Security researchers have spotted a new Android banking trojan named LokiBot that turns into ransomware and locks users' phones when they try to remove its admin privileges.
According to SfyLabs, the researchers who discovered it, the malware is first and foremost a banking trojan, and that is what it is primarily used for; the ransomware behavior is a secondary feature.
Just like similar Android banking trojans, LokiBot works by showing fake login screens on top of popular apps. LokiBot targets mobile banking apps by design, but also popular non-banking apps such as Skype, Outlook, and WhatsApp.
Similar to Svpeng, CryEye, DoubleLocker, ExoBot, and other recent Android malware families, LokiBot is also sold online on hacking forums. The price for a full LokiBot license is $2,000, paid in Bitcoin.
LokiBot also has features that set it apart from other Android banking trojans. For starters, it can open a mobile browser and load a URL, and it installs a SOCKS5 proxy to redirect the phone's outgoing traffic.
It can also automatically reply to SMS messages and send SMS messages to all of the victim's contacts, a feature most likely used to send SMS spam and infect new users.
Last but not least, LokiBot can also show "fake" notifications disguised as coming from other apps. The malware uses this feature to trick users into thinking they've received money in their bank account so that they open the mobile banking app. When the user taps the notification, LokiBot shows its phishing overlay instead of the real app.
The malware works on Android 4.0 and higher and requires device administrator privileges, which it requests during installation.
If users notice something suspicious and try to revoke those administrator privileges, LokiBot triggers its ransomware behavior.
The good news is that the ransomware routine is not implemented correctly and fails to encrypt users' files.
According to SfyLabs, LokiBot's "Go_Crypt" ransomware function is supposed to lock the user's screen and encrypt files with an AES128 algorithm.
"The encryption function in this ransomware utterly fails, because even though the original files are deleted, the encrypted file is decrypted [immediately] and written back to itself," SfyLabs says. "Thus, victims won't lose their files, they are only renamed."
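To make that failure concrete, here is an added Python model of the routine SfyLabs describes, paired with a triage helper an incident responder could use to confirm that "locked" files are still plaintext and rename them back. This is illustrative code written for this article, not LokiBot's code or SfyLabs' analysis tooling: the cipher is a toy stream cipher standing in for AES-128, and the `.locked` suffix is an assumption, since the page does not name the extension LokiBot appends.

```python
"""Model of the Go_Crypt failure mode described by SfyLabs, plus a recovery
helper. Illustrative only: the cipher is a stand-in for AES-128, the ".locked"
suffix is an assumption, and none of this is LokiBot's own code."""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

LOCK_SUFFIX = ".locked"  # assumption: the article does not name LokiBot's extension


def _keystream(key: bytes, length: int) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode) standing in for AES-128.
    # Symmetric: XOR-ing twice with the same keystream is the identity.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_crypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def broken_go_crypt(path: Path, key: bytes) -> Path:
    """Reproduces the bug: encrypt, immediately decrypt, write the result back,
    then rename. Net effect on disk: plaintext content under a new name."""
    plaintext = path.read_bytes()
    ciphertext = toy_crypt(key, plaintext)
    written = toy_crypt(key, ciphertext)  # the faulty extra decryption step
    path.write_bytes(written)
    locked = path.with_name(path.name + LOCK_SUFFIX)
    path.rename(locked)  # original name is gone, original content is not
    return locked


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    # Properly encrypted data sits close to 8 bits/byte; text and most
    # documents sit well below. The threshold is a triage heuristic.
    return shannon_entropy(data) >= threshold


def restore_renamed_files(directory: Path) -> list:
    """Strip the lock suffix from files whose content is not actually encrypted.
    Files that do look encrypted are left alone for a real decryption effort."""
    restored = []
    for locked in sorted(directory.glob("*" + LOCK_SUFFIX)):
        if looks_encrypted(locked.read_bytes()):
            continue
        original = locked.with_name(locked.name[: -len(LOCK_SUFFIX)])
        locked.rename(original)
        restored.append(original)
    return restored


def demo() -> dict:
    """Run the model against a constructed victim file in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        directory = Path(d)
        sample = directory / "statement.txt"
        sample.write_text("Account 1234 balance 100.00\n" * 200)  # constructed sample
        before = sample.read_bytes()
        locked = broken_go_crypt(sample, key=b"0123456789abcdef")  # 16-byte key, as AES-128
        after_lock = locked.read_bytes()
        restored = restore_renamed_files(directory)
        return {
            "renamed_to": locked.name,
            "content_unchanged": before == after_lock,
            "restored": [p.name for p in restored],
        }


if __name__ == "__main__":
    print(demo())
```

The entropy check is what keeps the helper honest: if a future build of the malware fixed the bug, the locked files would read as near-random bytes and the script would refuse to rename them, rather than hand a victim a file with the right name and unreadable contents.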
The bad news is that regardless of whether the file encryption routine works, the phone's screen gets locked anyway, with a ransom note demanding between $70 and $100.
To remove this screen, users have to boot into Safe Mode, revoke LokiBot's device administrator rights, and uninstall the LokiBot-infected app. Safe Mode starts Android without third-party apps, so the lock screen cannot be drawn and the device administrator settings can be reached.
Even though the ransomware feature is not LokiBot's main money-making scheme, some of the crooks behind this campaign are making quite a nice profit, as the Bitcoin wallets shown in the ransom notes hold Bitcoin worth more than $1.5 million.
Two weeks ago, ESET discovered DoubleLocker, an Android ransomware that evolved from the Svpeng banking trojan. Unlike LokiBot, DoubleLocker was deployed as a ransomware first, and its file encryption routine was fully functional.
SfyLabs has published LokiBot IOCs and the list of apps the trojan targets with overlay screens.
LokiBot is also the name of a separate strain of Windows malware, an information-stealing trojan.