Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Removal Attempt Turns Android Banking Trojan Into Ransomware

Researchers at SfyLabs have detailed the capabilities of an Android banking Trojan named LokiBot that is designed to turn into a piece of ransomware when users attempt to remove it from their devices.

LokiBot has been around since at least June and its authors have been rolling out new features nearly every week.

Researchers at SfyLabs have detailed the capabilities of an Android banking Trojan named LokiBot that is designed to turn into a piece of ransomware when users attempt to remove it from their devices.

LokiBot has been around since at least June and its authors have been rolling out new features nearly every week.

Once it infects an Android device (running Android version 4.0 or later), the malware starts displaying overlay screens on top of banking and other popular apps in an effort to trick victims into handing over their information. The malware targets roughly 100 banking applications and popular apps such as WhatsApp, Skype and Outlook.

The malware can also open the user’s web browser and navigate to a specified page, reply to SMS messages, and launch banking apps.

“Combine this with the fact that LokiBot can show notifications which seem to come from other apps, containing for example a message that new funds have been deposited to the victim’s account and interesting phishing attack scenarios arise!” SfyLabs researchers said in a blog post. “The phishing notifications use the original icon of the application they try to impersonate. In addition, the phone is made to vibrate right before the notification is shown so the victim will take notice of it. When the notification is tapped it will trigger an overlay attack.”

The most interesting feature, which has led researchers to classify LokiBot as a hybrid Android malware, is its ability to turn into ransomware when users attempt to remove it.

Specifically, when users try to revoke its admin privileges, the malware initiates a procedure to encrypt all files on the device’s external storage and locks the screen with a typical ransom demand claiming that the phone is locked for “viewing child pornography.” Victims are given 48 hours to pay a $70 – $100 “fine” in bitcoin.

LokiBot ransom screen

SfyLabs found that the bitcoin address provided by the cybercriminals already stores cryptocurrency worth roughly $1.5 million. However, it’s unlikely that the entire amount comes from LokiBot attacks as the campaigns spotted by experts generally have only around 1,000 bots and the cost of the Trojan itself is $2,000.

Researchers noticed that while the screen-locking functionality works, the malware doesn’t actually encrypt files. Due to an error, files are automatically restored after being encrypted, but with a different name.

The malware’s developers have implemented some mechanisms designed to prevent dynamic analysis, but they are not particularly sophisticated, especially compared to other malware.

It’s worth noting that there is another Loki Bot malware that targets Windows devices. This threat is designed to steal data from infected computers and it has reportedly been used as a secondary payload in the NotPetya attack launched in late June.

Related: Android Ransomware Abuses Accessibility Services

Related: Android Malware Exploits Dirty COW Vulnerability

Related: Android Malware Found on Google Play Abuses Accessibility Service

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.