Android malware continues to find its way onto unsuspecting users’ devices; case in point: two families identified by mobile security researchers on Monday.
One strain, Loapi, can carry out a cornucopia of activities, like cryptocurrency mining, the launching of DDoS attacks, and the ability to barrage users with aggressive ads.
On Monday, a trio of researchers with Kaspersky Lab, Nikita Buchka, Anton Kivva, and Dmitry Galov, outlined Loapi, a Trojan that has been distributed via advertising campaigns.
Once installed, the app asks for administrator permissions. It doesn't take 'no' for an answer; the malware repeatedly prompts the user in a loop until the user agrees. Once the user obliges, Loapi gets to work. The malware contains a module that displays video ads and banners, a module that can mine the Monero cryptocurrency, and a module that allows attackers to send HTTP requests from the victim's device. Researchers suggest the latter can be used to organize DDoS attacks against specified resources.
Researchers hint the strain may have evolved from Podec, a family first spotted in 2015.
Podec, when first spotted, was an SMS Trojan known for its ability to bypass CAPTCHA. The malware came disguised as popular mobile games, like Minecraft, and once downloaded requested administrator privileges. Podec could subscribe phone numbers to paid content and delete call records. Like Loapi, Podec could also recruit a victim's device into a botnet and launch DDoS attacks.
Loapi hasn’t lost Podec’s ability to send SMS messages on behalf of attackers; Kaspersky researchers say a module in the latest iteration of the malware can send SMS messages to any number or subscribe users to paid services. The fact that the malware is capable of so many activities prompted the researchers to call it a “jack of all trades” on Monday.
Researchers with Trend Micro also outlined a new Android mobile malware family on Monday, dubbed GnatSpy. Ecular Xu, a threat response engineer with the firm, posits the strain is a variant of VAMP, a data-stealing malware family identified by Palo Alto researchers this past April. Xu couldn't confirm how GnatSpy was being distributed; he suggests that attackers may be sending files containing the malware directly to users and, because the files carry seemingly legitimate names such as “Android Setting” or “Facebook Update”, tricking them into installing them.
The malware primarily siphons up information about infected devices: battery type, memory and storage usage, SIM card status, and so on.
Perhaps the one silver lining here is that neither of these families, currently at least, is being spread through legitimate channels like Google's Play marketplace. The Loapi samples Kaspersky Lab researchers obtained were distributed via advertising campaigns; Trend Micro declined to say how it came across its GnatSpy samples. That shouldn’t lull Android users into dropping their caution when installing apps from Google Play. As we saw earlier this year, malware like BankBot, a mobile banking Trojan, can still evade the protections Google Play has put in place and infect users.