
LOAPI MALWARE

AUTHOR: VLAD PUSCAS

TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 1


Content

• What is Loapi?
• Distribution
• Infection
• Self-protection
• Modules
• Layered architecture
• Manifest analysis
• Conclusion and protection methods
What is Loapi?

• Also known as “Jack of all trades”, the name Kaspersky Lab gave it in its analysis
• It is an Android Trojan
• It uses a modular architecture to conduct various malicious activities:
  • Mine cryptocurrency
  • Bombard users with ads
  • Launch DDoS attacks from infected devices
  • Manipulate SMS messages
  • Subscribe users to paid services
  • And perhaps more, since new modules can be loaded from the C&C server



Distribution

• Loapi is distributed via advertising campaigns.
• The malicious files are downloaded after the user is redirected to the attackers’ web resource.
• Loapi masquerades as an antivirus app or an adult-content app.



Infection

• After the user installs the malware, the application tries to obtain device administrator rights (Android’s Device Admin API).
• It asks for these rights in a loop until the user finally gives in and grants them.
• After obtaining admin rights, the app either hides its icon or simulates antivirus activity.



Self-protection

• Loapi fights aggressively against attempts to revoke its admin rights.
• If the user tries to take the rights away, Loapi locks the screen and closes the window with the device administrator settings.
• It executes the following code in this situation (listing shown as a screenshot on the original slide; not reproduced in this text):



Self-protection

• Besides preventing the user from revoking its rights, Loapi can receive from its C&C server a list of apps that pose a danger to it.
• The malware uses this list to monitor the installation and launch of such apps.
• If it detects an app from the list, it shows a fake message claiming that malware has been detected and prompts the user to delete the app… in a loop.



Advertisement module

• The purpose of this module is to aggressively display ads on the infected device.
• What the module can do:
  • Display video ads and banners
  • Open specified URLs
  • Create shortcuts on the device
  • Show notifications
  • Open pages in social networks (Facebook, Instagram, etc.)
  • Download and install other applications



Advertisement module

• Example of a task to show ads received from the C&C server (shown as a screenshot on the original slide; not reproduced in this text).
• While handling this task, the app sends a hidden request with a specific User-Agent and Referer header to the web page in the url field, which in turn redirects to a page with ads.



SMS module

• This module is used to manipulate text messages.
• It periodically sends requests to the C&C server to obtain the relevant settings and commands.
• Functionality:
  • Send inbox SMS messages to the attackers’ server
  • Reply to incoming SMS messages according to masks received from the C&C server
  • Send SMS messages to specified numbers (all information received from the C&C server)
  • Delete SMS messages from the inbox and the sent folder
  • Execute requests to a URL and run specified JavaScript code in the page received as a response (legacy functionality, since moved to a separate module)



Web crawling module

• This module executes hidden JavaScript code on web pages with WAP billing in order to subscribe the user to various paid services (working together with the ad module).
• WAP billing = a mechanism that lets consumers purchase content from WAP (Wireless Application Protocol) sites and have it charged directly to the mobile phone bill, so no card details or confirmation are needed.
• Together with the ad module, this module tried to open around 28,000 unique URLs during a 24-hour experiment by Kaspersky Lab.



Proxy module

• This module is an implementation of an HTTP proxy server that lets the attackers send HTTP requests from the infected device.
• This can be used for DDoS attacks.
• The module can also change the internet connection type on the device (from mobile data to Wi-Fi and vice versa).



Miner module

• The purpose of this module is to mine the Monero cryptocurrency.
• The mining process is initiated using the following code (listing shown as a screenshot on the original slide; not reproduced in this text):




Layered architecture

• The Trojan’s architecture consists of three stages:
  • In the first stage, the app loads a file from the “assets” folder, decodes it using Base64 and then decrypts it using XOR operations with the app signature hash as the key. The result is a DEX file containing the payload, which is loaded with a ClassLoader.
  • In the second stage, the app sends a JSON with information about the device to the C&C server (hxxps://api-profit.com).
  • In the third stage, the modules are downloaded and initialized.
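As an added example (not the dropper’s own code and not taken from the slides or from Kaspersky Lab), here is how an analyst can reproduce the first stage in Python: Base64-decode the asset, XOR it with the key, and confirm that the result really is a DEX file by checking the `dex\n0xx\0` magic before feeding it to a DEX parser or decompiler. The slide only says the key is “the app signature hash”; which digest and which bytes are used is not on the page, so `signature_hash_key` (SHA-256 of the signing certificate) and the fake certificate and payload below are assumptions. Deriving the key from the signature also means a re-signed (repackaged) copy of the APK cannot decrypt its own payload, which is worth remembering before re-signing a sample for dynamic analysis.

```python
import base64
import hashlib
import itertools

# Every DEX file starts with "dex\n", a three-digit version (035, 037, 038,
# 039 are the published ones) and a NUL byte.
DEX_MAGIC_PREFIX = b"dex\n"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def signature_hash_key(cert_der: bytes) -> bytes:
    """ASSUMPTION: the slide says the key is 'the app signature hash' but not
    which digest; SHA-256 of the signing certificate is used as a stand-in."""
    return hashlib.sha256(cert_der).digest()


def stage1_unpack(asset_b64: bytes, key: bytes) -> bytes:
    """Reverse the first stage: Base64-decode the asset, then XOR-decrypt it."""
    encrypted = base64.b64decode(asset_b64, validate=True)
    return xor_with_key(encrypted, key)


def looks_like_dex(blob: bytes) -> bool:
    """Cheap sanity check before handing the blob to a DEX parser:
    right magic, numeric version, NUL terminator."""
    return (
        len(blob) >= 8
        and blob.startswith(DEX_MAGIC_PREFIX)
        and blob[4:7].isdigit()
        and blob[7] == 0
    )


def pack_like_dropper(dex: bytes, key: bytes) -> bytes:
    """Forward direction (XOR, then Base64) so the demo can build a test asset;
    the dropper ships the result as a file under assets/."""
    return base64.b64encode(xor_with_key(dex, key))


# Constructed demo data: neither the certificate nor the payload is real.
FAKE_CERT_DER = b"constructed stand-in for the APK signing certificate"
FAKE_DEX = b"dex\n035\x00" + bytes(range(256)) * 2


def demo() -> bool:
    key = signature_hash_key(FAKE_CERT_DER)
    asset = pack_like_dropper(FAKE_DEX, key)
    recovered = stage1_unpack(asset, key)
    # Decrypting with the wrong certificate (a re-signed APK) yields garbage.
    wrong = stage1_unpack(asset, signature_hash_key(b"re-signed by the analyst"))
    return looks_like_dex(recovered) and recovered == FAKE_DEX and not looks_like_dex(wrong)


if __name__ == "__main__":
    print("stage-1 unpack round trip:", "ok" if demo() else "FAILED")
```

On a real sample, read the signing certificate digests with `apksigner verify --print-certs sample.apk` and, if the dropper derives its key differently from the assumption above, try the SHA-1, SHA-256 and MD5 digests in raw and hex form until `looks_like_dex` returns true.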



Layered architecture

• Example of a JSON with device information (shown as a screenshot on the original slide; not reproduced in this text).
• The C&C server responds with a command.



Layered architecture

• installs = list of module IDs that have to be downloaded and launched
• removes = list of module IDs that have to be deleted
• domains = list of domains to be used as C&C servers
• reservedDomains = list of reserved additional domains (backup C&C servers)
• hic = flag that tells the app to hide its icon from the user
• dangerousPackages = list of apps that must be prevented from launching and installing
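Added example, not Loapi’s code and not from the slides: a small model of how the loader would act on the fields above, useful for decoding a captured C&C response into concrete actions (which modules to fetch or drop, which domain to talk to next) and for pulling out blocklist material. The field names follow the slide; the module IDs, domains, package names and the tie-breaking rule for a module that appears in both installs and removes are constructed assumptions.

```python
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class BotState:
    """What the loader keeps between two C&C polls (our model, not Loapi's)."""
    loaded_modules: set = field(default_factory=set)
    c2_domains: list = field(default_factory=list)
    reserved_domains: list = field(default_factory=list)
    hide_icon: bool = False
    dangerous_packages: set = field(default_factory=set)


# The six fields listed on the slide; anything else in a captured response is
# worth a second look because the slide does not describe it.
KNOWN_FIELDS = {"installs", "removes", "domains", "reservedDomains", "hic", "dangerousPackages"}


def apply_command(state: BotState, command: dict) -> dict:
    """Turn one C&C response into concrete actions and update the bot state.

    ASSUMPTION: a module ID present in both installs and removes is removed;
    the slide does not say how the real loader breaks that tie."""
    installs = set(command.get("installs", []))
    removes = set(command.get("removes", []))
    to_download = sorted(installs - state.loaded_modules - removes)
    to_delete = sorted(removes & (state.loaded_modules | installs))
    state.loaded_modules = (state.loaded_modules | installs) - removes
    if "domains" in command:
        state.c2_domains = list(command["domains"])
    if "reservedDomains" in command:
        state.reserved_domains = list(command["reservedDomains"])
    if "hic" in command:
        state.hide_icon = bool(command["hic"])
    if "dangerousPackages" in command:
        state.dangerous_packages = set(command["dangerousPackages"])
    return {
        "download": to_download,
        "delete": to_delete,
        "hide_icon": state.hide_icon,
        "unknown_fields": sorted(set(command) - KNOWN_FIELDS),
    }


def next_c2(state: BotState, dead: set) -> Optional[str]:
    """Primary domains are tried first; the reserved list is the fallback."""
    for domain in state.c2_domains + state.reserved_domains:
        if domain not in dead:
            return domain
    return None


def extract_iocs(command: dict) -> dict:
    """The blocklist-worthy parts of a captured response: every C&C domain,
    every module ID, and the apps the operator wants kept off the device."""
    return {
        "domains": sorted(set(command.get("domains", [])) | set(command.get("reservedDomains", []))),
        "module_ids": sorted(set(command.get("installs", [])) | set(command.get("removes", []))),
        "targeted_packages": sorted(command.get("dangerousPackages", [])),
    }


# Constructed response: field names from the slide, every value made up.
SAMPLE_RESPONSE = json.loads("""{
  "installs": ["miner", "proxy", "sms"],
  "removes": ["legacy_web"],
  "domains": ["c2-primary.invalid"],
  "reservedDomains": ["c2-backup-1.invalid", "c2-backup-2.invalid"],
  "hic": 1,
  "dangerousPackages": ["com.example.security.scanner"]
}""")


def demo() -> dict:
    # A bot that already runs the miner and the legacy web module polls the C&C.
    state = BotState(loaded_modules={"legacy_web", "miner"})
    actions = apply_command(state, SAMPLE_RESPONSE)
    # The primary domain has been sinkholed, so the bot falls back.
    actions["next_c2"] = next_c2(state, dead={"c2-primary.invalid"})
    actions["iocs"] = extract_iocs(SAMPLE_RESPONSE)
    return actions


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `unknown_fields` list is the part to watch when replaying real captures: a field the slide does not list means the protocol has grown beyond what this model covers.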



Manifest analysis

(AndroidManifest.xml excerpts shown as screenshots on the original slides; not reproduced in this text.)
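Since the manifest screenshots are not reproduced here, the following is an added example (not code from the slides or from Kaspersky Lab) of the static triage an analyst would run on a decoded AndroidManifest.xml (for example after `apktool d sample.apk`) to spot the behaviours described on the earlier slides: receivers registered as device administrators (protected by BIND_DEVICE_ADMIN and listening for DEVICE_ADMIN_ENABLED), and the SMS, install and network permissions the SMS, ad and proxy modules would need. The permission-to-module mapping, the high-risk rule and the sample manifest are constructed assumptions, not facts about any Loapi sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """ElementTree spells namespaced attributes as {namespace}name."""
    return "{%s}%s" % (ANDROID_NS, name)


# ASSUMPTION: our mapping of manifest permissions to the module behaviours
# the slides describe; a triage heuristic, not something Loapi documents.
PERMISSION_HINTS = {
    "android.permission.READ_SMS": "SMS module: upload inbox to the C&C",
    "android.permission.RECEIVE_SMS": "SMS module: intercept and auto-reply",
    "android.permission.SEND_SMS": "SMS module / WAP billing: send to C&C-chosen numbers",
    "android.permission.REQUEST_INSTALL_PACKAGES": "ad module: download and install other apps",
    "android.permission.SYSTEM_ALERT_WINDOW": "ad module / self-protection: overlays and fake alerts",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "ad module: create shortcuts",
    "android.permission.CHANGE_WIFI_STATE": "proxy module: switch between data and Wi-Fi",
    "android.permission.CHANGE_NETWORK_STATE": "proxy module: switch between data and Wi-Fi",
}

DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"


def device_admin_receivers(root) -> list:
    """Receivers wired up as device administrators: the system only binds them
    if they are protected by BIND_DEVICE_ADMIN and accept DEVICE_ADMIN_ENABLED."""
    found = []
    for receiver in root.iter("receiver"):
        if receiver.get(android_attr("permission")) != DEVICE_ADMIN_PERMISSION:
            continue
        actions = {action.get(android_attr("name"))
                   for flt in receiver.iter("intent-filter")
                   for action in flt.iter("action")}
        if DEVICE_ADMIN_ACTION in actions:
            found.append(receiver.get(android_attr("name")))
    return found


def analyze_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = sorted(e.get(android_attr("name"), "") for e in root.iter("uses-permission"))
    hints = {p: PERMISSION_HINTS[p] for p in perms if p in PERMISSION_HINTS}
    admins = device_admin_receivers(root)
    sms = [p for p in hints if p.endswith("_SMS")]
    return {
        "package": root.get("package"),
        "device_admin_receivers": admins,
        "flagged_permissions": hints,
        # Device admin + SMS + silent install is the combination the slides
        # describe; treat it as the top of the review queue (our rule).
        "high_risk": bool(admins) and bool(sms)
        and "android.permission.REQUEST_INSTALL_PACKAGES" in hints,
    }


# Constructed sample manifest (not from a real sample) exercising each check.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeav">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Antivirus">
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin"
                       android:resource="@xml/device_admin"/>
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_manifest(SAMPLE_MANIFEST), indent=2))
```

A device-admin receiver on its own is not evidence of malware (MDM agents and some anti-theft apps need one); the point is the combination with the SMS and install permissions, which is why the script reports the pieces separately and only sets `high_risk` when they co-occur.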


Conclusion and protection methods

• Loapi uses almost the entire spectrum of techniques for attacking devices.
• The only thing missing is user espionage, but since it uses a modular architecture, a module with this functionality could be added in the future.
• Protection methods:
  • Install apps only from official stores (Google Play)
  • Disable installation of apps from unknown sources
  • Do not grant device administrator rights to an app that has no obvious need for them; Loapi’s persistence and self-protection depend on obtaining them



Kaspersky experiment results

After 48 hours of constant mining and web requests, the battery of the test smartphone had overheated and was ruined.



References

• https://securelist.com/jack-of-all-trades/83470/
• https://www.kaspersky.com/blog/loapi-trojan/20510/
• https://www.virustotal.com/en/file/f24f90b8c71fabed544895f14d2f10b0d3b37eec41521841fe623fa9a1c5ebad/analysis/



Thank you for your attention!
Questions?
