Malware is an ever-present threat in the Android world, and a new variant found by Kaspersky managed to physically destroy a test device in its lab by stressing and overheating the device to the point that the battery bulged and broke its external casing. Called a "jack of all trades," Loapi is unique in its extensive capabilities. It starts out as many malware versions do, as a nearly harmless seed program that incessantly seeks device administrator permissions. Once it has them, it can connect to its command server and start downloading encrypted modules, which is when it becomes dangerous. The encryption is how it manages to hide from the Play Store's automatic detection algorithms for malware, and the decryption keys for the encrypted content are hosted on the command server that Loapi connects to.
Loapi 's main avenues to profit are to show ads, mine cryptocurrency, and use a web crawler to sign victims up for services with WAP billing, which will appear on their phone bills. Kaspersky also found an SMS module that could be used maliciously and a proxy module that could potentially be used to employ a victim's device in a DDoS attack. Kaspersky captured some snippets of the code that allow the malware to do all of this without alerting Google or the device's internal security services to its presence, as well as some web domains that it refers to, along with a list of domain names that have occupied one particular address that the malware calls over time. These can be seen in the gallery below. With all of this going on, it's easy to see how Loapi can overwhelm a device and cause it to crash, or even drastically overheat as seen in the featured image above. What makes it even scarier is that it has measures in place to protect itself, using repeated prompts and controlled crashes to keep users from revoking device administrator privileges or using security apps that would detect its activities.
All of the apps that Kaspersky found to contain Loapi in the Play Store have been reported to Google, but there may always be more. The core of Loapi lies in what's fed from the control server, so any malware that can hide from Play Store's security mechanisms and call to that particular server can do the same things as these apps. Mostly, the code was found in fake security and antivirus apps, as well as adult apps, which aren't technically allowed in the Play Store. The moral of this story is the same as almost every other story about Android malware; be careful what you download, never grant suspicious permissions or privileges to an app, and don't assume you're safe just because you're sticking to the Play Store.