• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

News LokiBot Android Banking Trojan Turns Into Ransomware When You Try to Remove It


Security researchers have spotted a new Android banking trojan named LokiBot that turns into ransomware and locks users' phones when they try to remove its admin privileges.

The malware is more banking trojan than ransomware — according to SfyLabs researchers, the ones who discovered it — and is used for this purpose primarily

LokiBot sold online for $2,000
Similar to Svpeng, CryEye, DoubleLocker, ExoBot, and other recent Android malware families, LokiBot is also sold online on hacking forums. The price for a full LokiBot license is $2,000, paid in Bitcoin.

LokiBot has its own unique features compared to other Android banking trojans. For starters, it can open a mobile browser and load an URL and will install a SOCKS5 proxy to redirect outgoing traffic.

It can also automatically reply to SMS messages and send SMS messages to all of the victim's contacts, a feature most likely used to send SMS spam and infect new users.

Last but not least, LokiBot can also show "fake" notifications disguised as coming from other apps. The malware uses this feature to trick users into thinking they've received money in their bank account and open the mobile banking app. When the user taps the notification, Lokibot shows the phishing overlay instead of the real app.

LokiBot ransomware behavior is faulty
The malware works on Android 4.0 and higher and requires administrator privileges, which it asks during installation.

If users detect something fishy about the malware and they move to remove its administrator privileges, LokiBot will trigger its ransomware behavior.

The good news is that the ransomware routine is not implemented correctly and fails to encrypt users' files.

According to SfyLabs, LokiBot's "Go_Crypt" ransomware function is supposed to lock the user's screen and encrypt files with an AES128 algorithm.

"The encryption function in this ransomware utterly fails, because even though the original files are deleted, the encrypted file is decrypted [immediately] and written back to itself," SfyLabs says. "Thus, victims won't lose their files, they are only renamed."

LokiBot Android Banking Trojan Turns Into Ransomware When You Try to Remove It