Articles

​This crypto-mining Android malware is so demanding it burst a smartphone

Most Android malware is at best annoying, but rarely does it cause physical damage to a phone.

Not so with Loapi, a newly-discovered trojan with a cryptocurrency miner that worked a phone so hard its battery swelled up and burst open the device’s back cover.

Kaspersky Lab researchers found the malware lurking in about 20 bogus apps. The researchers decided to infect an Android phone with the malware, which wrecked the phone within 48 hours.

Cryptocurrency miners are known to cause wear and tear on hardware by using a CPU to solve a cryptographic challenge. This generates a hash that earns the miner a cryptocurrency reward, which in this case goes to Loapi’s makers, rather than the device’s rightful owner.

Loapi uses Android phones to mine the bitcoin-alternative Monero. It’s not the first Android malware to attempt this, but it’s unusual for a miner to cause this much damage in such a short time.

Besides mining, Loapi has several other capabilities that earn its makers money at the expense of a victim’s phone and bandwidth.

Kaspersky researchers say they’ve never seen such a “jack of all trades” piece of Android malware before. Loapi also bombards victims with endless ads, can use the device to launch a distributed denial-of-service attack, can send SMS messages to any number, and subscribe to paid-for services on behalf of the victim.

“Because of the constant load caused by the mining module and generated traffic, the battery bulged and deformed the phone cover,” Kaspersky said.

The malware has a self-defense feature that enables it to reach a command-and-control server for a list of apps that that could detect it, such as legitimate antivirus apps. If a targeted security app is launched, the malware displays a “malware detected” alert and asks if the user wants to uninstall it. In fact, the victim has little choice but to agree to uninstall the app as the message is shown in a loop that won’t disappear until give in.

Loapi has several modules that work together to earn its creators money. The web crawling module works with the advertising module to open URLs and display ads. Kaspersky’s test found it opened a massive 28,000 URLs in 24 hours. This was the other major source of damage to the battery.

The web crawling module also contains hidden JavaScript that can subscriber victims to paid services on sites with WAP billing. If a site uses SMS to confirm a subscription, the SMS module can send a reply confirming it.

Android apps with hidden coin miners have been showing up with greater frequency, including in apps distributed on Google Play.