage phones if users don't remove it from their devices. Left to its own means, this modular threat will download a Monero cryptocurrency miner that will overheat and overwork the phone's components, which will make the battery bulge, deform the phone's cover, or even worse.

Discovered by Kaspersky Labs, researchers say Loapi appears to have evolved from Podec, a malware strain spotted in 2015.

Back then, crooks were using Podec to bypass Advice of Charge (AoC) and CAPTCHAs to subscribe victims to premium-rate SMS services.

The new Loapi malware is much more advanced compared to the simplistic Podec strain. Kaspersky experts call it a "jack of all trades," as Loapi has a highly advanced modular structure and components for all sorts of nasty operations. For example, the new Loapi malware includes modules for:

⇉ Mine Monero
⇉ Install a proxy to relay traffic
⇉ Inject ads in notification area
⇉ Show ads in other apps
⇉ Open URLs in browsers, also used to show ads
⇉ Download and install other apps
⇉ Launch DDoS attacks
⇉ Interact with the phone's SMS function
⇉ Crawl web pages (most like used to subscribe users to premium SMS services), and more.

Loapi hidden in security and adult-themed apps
Loapi is currently advertised on third-party app stores, masquerading as a mobile antivirus or adult-related app.

The malware uses the classic trick of pestering users with an endless stream of popups until the user does what the malware wants. This is how Loapi obtains device administrator rights and how Loapi forces users to uninstall real antivirus apps from their phones.

Loapi-infected apps will also close the Settings window whenever it detects that a user is trying to deactivate its administrator account. Users will have to boot their device in Safe Mode in order to remove Loapi. The procedure to boot into Safe Mode is different per smartphone model.
Loapi didn't reach the Play Store, but other malware has

While Loapi has not made it onto the official Google Play Store, security researchers from Kaspersky and ESET did discover other malware strains that did.

For example, Kaspersky discovered 85 apps that were infected with a trojan that would steal login credentials. Based on Play Store download statistics, more than one million users appear to have installed these apps.


Level 26
Content Creator
Jul 27, 2015
Quote : " As part of our dynamic malware analysis we installed the malicious application on a test device. The images below show what happened to it after two days: "

Source : Jack of all trades

Wakes questions like...was/is this possible to reproduce or concluded after just one phone? Feels like the physical damage must been a unknown/unwanted sideeffect from the crypto miner as it destroys and kill the device it depends on.

Thanks for the share @LASER_oneXM
Last edited:
Oct 14, 2016
Operating System
Windows 10
Nowadays, it’s all too easy to end up with malicious apps on your smartphone, even if you’re using the official Google Play app store. The situation gets even worse when you go somewhere other than the official store – fake applications, limited security checks, and so on. However, the spread of malware targeting Android OS is not limited to unofficial stores – advertising, SMS-spam campaigns and other techniques are also used. Among this array of threats we found a rather interesting sample – Trojan.AndroidOS.Loapi. This Trojan boasts a complicated modular architecture that means it can conduct a variety of malicious activities: mine cryptocurrencies, annoy users with constant ads, launch DDoS attacks from the affected device and much more. We’ve never seen such a ‘jack of all trades’ before.

Distribution and infection
Samples of the Loapi family are distributed via advertising campaigns. Malicious files are downloaded after the user is redirected to the attackers’ malicious web resource. We found more than 20 such resources, whose domains refer to popular antivirus solutions and even a famous porn site. As we can see from the image below, Loapi mainly hides behind the mask of antivirus solutions or adult content apps:

After the installation process is finished, the application tries to obtain device administrator permissions, asking for them in a loop until the user agrees. Trojan.AndroidOS.Loapi also checks if the device is rooted, but never subsequently uses root privileges – no doubt they will be used in some new module in the future.

After acquiring admin privileges, the malicious app either hides its icon in the menu or simulates various antivirus activity, depending on the type of application it masquerades as:

Loapi aggressively fights any attempts to revoke device manager permissions. If the user tries to take away these permissions, the malicious app locks the screen and closes the window with device manager settings, executing the following code:
Kaspersky LAB researchers have identified new, intriguing malware with multiple modules that have an almost endless number of malicious functions, from cryptomining to DDoS attacks ....
Last edited by a moderator: