New Android Banking Trojan ‘LokiBot’ Transforms Into Ransomware

Ransomware Cyber Security Concept

A new security threat has been discovered in the banking Trojan LokiBot, which targets millions of smartphones with Android version 4.0 or higher.

If you are familiar with the kind of security threats that are popping up these days, you might have seen this one coming too. Cyber security researchers have identified a new kind of Android banking Trojan they call “LokiBot.”

The threat this malicious software poses makes researchers debate whether to classify it as malware or ransomware. But according to the experts at SfyLabs, the malware has more characteristics of an Android banking Trojan than a form of ransomware.

LokiBot Targets Your Favorite Apps

This cutting-edge malware targets not only the mobile banking applications that you use, but also the non-banking apps such as WhatsApp, Outlook, Skype and other popular social media platforms.

If this wasn’t enough, the malware is even capable of scanning and copying the contacts saved in your mobile phone. Similarly, it can read and send SMS messages from the device as well.

The Threat this Android banking Trojan Poses

Data security is only one part of the threat. The worst part is that LokiBot can lock users from accessing their own mobile phones. The malicious Trojan quickly turns into a ransomware as soon as users try to revoke this app’s admin privileges.

Right after this, the user’s device screens are locked and they won’t open until the supposed “ransom” is paid. The malware targets Android version 4.0 and higher, which is currently the largest pool of Android smartphone users across the globe.

The Trojan’s Modus Operandi

At first, LokiBot would work like just any other Android banking Trojan by showing fake login screens on top of other apps. It steals private user information and also makes the transactions on their behalf.

Ransomware Cyber Attack

Bitcoin wallets that are shown along with the ransom notes currently hold Bitcoin values of more than $1.5 million.

The Android banking Trojan shows “fake” notifications that users suppose are actually coming from other apps on their phone. The malware then uses this feature to trick users into believing they have received money in their account, prompting them to open their mobile banking app.

When the user taps this notification, the bot shows another overlay on top of the real app for the purpose of phishing. Then, it encrypts the user’s data in a way that it renders the phone almost unusable if the Trojan should be removed. Additionally, users are locked out of their phone at the same time.

More often than not, users try to revoke the special administrator privileges which the Android banking Trojan had asked for initially when it was being installed in the user’s phone. What follows right after this is a ransom note which demands around $70 to $100 from the Trojan’s victims.

At times, it displays messages on the screen such as this one: “Your phone has been locked for watching child pornography.” The payment is requested in Bitcoins and the attackers share instructions on how to transfer the funds via digital wallets.

Android Banking Trojan Sold Online for $2,000

The cybercriminals who have created LokiBot have been selling the Trojan on the dark web to other criminals in their community. If the price listed for the software is deemed correct, the Android banking Trojan is worth $2,000 (in Bitcoins).

This is not the first Android banking Trojan that has been sold on the dark web—there have been other similar malware programs recently posted for sale on hacker forums such as Svpeng, which was discovered in 2013, as well as the ExoBot Trojan that surfaced last year and DoubleLocker, which was discovered by researchers earlier this month.

What to Do if Your Device is Affected

The good news is that the Android banking Trojan is unable to completely encrypt the user’s data once it infects their device. The ransomware’s encryption function fails and the victims don’t lose their data. Experts note that the files are only renamed and not deleted from the phone.

To remove the lock screen, users need to boot their device’s Safe Mode and revoke Android banking Trojan’s admin access. From there, they can uninstall the infected apps.

Even though the ransomware function may not be LokiBot’s main monetization strategy, the creators of this malware are making a decent chunk of money as a reward for their efforts, as the Bitcoin wallets that are shown along with the ransom notes currently hold Bitcoin values of more than $1.5 million.

To help offer the community an understanding of these security threats, SfyLabs has published a list of apps that the Android banking Trojan seeks to target with fake overlay screens.

Leave a Reply