Drive-by cryptomining— a practice that uses the CPUs of website visitors to mine crytpocurrencies—has already been found in sites from the Pirate Bay, Showtime, and Politifact, and is gaining popularity. It was recently reported that some sites could utilize other people’s hardware in this way even after they closed their browsers. But a newly discovered piece of Android malware surreptitiously mines Monero so intensely that it can cause physical damage to a phone.
Researchers at Kaspersky Lab say Trojan.AndroidOS.Loapi is distributed through advertising campaigns, though it’s also found in third-party markets, browser ads, and SMS-based spam.
Once installed, the application, which usually comes disguised as an antivirus or porn app, requests device administrator privileges, asking for them in a loop until a user gives in to the harassment and finally agrees. It also checks for root permissions—something the malware could use in the future.
Mobile-based drive-by cryptomining isn’t the only nefarious action this malware performs. It also bombards users with ads, secretly subscribes them to paid services, participates in DDoS attacks, and send texts to any numbers. The sheer number of actions it can perform has led Kaspersky to name it a “jack of all trades.”
But the worst aspect of Loapi is the way it uses handsets to mine Monero. After just two days of exploiting a phone’s electricity and hardware, researchers found the constant load had caused the device’s battery to bulge and deform the cover.
“We've never seen such a 'jack of all trades' before,” said Kaspersky Lab’s researchers. “The only thing missing is user espionage, but the modular architecture of this Trojan means it's possible to add this sort of functionality at any time.”
As always, the best way to avoid Loapi is to avoid downloading suspicious apps from untrusted sources. It sounds obvious, but plenty of people still do it.