{
	"id": "fce6da49-336b-428b-9233-c8a0178bf930",
	"created_at": "2026-04-06T00:16:47.464144Z",
	"updated_at": "2026-04-10T03:31:18.924242Z",
	"deleted_at": null,
	"sha1_hash": "54edcc6bf062d3a00cefae743bfb7c396cc11409",
	"title": "Jack of all trades",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3208833,
	"plain_text": "Jack of all trades\r\nBy Nikita Buchka\r\nPublished: 2017-12-18 · Archived: 2026-04-05 17:12:17 UTC\r\nNowadays, it’s all too easy to end up with malicious apps on your smartphone, even if you’re using the official Google Play app store. The situation gets even worse when you go somewhere other than the official store – fake applications, limited security checks, and so on. However, the spread of malware targeting Android OS is not limited to unofficial stores – advertising, SMS-spam campaigns and other techniques are also used. Among this array of threats we found a rather interesting sample – Trojan.AndroidOS.Loapi. This Trojan boasts a complicated modular architecture that means it can conduct a variety of malicious activities: mine cryptocurrencies, annoy users with constant ads, launch DDoS attacks from the affected device and much more. We’ve never seen such a ‘jack of all trades’ before.\r\nDistribution and infection\r\nSamples of the Loapi family are distributed via advertising campaigns. Malicious files are downloaded after the user is redirected to the attackers’ malicious web resource. We found more than 20 such resources, whose domains refer to popular antivirus solutions and even a famous porn site. As we can see from the image below, Loapi mainly hides behind the mask of antivirus solutions or adult content apps:\r\nAfter the installation process is finished, the application tries to obtain device administrator permissions, asking for them in a loop until the user agrees. Trojan.AndroidOS.Loapi also checks if the device is rooted, but never subsequently uses root privileges – no doubt they will be used in some new module in the future.\r\nhttps://securelist.com/jack-of-all-trades/83470/\r\nPage 1 of 15\n\nAfter acquiring admin privileges, the malicious app either hides its icon in the menu or simulates various antivirus activity, depending on the type of application it masquerades as:\r\nSelf-protection\r\nLoapi aggressively fights any attempts to revoke device manager permissions. If the user tries to take away these permissions, the malicious app locks the screen and closes the window with device manager settings, executing the following code:\r\nAs well as this fairly standard technique to prevent removal, we also found an interesting feature in the self-protection mechanism. The Trojan is capable of receiving from its C\u0026C server a list of apps that pose a danger. This list is used to monitor the installation and launch of those dangerous apps. If one of the apps is installed or launched, then the Trojan shows a fake message claiming it has detected some malware and, of course, prompts the user to delete it:\r\nThis message is shown in a loop, so even if the user rejects the offer, the message will be shown again and again until the user finally agrees and deletes the application.\r\nLayered architecture\r\nLet’s take a look at the Trojan’s architecture in more detail:\r\n1. At the initial stage, the malicious app loads a file from the “assets” folder, decodes it using Base64 and afterwards decrypts it using XOR operations and the app signature hash as a key. A DEX file with the payload, which is retrieved after these operations, is loaded with ClassLoader.\r\n2. At the second stage, the malicious app sends JSON with information about the device to the central C\u0026C server hxxps://api-profit.com:\r\nA command in the following format is received as a response from the server:\r\nWhere “installs” is a list of module IDs that have to be downloaded and launched; “removes” is a list of module IDs that have to be deleted; “domains” is a list of domains to be used as C\u0026C servers; “reservedDomains” is an additional reserved list of domains; “hic” is a flag that shows that the app icon should be hidden from the user; and “dangerousPackages” is a list of apps that must be prevented from launching and installing for self-protection purposes.\r\n3. At the third stage, the modules are downloaded and initialized. All the malicious functionality is concealed inside them. Let’s take a closer look at the modules we received from the cybercriminals’ server.\r\nAdvertisement module\r\nPurpose and functionality: this module is used for the aggressive display of advertisements on the user’s device. It can also be used for secretly boosting ratings. Functionality:\r\nDisplay video ads and banners\r\nOpen specified URL\r\nCreate shortcuts on the device\r\nShow notifications\r\nOpen pages in popular social networks, including Facebook, Instagram, VK\r\nDownload and install other applications\r\nExample of a task to show ads received from the server:\r\nWhile handling this task, the application sends a hidden request with a specific User-Agent and Referrer to the web page hxxps://ronesio.xyz/advert/api/interim, which in turn redirects to a page with the ads.\r\nSMS module\r\nPurpose and functionality: this module is used for different manipulations with text messages. It periodically sends requests to the C\u0026C server to obtain relevant settings and commands. Functionality:\r\nSend inbox SMS messages to attackers’ server\r\nReply to incoming messages according to specified masks (masks are received from C\u0026C server)\r\nSend SMS messages with specified text to specified number (all information is received from C\u0026C server)\r\nDelete SMS messages from inbox and sent folder according to specified masks (masks are received from C\u0026C server)\r\nExecute requests to URL and run specified JavaScript code in the page received as a response (legacy functionality that was later moved to a separate module)\r\nWeb crawling module\r\nPurpose and functionality: this module is used for hidden JavaScript code execution on web pages with WAP billing in order to subscribe the user to various services. Sometimes mobile operators send a text message asking for confirmation of a subscription. In such cases the Trojan uses SMS module functionality to send a reply with the required text. Also, this module can be used for web page crawling. An example of a web page crawling task received from the server is shown below:\r\nThis module together with the advertisement module tried to open about 28,000 unique URLs on one device during our 24-hour experiment.\r\nProxy module\r\nPurpose and functionality: this module is an implementation of an HTTP proxy server that allows the attackers to send HTTP requests from the victim’s device. This can be used to organize DDoS attacks against specified resources. This module can also change the internet connection type on a device (from mobile traffic to Wi-Fi and vice versa).\r\nMining Monero\r\nPurpose and functionality: this module uses the Android version of minerd to perform Monero (XMR) cryptocurrency mining. Mining is initiated using the code below:\r\nThe code uses the following arguments:\r\nurl – mining pool address, “stratum+tcp://xmr.pool.minergate.com:45560”\r\nthis.user – username, value randomly selected from the following list: “lukasjeromemi@gmail.com”, “jjopajopaa@gmail.com”, “grishaobskyy@mail.ru”, “kimzheng@yandex.ru”, “hirt.brown@gmx.de”, “swiftjobs@rambler.ru”, “highboot1@mail333.com”, “jahram.abdi@yandex.com”, “goodearglen@inbox.ru”, “girlfool@bk.ru”\r\npassword – constant value, “qwe”\r\nOld ties\r\nDuring our investigation we found a potential connection between Loapi and Trojan.AndroidOS.Podec. We gathered some evidence to support this theory:\r\nMatching C\u0026C server IP addresses. The current address of the active Loapi C\u0026C server is resolved with DNS to 5.101.40.6 and 5.101.40.7. But if we take a look at the history, we can see other IP addresses to which this URL resolved before:\r\nAt first, this URL was resolved to the IP address 91.202.62.38. If we analyze the history of DNS records that resolved to this address, we see the following:\r\nAs we can see from the records, in 2015 (when Podec was active), this IP address was resolved from various generated domains, and many of them were used in Podec (for example, obiparujudyritow.biz, in the 0AF37F5F07BBF85AFC9D3502C45B81F2 sample).\r\nMatching unique fields at the initial information collection stage. Both Trojans collect information with similar structure and content and send it in JSON format to the attackers’ server during the initial stage.\r\nBoth JSON objects have the fields “Param1”, “Param2” and “PseudoId”. We performed a search in our internal ElasticSearch clusters – where we store information about clean and malicious applications – and found these fields were only used in Podec and Loapi.\r\nSimilar obfuscation.\r\nSimilar ways of detecting SU on a device.\r\nSimilar functionality (both can subscribe users to paid services).\r\nNone of these arguments can be considered conclusive proof of our theory, but taken together they suggest there’s a high probability that the malicious applications Podec and Loapi were created by the same group of cybercriminals.\r\nConclusion\r\nLoapi is an interesting representative from the world of malicious Android apps. Its creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device. The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time.\r\nP.S.\r\nAs part of our dynamic malware analysis we installed the malicious application on a test device. The images below show what happened to it after two days:\r\nBecause of the constant load caused by the mining module and generated traffic, the battery bulged and deformed the phone cover.\r\nC\u0026C\r\nronesio.xyz (advertisement module)\r\napi-profit.com:5210 (SMS module and mining module)\r\nmnfioew.info (web crawler)\r\nmp-app.info (proxy module)\r\nDomains\r\nList of web resources from which the malicious application was downloaded:\r\nSource: https://securelist.com/jack-of-all-trades/83470/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/jack-of-all-trades/83470/"
	],
	"report_names": [
		"83470"
	],
	"threat_actors": [
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434607,
	"ts_updated_at": 1775791878,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54edcc6bf062d3a00cefae743bfb7c396cc11409.pdf",
		"text": "https://archive.orkl.eu/54edcc6bf062d3a00cefae743bfb7c396cc11409.txt",
		"img": "https://archive.orkl.eu/54edcc6bf062d3a00cefae743bfb7c396cc11409.jpg"
	}
}