Scribd Logo
Upload

Welcome to Scribd!

  • Loapi Malware

    Uploaded by

    Francisc Moldovan
    452 views23 pages
    loapi malware presentation

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    loapi malware presentation

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    452 views23 pages

    Loapi Malware

    Uploaded by

    Francisc Moldovan
    loapi malware presentation

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 23

    LOAPI MALWARE

    AUTHOR: VLAD PUSCAS

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 1


    Content

    • What is Loapi?
    • Distribution
    • Infection
    • Self-protection
    • Modules
    • Layered architecture
    • Manifest analysis
    • Conclusion and protection methods
    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 2
    What is Loapi?

    • Also known as “Jack of all trades”


    • It’s a Trojan malware
    • Uses a modular architecture in order to conduct various malicious
    activities:
    • Mine cryptocurrencies
    • Annoy users with constant ads
    • Launch DDoS attacks from infected devices
    • Manipulate SMS messages
    • Subscribe users to various paid subscriptions
    • And perhaps even more…

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 3


    Distribution

    • Loapi is distributed via advertising campaigns.


    • The malicious files are downloaded after the user is redirected to the
    attackers’ malicious web resource.
    • Loapi masks itself as antivirus apps or adult content apps.

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 4


    Infection

    • After the user installs the malware, the


    application will try to obtain
    administrator rights.
    • It will ask for administrator rights in a
    loop, until the user finally gives in and
    grants administrator rights to the app.
    • After obtaining admin rights, the app will
    hide its icon or it will simulate some
    antivirus activity.

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 5


    Self-protection
    • Loapi will fight aggressively against attempts to revoke its admin rights.
    • If the user tries to take away its rights, Loapi will lock the screen and close the
    window with device manager settings.
    • It executes the following code in this situation:

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 6


    Self-protection

    • Besides preventing the user from revoking its rights,


    Loapi is capable of receiving a list of apps that pose
    danger from its C&C server.
    • The malware uses the list to monitor the installation
    and launch of such apps.
    • If it detects an app from the list, it will show a fake
    message claiming it detected some malware and
    prompts the user to delete it…in a loop.

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 7


    Advertisement module

    • The purpose of this module is to aggressively display ads on the infected


    device.
    • What the module can do:
    • Display video ads and banners
    • Open specified URLs
    • Create shortcuts on the device
    • Show notifications
    • Open pages in social networks (Facebook, Instagram, etc.)
    • Download and install other applications

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 8


    Advertisement module

    • Example of a task to show ads


    received from the C&C server
    • While handling this task, the
    app sends a hidden request
    with a specific User-Agent and
    Referrer to the web page in the
    url, which in turn redirects to a
    page with ads.

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 9


    SMS module

    • This module is used to manipulate text messages.


    • It periodically sends requests to the C&C server to obtain relevant settings
    and commands.
    • Functionality:
    • Send inbox SMS messages to the attackers’ server
    • Reply to incoming SMS messages according to specific masks (from C&C server)
    • Send SMS messages to specified numbers (all info received from C&C server)
    • Delete SMS messages from inbox and sent folder
    • Execute requests to URL and run specified JavaScript code in the page received as a
    response (legacy functionality, was moved to a separate module)

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 10


    Web crawling module

    • This module is used for hidden JavaScript code execution on web pages with
    WAP billing in order to subscribe the user to various services (together with
    the ad module)
    • WAP billing = mechanism for consumers to purchase content from WAP
    (Wireless Application Protocol) sites that is charged directly to the mobile
    phone bill.
    • Together with the ad module, this module tried to open around 28,000 unique
    URLs during a 24-hour experiment (Kaspersky labs experiment).

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 11


    Proxy module

    • This module is an implementation of a HTTP proxy server that allows the


    attackers to send HTTP requests from the infected device.
    • This can be used in DDoS attacks.
    • This module can also change the internet connection type on a device (from
    data to Wi-Fi and vice-versa).

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 12


    Miner module

    • The purpose of this module is to mine Monero cryptocurrency.


    • The mining process is initiated using the following code:

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 13


    Layered architecture

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 14


    Layered architecture

    • The Trojans’ architecture consists of three stages:


    • In the first stage, the app loads a file from the “assets” folder, decodes it using Base64
    and then decrypts it using XOR operations and the app signature hash as a key. After
    these operations, it retrieves a DEX file with a payload which is loaded with
    ClassLoader.
    • In the second stage, the app sends a JSON with information about the device to the C&C
    server (hxxps://api-profit.com)
    • In the third stage, the modules are downloaded and initialized

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 15


    Layered architecture
    • Example of JSON with device
    information:
    • The C&C server will respond with a
    command

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 16


    Layered architecture

    • installs = list of module IDs that have to be downloaded and launched


    • removes = list of module IDs that have to be deleted
    • domains = list of domains to be used as C&C servers
    • reservedDomains = list of reserved additional domains
    • hic = flag that shows that the app icon should be hidden from the user
    • dangerousPackages = list of apps that must be prevented from launching and
    installing

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 17


    Manifest analysis

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 18


    Manifest analysis

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 19


    Conclusion and protection methods

    • Loapi uses an almost entire spectrum of techniques for attacking devices.


    • It’s only missing user espionage, but since it uses a modular architecture, a
    module with this functionality could be added in the future.
    • Protection methods:
    • Install apps only from official stores (Google Play)
    • Disable installation of apps from unknown sources

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 20


    Kaspersky experiment results

    After 48 hours, the battery of the test smartphone overcooked

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 21


    References

    • https://securelist.com/jack-of-all-trades/83470/
    • https://www.kaspersky.com/blog/loapi-trojan/20510/
    • https://www.virustotal.com/en/file/f24f90b8c71fabed544895f14d2f10b0
    d3b37eec41521841fe623fa9a1c5ebad/analysis/

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 22


    Thank you for your attention!
    Questions?

    TECHNICAL UNIVERSITY OF CLUJ-NAPOCA 23

    You might also like