Security Experts:

Removal Attempt Turns Android Banking Trojan Into Ransomware

Researchers at SfyLabs have detailed the capabilities of an Android banking Trojan named LokiBot that is designed to turn into a piece of ransomware when users attempt to remove it from their devices.

LokiBot has been around since at least June and its authors have been rolling out new features nearly every week.

Once it infects an Android device (running Android version 4.0 or later), the malware starts displaying overlay screens on top of banking and other popular apps in an effort to trick victims into handing over their information. The malware targets roughly 100 banking applications and popular apps such as WhatsApp, Skype and Outlook.

The malware can also open the user’s web browser and navigate to a specified page, reply to SMS messages, and launch banking apps.

“Combine this with the fact that LokiBot can show notifications which seem to come from other apps, containing for example a message that new funds have been deposited to the victim’s account and interesting phishing attack scenarios arise!” SfyLabs researchers said in a blog post. “The phishing notifications use the original icon of the application they try to impersonate. In addition, the phone is made to vibrate right before the notification is shown so the victim will take notice of it. When the notification is tapped it will trigger an overlay attack.”

The most interesting feature, which has led researchers to classify LokiBot as a hybrid Android malware, is its ability to turn into ransomware when users attempt to remove it.

Specifically, when users try to revoke its admin privileges, the malware initiates a procedure to encrypt all files on the device’s external storage and locks the screen with a typical ransom demand claiming that the phone is locked for “viewing child pornography.” Victims are given 48 hours to pay a $70 - $100 “fine” in bitcoin.

LokiBot ransom screen

SfyLabs found that the bitcoin address provided by the cybercriminals already stores cryptocurrency worth roughly $1.5 million. However, it’s unlikely that the entire amount comes from LokiBot attacks as the campaigns spotted by experts generally have only around 1,000 bots and the cost of the Trojan itself is $2,000.

Researchers noticed that while the screen-locking functionality works, the malware doesn’t actually encrypt files. Due to an error, files are automatically restored after being encrypted, but with a different name.

The malware’s developers have implemented some mechanisms designed to prevent dynamic analysis, but they are not particularly sophisticated, especially compared to other malware.

It’s worth noting that there is another Loki Bot malware that targets Windows devices. This threat is designed to steal data from infected computers and it has reportedly been used as a secondary payload in the NotPetya attack launched in late June.

Related: Android Ransomware Abuses Accessibility Services

Related: Android Malware Exploits Dirty COW Vulnerability

Related: Android Malware Found on Google Play Abuses Accessibility Service

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.