Jack of all Trades Malware Discovered

DooKey

A new Android trojan that is distributed by advertising campaigns, Trojan.AndroidOS.Loapi, is making the rounds and this one is a bit different. Loapi is a modular trojan that can conduct many different attacks. It can mine crypto, launch DDoS attacks, annoy with constant ads and other types of nefarious stuff. Take a look at Securelist to get all the details on this nasty little piece of work.

Samples of the Loapi family are distributed via advertising campaigns. Malicious files are downloaded after the user is redirected to the attackers’ malicious web resource. We found more than 20 such resources, whose domains refer to popular antivirus solutions and even a famous porn site.
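The quoted Securelist passage says the redirect targets used domains that "refer to popular antivirus solutions". A first triage step a defender can take over a proxy or DNS log is to flag hostnames that embed or misspell a brand they do not belong to. The following is an added Python example written for this page, not code from the original post or from Kaspersky; the brand token list, the sample hostnames and the similarity threshold are all my own constructed assumptions, and none of the hostnames below are the real Loapi domains.

```python
import difflib

# Assumed brand tokens an ad-redirect domain might imitate. This is an illustrative
# list, not the set of brands named in the Securelist report.
BRANDS = ["avast", "kaspersky", "norton", "mcafee", "avg", "bitdefender", "eset"]


def flag_lookalike(domain, brands=BRANDS, threshold=0.8):
    """Return (brand, reason) if the hostname impersonates a brand, else None.

    Three patterns are checked, in order:
      embedded   - brand token inside a longer second-level label (avast-update.example)
      subdomain  - brand token used as a subdomain of an unrelated registrable domain
      typo       - second-level label is a near-miss spelling of the brand
    The second-level label is taken naively as the label before the TLD; public
    suffixes such as co.uk are not handled (assumption for brevity).
    """
    labels = domain.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]

    for brand in brands:
        if brand in sld and sld != brand:
            return brand, "embedded"

    for label in labels[:-2]:
        for brand in brands:
            if brand in label:
                return brand, "subdomain"

    for brand in brands:
        ratio = difflib.SequenceMatcher(None, sld, brand).ratio()
        if sld != brand and ratio >= threshold:
            return brand, "typo(%.2f)" % ratio

    return None


def triage(hostnames):
    """Map each flagged hostname to its (brand, reason); clean hosts are omitted."""
    hits = {}
    for host in hostnames:
        result = flag_lookalike(host)
        if result is not None:
            hits[host] = result
    return hits


# Constructed sample of redirect-chain hostnames (not real observed domains).
SAMPLE_HOSTS = [
    "avast-update.example",
    "kaspersky.cdn-ads.example",
    "kasperski.example",
    "example.com",
    "avast.com",
]

if __name__ == "__main__":
    for host, (brand, reason) in triage(SAMPLE_HOSTS).items():
        print("%-28s looks like %-10s (%s)" % (host, brand, reason))
```

Caveat: an exact match on the brand label (`avast.com`) is deliberately not flagged, but that also means `avast.xyz` passes, so this heuristic must be paired with an allowlist of the vendor's genuine registrable domains, and a high-ratio hit is a lead for an analyst, not a verdict.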
 
For an even more nefarious twist, when you hit the unsubscribe button in the phishing email, you get sent to the website that loads the Trojans.
 
Because Google can't update devices themselves. One day Google will invent Windows Update instead of using flimsy package managers as an excuse for a software updater.
 
First we had All-In-One printers and now we got Jack of All Trades Malware. Merry Christmas
 
Great.

So, it's enough to visit a site that runs an ad and you're affected?

I've been saying this for a long time, but organizations that manage advertising platforms online should be required to have a human review each ad before it goes live, and review any code associated with it, to make sure it is not malignant.
 
Because Google can't update devices themselves. One day Google will invent Windows Update instead of using flimsy package managers as an excuse for a software updater.

I agree that the desktop model is what Google should use for Android devices, but I'd argue package managers in general (like what are offered on most Linux distributions) do a much better job than Windows Update does. The problem with Android is that the core functionality is not in packages that can be managed by the package manager, and thus cannot be updated that way.

Furthermore, every damned OEM feels like they need to distinguish themselves from other Android handset makers by altering the base Android code, which is just plain stupidity.

To address security concerns, Google should put their foot down, and require a unified code base for all Android devices. If Samsung or LG want to distinguish themselves, they can do this with their own packages (like launchers, etc.), not by modifying base code. All the OEMs should be doing is providing hardware and drivers, not modifying the Android code base.

That being said, it would help if Google's AOSP code were actually compile-able as it stands. Right now you can't just download AOSP source code, compile it and put it on a phone. You HAVE to edit the code to make it actually compile, and this results in the non-unified code base.

So, it's not just the OEMs' fault, but a healthy portion of the blame also belongs with Google.

Sadly it appears as if Google is moving in the wrong direction on this. They seem less and less concerned with privacy and security as time goes on, which drives me up a wall, and makes me wonder whatever happened with that Ubuntu Phone project...
 
Crazy thing is despite Windows Phone being an abandoned platform, my Lumia 650 got a security update last night.

I have no idea what I'm going to do when I'm forced to change away from Windows Phone, I refuse to pay Apple prices for something I'll throw out in 2 years, and Android is a security disaster zone.
 
Crazy thing is despite Windows Phone being an abandoned platform, my Lumia 650 got a security update last night.

I have no idea what I'm going to do when I'm forced to change away from Windows Phone, I refuse to pay Apple prices for something I'll throw out in 2 years, and Android is a security disaster zone.

There are some Android phones that get frequent security patches. The Pixels do (but they also cost almost as much as Apple devices)

If you aren't afraid of running third-party ROMs, LineageOS supports a lot of devices and has some of the best and fastest security patching of any phone.
 
There are some Android phones that get frequent security patches. The Pixels do (but they also cost almost as much as Apple devices)

If you aren't afraid of running third-party ROMs, LineageOS supports a lot of devices and has some of the best and fastest security patching of any phone.

Buying a used Nexus device is also a good idea. Really any phone that receives updates from Google directly.
 
Mining crypto on a phone, that's going to be effective lol. You're just pissing off the target with ruining their battery at that point.
 
And another cryptocrime. Time to ban the shit.


What? Because one module happens to load a miner? All that does is use your hardware to mine. The other payloads steal your banking information, should we ban online banking as well? A lot of crime is committed because of it.

You seem to have an unresolved hatred for everything Cryptocoin. Were you bullied by a private key or something?
 
Just thinking with pictures again...

 
Sites that offer up ads/scripts from other domains should be held legally liable for any and all damages that come from referring visitors to the ad site and the matching JavaScript attack vector.

You want the ad revenue? Trying to save coding time? You should assume the risk.

I partially agree, but at the same time, the websites are often the little guys, and may not be able to. It's tight enough running an independent site.

I'd like the big ad firms, Google and the likes to be legally required to monitor all the content that they serve, and be liable for it.
 
What? Because one module happens to load a miner? All that does is use your hardware to mine. The other payloads steal your banking information, should we ban online banking as well? A lot of crime is committed because of it.

You seem to have an unresolved hatred for everything Cryptocoin. Were you bullied by a private key or something?

Because lack of regulation and accountability empowers organized crime. That's exactly what crypto stands for.
 
Mining crypto on a phone, that's going to be effective lol. You're just pissing off the target with ruining their battery at that point.


Unless you program it so that it only runs when the phone is plugged in.

Any malware like that is going to be the most effective if the user doesn't remove it. If it only runs when it is plugged in, they might wonder why their phone gets so hot while charging, and why it takes so long, but they will likely not take as drastic action as if they don't get any real battery life.
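The evasion described in this post, a miner that only burns CPU while the device is on external power, defeats the obvious "which app drains my battery" check, because on battery the app is idle. The detection counterpart is to compare each app's CPU usage in the two power states rather than overall. The following is an added Python example written for this page, not code from the poster or from the Securelist report; the telemetry rows, package names and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed per-interval telemetry, not real device data:
# (package name, device charging?, CPU percent used by that app in the interval).
SAMPLES = [
    ("com.example.player", True, 4.0), ("com.example.player", False, 5.0),
    ("com.example.player", True, 3.0), ("com.example.player", False, 6.0),
    ("com.example.flashlight", True, 92.0), ("com.example.flashlight", True, 95.0),
    ("com.example.flashlight", True, 90.0), ("com.example.flashlight", False, 0.5),
    ("com.example.flashlight", False, 0.4), ("com.example.flashlight", False, 0.6),
]


def charge_gated_apps(samples, busy=50.0, idle=5.0):
    """Return {app: (mean_cpu_charging, mean_cpu_on_battery)} for apps that are
    CPU-heavy only while charging and near-idle otherwise.

    An app that is busy in both states shows up in ordinary battery statistics
    and needs no special rule; an app seen in only one power state is skipped
    as inconclusive rather than guessed at. Thresholds are assumed values.
    """
    charging = defaultdict(list)
    battery = defaultdict(list)
    for app, on_power, cpu in samples:
        (charging if on_power else battery)[app].append(cpu)

    flagged = {}
    for app in set(charging) | set(battery):
        c = charging.get(app)
        b = battery.get(app)
        if not c or not b:
            continue
        mean_c = sum(c) / len(c)
        mean_b = sum(b) / len(b)
        if mean_c >= busy and mean_b <= idle:
            flagged[app] = (round(mean_c, 1), round(mean_b, 1))
    return flagged


if __name__ == "__main__":
    for app, (on_power, on_battery) in charge_gated_apps(SAMPLES).items():
        print("%s: %.1f%% CPU charging vs %.1f%% on battery" % (app, on_power, on_battery))
```

The same split-by-state comparison works for any metric a miner inflates (thermal readings, network bytes to a pool), and a single app flipping between the two extremes is a stronger signal than either number on its own.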
 
What? Because one module happens to load a miner? All that does is use your hardware to mine. The other payloads steal your banking information, should we ban online banking as well? A lot of crime is committed because of it.

You seem to have an unresolved hatred for everything Cryptocoin. Were you bullied by a private key or something?

First: it's nonsense. And second, the nonsense inflates the GPU prices through the roof. Third, most cybercrime demands payment in coin, drugs are traded with bitcoin online... nothing but negative aspects of the whole thing.
 
Don't believe a word of it. It's from Kaspersky. The [H] says it's all lies from the Russian government.
 
Unless you program it so that it only runs when the phone is plugged in.

Any malware like that is going to be the most effective if the user doesn't remove it. If it only runs when it is plugged in, they might wonder why their phone gets so hot while charging, and why it takes so long, but they will likely not take as drastic action as if they don't get any real battery life.

Except for the fact that it would have essentially no purpose except for annoying someone. Even with 10k phones I highly doubt you could make more than a couple bucks over the course of the malware's lifetime. Gotta be something better to do with those drones.
 