LokiBot – an Android Trojan Virus with Ransomware traits

Recently, security experts at SfyLab have detected a newly developed malware for Android that goes under the name of LokiBot (not to be confused with the LokiBot data-stealing Trojan Horse virus for Windows). This new malicious application belongs to the category of Banking Trojans – a type of malware that uses phishing methods to lure its victims into providing their credit/debit card credentials so that the hacker who’s behind the attack could steal their money.

However, there’s something different and unique about LokiBot – apart from primarily using phishing to trick its victims, the malware has a second stage to its agenda where it operates as a Ransomware virus. Its Ransomware behavior comes second and is only triggered if the user attempts to remove the Administrator privileges that the virus needs in order to carry out its phishing schemes.

More about LokiBot

Despite its Ransomware-like traits, LokiBot is still primarily a Banking Trojan. As such, this virus has the ability to generate and display fake fill-in forms on top of different banking and even some non-banking apps where the user is required to provide personal information that, once filled, would become accessible to the person who controls the virus.

There are several features that seem to come with this particular banking Trojan. For example, the virus is also able to send out SMS messages from the infected device without the knowledge of the user. The most probable reason for this function of the malware is so that it could further distribute itself to other users by sending them spam messages.

Additionally, this Trojan is also known to be able to redirect the user’s outgoing Internet traffic through a proxy server.

One other possibility is that the virus creates misleading/fake notifications that seem as if they are coming from actual apps on the device. As we already mentioned, the focus is on banking apps so that once such a pop-up is displayed, the user might get tricked into opening the banking application and filling in their personal information inside the fake phishing fill-in form which would allow the attacker to gain access to their online banking account.

In order to do all this, the Trojan malware requires Administrator Privileges on the smartphone. It gains them automatically during the installation if the user agrees to install the malware app. Currently, the virus is being sold online on hacking websites/forums for a price of 2 000 USD similarly to many other Android Trojans.

The Ransomware Behavior

As we mentioned earlier, the Ransomware part of LokiBot stays dormant by default. It only gets triggered if the user realizes that they have malware on their device and tries to remove the Administrator privileges from the malware. If this happens, the virus’ Ransomware behavior comes into play. The malware tries to lock the user’s data by encrypting it and also displays a big banner on the device’s screen that doesn’t go away, so as to make it impossible for the victim to use their smartphone. Inside this banner, a ransom payment is demanded if the malware’s victim wants to have their data and phone unlocked.

However, the good news, according to the researchers at SfyLab, is that the data-encryption procedure is flawed and doesn’t work as it’s supposed to. The virus does indeed copy the files into encrypted copies and delete the originals, as most cryptoviruses do, but as soon as the encrypted copies are created, they get decrypted, which means that the user would still be able to access them.

That said, the screen-locking banner still gets displayed, blocking the access to the phone. Fortunately, dealing with this sort of device lock-up isn’t all that difficult. In such a case, the victim of the hacker attack would have to boot their device into Safe Mode – there, the banner shouldn’t be displayed and the device should be accessible. From within Safe Mode, the user would need to remove the Admin profile that has been created by LokiBot and also the actual virus app. Once this is done, all should be back to normal.
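To find which app holds the Admin profile mentioned above, the device can also be inspected from a computer over adb. The following is an added example, not part of the original article: it cross-references the output of `adb shell dumpsys device_policy` with `adb shell pm list packages -3` and lists device administrators that belong to user-installed apps. The sample outputs and package names are constructed, and the `dumpsys` layout is an assumption, since it differs between Android versions.

```python
import re

# Constructed sample of `adb shell dumpsys device_policy` output
# (layout assumed; it differs between Android versions).
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10013
      testOnlyAdmin=false
    com.example.suspicious/.AdminReceiver:
      uid=10157
      testOnlyAdmin=false
  mPasswordOwner=-1
"""

# Constructed sample of `adb shell pm list packages -3` (user-installed apps).
SAMPLE_THIRD_PARTY = "package:com.example.suspicious\npackage:org.example.notes\n"

# An admin entry looks like "<package>/<receiver class>:" on its own line.
ADMIN_LINE = re.compile(r"^\s+([\w.]+)/([\w.$]+):\s*$")

def parse_device_admins(dumpsys_text):
    """Return (package, receiver) pairs listed under 'Enabled Device Admins'."""
    admins, header_indent = [], None
    for line in dumpsys_text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if "Enabled Device Admins" in line:
            header_indent = indent
        elif header_indent is not None:
            if indent <= header_indent:
                header_indent = None  # left the admin section
                continue
            match = ADMIN_LINE.match(line)
            if match:
                admins.append((match.group(1), match.group(2)))
    return admins

def third_party_packages(pm_text):
    """Package names from `pm list packages -3` lines ('package:<name>')."""
    return {l.split(":", 1)[1].strip()
            for l in pm_text.splitlines() if l.startswith("package:")}

def admins_to_review(dumpsys_text, pm_text):
    """Device admins owned by user-installed apps: candidates for removal."""
    installed = third_party_packages(pm_text)
    return [a for a in parse_device_admins(dumpsys_text) if a[0] in installed]
```

An administrator that shows up here and that the user does not recognise is the one to deactivate in Safe Mode before uninstalling its app.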

Considerable profits made through the Ransomware part of Loki

Despite being a secondary function of the virus, the Ransomware scheme of Loki still seems to have accumulated substantial profits for some cyber criminals who have used this virus. This is actually not surprising since, although the encryption fails and the banner lock-up is relatively easy to deal with, a lot of users tend to panic at the sight of the ransom note in fear that they won’t be able to regain access to their device and data unless they make the demanded payment. The required ransom sum varies between 70 and 100 USD so it isn’t too much for most people to pay. Still, though, why pay money to hackers when you can handle such an issue in another way? Because of this, it is very important to stay calm even when it seems that there is no way out and that your files or device would stay locked for good. Agreeing to pay the ransom in the case of a Ransomware infection should only be considered as a last resort option and alternative solutions should always be sought after beforehand.