Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Removal Attempt Turns Android Banking Trojan Into Ransomware

Researchers at SfyLabs have detailed the capabilities of an Android banking Trojan named LokiBot that is designed to turn into a piece of ransomware when users attempt to remove it from their devices.

LokiBot has been around since at least June and its authors have been rolling out new features nearly every week.

Researchers at SfyLabs have detailed the capabilities of an Android banking Trojan named LokiBot that is designed to turn into a piece of ransomware when users attempt to remove it from their devices.

LokiBot has been around since at least June and its authors have been rolling out new features nearly every week.

Once it infects an Android device (running Android version 4.0 or later), the malware starts displaying overlay screens on top of banking and other popular apps in an effort to trick victims into handing over their information. The malware targets roughly 100 banking applications and popular apps such as WhatsApp, Skype and Outlook.

The malware can also open the user’s web browser and navigate to a specified page, reply to SMS messages, and launch banking apps.

“Combine this with the fact that LokiBot can show notifications which seem to come from other apps, containing for example a message that new funds have been deposited to the victim’s account and interesting phishing attack scenarios arise!” SfyLabs researchers said in a blog post. “The phishing notifications use the original icon of the application they try to impersonate. In addition, the phone is made to vibrate right before the notification is shown so the victim will take notice of it. When the notification is tapped it will trigger an overlay attack.”

The most interesting feature, which has led researchers to classify LokiBot as a hybrid Android malware, is its ability to turn into ransomware when users attempt to remove it.

Specifically, when users try to revoke its admin privileges, the malware initiates a procedure to encrypt all files on the device’s external storage and locks the screen with a typical ransom demand claiming that the phone is locked for “viewing child pornography.” Victims are given 48 hours to pay a $70 – $100 “fine” in bitcoin.

LokiBot ransom screen

SfyLabs found that the bitcoin address provided by the cybercriminals already stores cryptocurrency worth roughly $1.5 million. However, it’s unlikely that the entire amount comes from LokiBot attacks as the campaigns spotted by experts generally have only around 1,000 bots and the cost of the Trojan itself is $2,000.

Researchers noticed that while the screen-locking functionality works, the malware doesn’t actually encrypt files. Due to an error, files are automatically restored after being encrypted, but with a different name.

The malware’s developers have implemented some mechanisms designed to prevent dynamic analysis, but they are not particularly sophisticated, especially compared to other malware.

It’s worth noting that there is another Loki Bot malware that targets Windows devices. This threat is designed to steal data from infected computers and it has reportedly been used as a secondary payload in the NotPetya attack launched in late June.

Related: Android Ransomware Abuses Accessibility Services

Related: Android Malware Exploits Dirty COW Vulnerability

Related: Android Malware Found on Google Play Abuses Accessibility Service

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.