LokiBot virus attacks Android devices, has ransomware-like features

LokiBot Android virus turns into ransomware once you attempt to revoke its administrator rights

LokiBot banking Trojan can convert itself into ransomware

Android users should be aware of a new Android virus that is rapidly infecting thousands of smartphone and tablet users worldwide. LokiBot is a complex banking trojan[1] that automatically converts itself into ransomware as soon as the victim tries to get rid of it. Once installed, it opens a pop-up asking for administrative rights on the device and then starts collecting bank-related information.

  • Analysts state[2] that the virus is even capable of launching the user's banking application, opening the browser or replying to text messages.
  • Moreover, the malware has some specific features: it can create fake notifications that imitate legitimate bank applications and trigger the phone's vibration before displaying the notification pop-up.
  • The user is usually tricked into clicking the deceptive pop-up, and this is where the overlay attack begins. The virus displays a fake login window that looks like the real one belonging to a particular bank app; however, all information entered into it reaches the cybercriminals.

In addition, security analysts found that the activity of LokiBot is very similar to that of the BankBot banking trojan[3]. It is hard to believe, but criminals obtained more than 1.5 million dollars from this one virus alone. Some researchers also speculate that both malware variants could have been developed by the same hacker group.

We want to warn you not to try to remove the LokiBot Android trojan hastily, or you will trigger an automatic activation of the ransomware.

In other words, if you try to remove the administrative rights from this malicious app, it will try to lock your data by encrypting the files on the SD card using the AES-128 algorithm[4]. To restore your information, the criminals ask for a $70-$100 ransom in Bitcoin.

The sudden increase in LokiBot's distribution can be explained easily: the code of this malicious program has been seen on sale in the underground market for $2000. However, it has its own flaws: the encryption part is corrupted and fails to encode the files on the device correctly. Therefore, the virus functions as screen-locking malware only.

The data-encrypting virus is faulty, but victims still lose access to their phones

As mentioned previously, the encryption code is corrupted, but the screen locker function works correctly. Thus, victims are locked out of their files.

However, the flaw in the malware prevents it from corrupting the data. It only succeeds in renaming the files. In other words, the victim can refuse to pay the ransom and still get access to their own files. These will be renamed, but accessible.
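The "renamed but not encrypted" claim can be checked on a copy of the SD card contents. The following is an added example, not code from this article or the analysts it cites: it classifies files by their header bytes and entropy instead of by name. The `.renamed` suffix and the sample files are constructed, because the article does not say how the files are renamed.

```python
import math, os, tempfile

# Leading bytes of common phone file formats, mapped to their usual extension.
MAGIC = [(b"\xff\xd8\xff", ".jpg"), (b"\x89PNG\r\n\x1a\n", ".png"),
         (b"%PDF-", ".pdf"), (b"PK\x03\x04", ".zip")]  # .zip also covers docx/apk

def sniff_extension(head):
    """Return the extension implied by the file header, or None."""
    for magic, ext in MAGIC:
        if head.startswith(magic):
            return ext
    return ".mp4" if head[4:8] == b"ftyp" else None  # MP4/3GP 'ftyp' box

def entropy(data):
    """Shannon entropy in bits per byte (8.0 = indistinguishable from random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def triage(path, sample=65536):
    """Classify one file: header intact, possibly encrypted, or unknown."""
    with open(path, "rb") as f:
        data = f.read(sample)
    ext = sniff_extension(data)
    if ext:
        return ("intact", ext)
    # No known header and near-random bytes: content may really be encrypted.
    return ("possibly-encrypted", None) if entropy(data) > 7.5 else ("unknown", None)

def triage_tree(root):
    """Walk a copy of the storage and classify every file by content."""
    return {os.path.relpath(os.path.join(d, n), root): triage(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}

def constructed_samples(root):
    """Write constructed test files; the '.renamed' suffix is a placeholder."""
    samples = {"photo.renamed": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
               "doc.renamed": b"%PDF-1.4\n" + b"x" * 64,
               "blob.renamed": os.urandom(4096)}
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        constructed_samples(root)
        for name, verdict in sorted(triage_tree(root).items()):
            print(name, verdict)
```

Files reported as `intact` can have the listed extension restored; anything reported as `possibly-encrypted` should be kept aside for closer inspection.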

Thus, we strongly recommend that you do not fund the criminals' projects and do not pay the ransom. Statistics show that they have successfully scammed thousands of people and generated enormous profits illegally.

Instead, you should reboot your phone into Safe Mode and eliminate the LokiBot Android virus with mobile security software.

Infostealer.LokiBot is designed to spread via spam messages automatically

The malware sets up the SOCKS5[5] Internet protocol and automatically spams all contacts with malicious links to infect their devices.

Besides, it can take advantage of the ability to open desired web pages or gather browsing-related data and steal your e-mail account to distribute the ransomware.

You should avoid opening suspicious attachments or links even if they are sent by your friends. Instead, contact your friend via another social networking platform and make sure that their device has not been hacked.

About the author
Alice Woods

Alice Woods is the News Editor at 2-spyware. She has been sharing her knowledge and research data with 2spyware readers since 2014.
