LokiBot - Android-Hybrid-Malware

Security researchers have discovered a new Android banking trojan named LokiBot that turns into ransomware and locks the user's phone when they try to remove its admin privileges. According to the researchers, the malware is more banking trojan than ransomware.

How does the malware work?

LokiBot works by showing fake login screens on top of popular apps. It targets mobile banking apps by design, but also popular non-banking apps such as Skype, Outlook, and WhatsApp. The malware is sold online for $2,000 worth of Bitcoin.

Malware Characteristics

LokiBot, which works on Android 4.0 and higher, has a fairly standard set of malware capabilities. It can open a mobile browser and load a URL, and it can install a SOCKS5 proxy to redirect outgoing traffic.

The researchers note that LokiBot has some interesting features not seen in other Android banking trojans. The malware can reply to SMS messages and send SMS messages to all of the victim's contacts, a feature most likely used to send SMS spam and infect new users.

The malware can also open a given web page and show notifications that appear to come from other apps, enabling phishing attacks.

LokiBot can also show "fake" notifications disguised as coming from other apps. The malware uses this feature to trick users into thinking they have received money in their bank account and to open the mobile banking app. When the user taps the notification, LokiBot shows the phishing overlay instead of the real app.

Ransomware Details

The malware requires administrator privileges, which it requests during installation. If the user notices something suspicious about the malware and moves to remove its administrator privileges, LokiBot triggers its ransomware behavior. The behavior can also be activated from the C2 by sending the "Go_Crypt" command. The good news is that the ransomware routine is not implemented correctly and fails to encrypt the user's files.

The bad news is that, despite the failed file encryption routine, the phone's screen gets locked anyway with a ransom note demanding between $70 and $100. In addition, a threat is shown on the screen: "Your phone is locked for viewing child pornography."
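To make the capability profile described above concrete, here is an added triage script (not from the report or the researchers) that scans a decoded AndroidManifest.xml for the combination LokiBot relies on: a device-admin receiver, overlay permission, SMS sending and contact access. The manifest sample, the package name and the permission-to-behaviour mapping are constructed for this example; a real manifest would first be decoded from the APK with a tool such as apktool.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Permission -> behaviour from the LokiBot description (mapping is ours).
BEHAVIOURS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay phishing screens",
    "android.permission.SEND_SMS": "SMS spam to contacts",
    "android.permission.RECEIVE_SMS": "reply to or intercept SMS",
    "android.permission.READ_CONTACTS": "harvest victim contacts",
    "android.permission.INTERNET": "C2 / SOCKS5 proxy traffic",
}

# Constructed sample of a decoded manifest; not a real LokiBot artefact.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeflash">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the package name, matched behaviours and a high-risk flag."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = [desc for perm, desc in BEHAVIOURS.items() if perm in perms]
    # A device-admin receiver is what lets the trojan resist removal and
    # react (lock screen) when the user revokes its admin rights.
    has_admin = any(r.get(ANDROID_NS + "permission") == DEVICE_ADMIN
                    for r in root.iter("receiver"))
    if has_admin:
        findings.append("device-admin receiver (removal-resistant)")
    # Overlays + device admin + SMS sending is the profile the report describes.
    high_risk = has_admin and all(
        b in findings for b in ("overlay phishing screens", "SMS spam to contacts"))
    return {"package": root.get("package"), "findings": findings,
            "high_risk": high_risk}
```

An app that legitimately needs one of these permissions will match a single behaviour; the flag only fires on the full overlay, device-admin and SMS combination.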

Targeted Apps

  1. Axis Mobile (com.axis.mobile)
  2. Facebook (com.facebook.katana)
  3. Messenger (com.facebook.orca)
  4. Google Play Games (com.google.android.play.games)
  5. HSBC Mobile Banking (com.htsu.hsbcpersonalbanking)
  6. Microsoft Outlook (com.microsoft.office.outlook)
  7. WhatsApp Messenger (com.whatsapp), and more.