Android Miner Malware Destroys Smartphones

Hi guys....
welcome to penetration testing channel.....
Jack of all trades: Android miner malware destroys smartphones....
Nowadays, it's all too easy to end up with malicious apps on your smartphone, even if you're using the official Google Play app store.
The situation gets even worse when you go somewhere other than the official store: fake applications, limited security checks, and so on.
However, the spread of malware targeting Android OS is not limited to unofficial stores; advertising, SMS-spam campaigns and other techniques are also used.
Among this array of threats we found a rather interesting sample: Trojan.AndroidOS.Loapi.
This Trojan boasts a complicated modular architecture that means it can conduct a variety of malicious activities: mine cryptocurrencies, annoy users with constant ads, launch DDoS attacks from the affected device and much more.
We've never seen such a "jack of all trades" before.
Distribution and infection:
Samples of the Loapi family are distributed via advertising campaigns.
Malicious files are downloaded after the user is redirected to the attackers' malicious web resource.
We found more than 20 such resources, whose domains refer to popular antivirus solutions and even a famous porn site.
As we can see from the image below, Loapi mainly hides behind the mask of antivirus solutions or adult content apps.
After the installation process is finished, the application tries to obtain device administrator permissions, asking for them in a loop until the user agrees.
Trojan.AndroidOS.Loapi also checks if the device is rooted, but never subsequently uses root privileges; no doubt they will be used in some new module in the future.
Self-protection:
Loapi aggressively fights any attempts to revoke device administrator permissions.
If the user tries to take away these permissions, the malicious app locks the screen and closes the device administrator settings window, executing the following code.
As well as this fairly standard technique to prevent removal, we also found an interesting feature in the self-protection mechanism.
The Trojan is capable of receiving from its C&C server a list of apps that pose a danger.
This list is used to monitor the installation and launch of those dangerous apps.
If one of the apps is installed or launched, then the Trojan shows a fake message claiming it has detected some malware and, of course, prompts the user to delete it.
Let's take a look at the Trojan's architecture in more detail:
At the initial stage, the malicious app loads a file from the "assets" folder, decodes it using Base64 and then decrypts it with XOR, using the app signature hash as the key.
The DEX file containing the payload, obtained after these operations, is then loaded with a ClassLoader.
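The unpacking step described above, as an added example that is not code from the Loapi sample or from the original article: a Python script that reproduces the decode order (Base64 first, then repeating-key XOR) on a constructed stand-in for the packed asset and checks the result for the DEX magic before anything tries to load it. The page does not say which hash of the signature is used or how it becomes key bytes, so the hex SHA-1 of the signing certificate as ASCII is an assumption here, as are the placeholder certificate, the fake DEX body and every function name. The example also goes one step beyond the text: because a DEX header has fixed fields (magic, header_size, endian_tag), an analyst who does not have the signing certificate can still recover the key bytes at those positions by known-plaintext XOR and use the overlap to test a guessed key length for consistency.

```python
import base64
import hashlib
import itertools
from typing import Dict, Optional

# Constructed placeholder for the APK's signing certificate (DER bytes).
# ASSUMPTION: the Trojan keys its XOR with the hex SHA-1 of the certificate as
# ASCII bytes; the page only says "the app signature hash".
FAKE_SIGNING_CERT = b"constructed-placeholder-certificate-bytes"

DEX_MAGIC = b"dex\n035\0"          # 8-byte magic of a version-035 DEX file
DEX_HEADER_SIZE = 0x70
# Fixed DEX header fields usable as known plaintext: magic at 0,
# header_size at 0x24 and endian_tag at 0x28 (both stored little-endian).
KNOWN_HEADER = {
    0: DEX_MAGIC,
    0x24: DEX_HEADER_SIZE.to_bytes(4, "little"),
    0x28: (0x12345678).to_bytes(4, "little"),
}


def signature_key(cert_der: bytes) -> bytes:
    """Derive the XOR key from the signing certificate (assumed hex SHA-1, 40 ASCII bytes)."""
    return hashlib.sha1(cert_der).hexdigest().encode("ascii")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so one function both packs and unpacks."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def build_fake_dex(body: bytes) -> bytes:
    """Constructed stand-in for a payload DEX: fixed header fields set, checksum/signature zeroed."""
    header = bytearray(DEX_HEADER_SIZE)
    for off, val in KNOWN_HEADER.items():
        header[off:off + len(val)] = val
    header[0x20:0x24] = (DEX_HEADER_SIZE + len(body)).to_bytes(4, "little")  # file_size
    return bytes(header) + body


def pack_asset(dex: bytes, key: bytes) -> bytes:
    """What a packer would ship in assets/: XOR first, then Base64 (reverse of the unpack order)."""
    return base64.b64encode(xor_bytes(dex, key))


def unpack_asset(asset: bytes, key: bytes) -> bytes:
    """The order described for the Trojan: Base64-decode, then XOR with the signature-derived key."""
    return xor_bytes(base64.b64decode(asset), key)


def is_dex(blob: bytes) -> bool:
    """Cheap sanity check before handing a blob to a DEX parser: 'dex\\n' + 3 digits + NUL."""
    return len(blob) >= 8 and blob[:4] == b"dex\n" and blob[4:7].isdigit() and blob[7] == 0


def recover_dex(asset: bytes, cert_der: bytes) -> Optional[bytes]:
    """Analyst path when the signing certificate is available (e.g. pulled from META-INF)."""
    dex = unpack_asset(asset, signature_key(cert_der))
    return dex if is_dex(dex) else None


def recover_key_fragments(asset: bytes, key_len: int) -> Optional[Dict[int, int]]:
    """Known-plaintext path when the certificate is NOT at hand.

    XORs the fixed header bytes against the Base64-decoded ciphertext to get the
    key byte at each covered position (mod key_len). Returns None if two covered
    positions map to the same key index but disagree, i.e. key_len is wrong.
    """
    ct = base64.b64decode(asset)
    frags: Dict[int, int] = {}
    for off, plain in KNOWN_HEADER.items():
        for i, p in enumerate(plain):
            pos = off + i
            if pos >= len(ct):
                return None
            k = ct[pos] ^ p
            if frags.setdefault(pos % key_len, k) != k:
                return None
    return frags


if __name__ == "__main__":
    key = signature_key(FAKE_SIGNING_CERT)
    asset = pack_asset(build_fake_dex(b"constructed payload body"), key)
    print("DEX recovered with cert:", recover_dex(asset, FAKE_SIGNING_CERT) is not None)
    frags = recover_key_fragments(asset, key_len=len(key))
    print("key indices recovered without cert:", sorted(frags) if frags else frags)
```

With a 40-byte key the fixed header fields give back key bytes 0..7 and 36..39, and the endian_tag at offset 0x28 wraps around to indices 0..3, so a wrong key-length guess usually shows up as a contradiction rather than silently yielding garbage; the rest of the key still has to come from the certificate, from more known plaintext (string_ids layout, map_off) or from the decryption routine itself in the unpacked code.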
Conclusion:
Loapi is an interesting representative from the world of malicious Android apps.
Its creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device.
The only thing missing is user espionage, but the modular architecture of this Trojan means it's possible to add this sort of functionality at any time.
Facebook Page: https://www.facebook.com/kaliforensics
Pinterest: https://www.pinterest.com/penetration...
Instagram: https://www.instagram.com/penetration...
Google+: https://plus.google.com/b/10053333383...
Thanks For Watching....
Like Share & Subscribe.....

