‘Loapi’ mobile malware is five attacks rolled into one: Kaspersky

New Android malware discovered by Kaspersky Lab is capable of an unusually broad array of five different attacks and, due to a design flaw in the coding, may inadvertently physically destroy a phone a few days after being installed. 

“We’ve never seen such a ‘jack of all trades’ before,” wrote the company in Monday’s official write-up of the threat, which it calls “Loapi.”

The malware is installed via malicious apps available for download outside the official Google app store. Victims are directed to the apps — more than 20 of them — through advertisements.

Loapi is capable of running an advertising click fraud scheme, which makes it appear as if a victim is visiting advertisers’ websites. Advertisers pay a small rate every time an ad is clicked. Loapi also contains a cryptocurrency mining module and the ability to run web requests at the attacker’s command, including signing a phone up for various subscription services. 

The malware is capable of using a phone to attack a second user in two ways. First, Loapi is capable of sending SMS messages. Second, vast groups of phones infected with Loapi can be directed to simultaneously flood a server with traffic so extreme the server collapses. 

Loapi is not designed to be subtle. According to Kaspersky, the advertising and subscription sign-up features made 28,000 different requests over a 24-hour period. Meanwhile, cryptocurrency mining is a processor-intensive feature. Loapi drained system resources so quickly that the battery of the test phone Kaspersky used overheated, causing it to expand and burst out of the phone case.