Security researchers at SfyLabs have found that the Android banking Trojan called LokiBot is capable of turning into a piece of ransomware when users try to remove it.
LokiBot was first spotted in June this year. Since then, its creators have been constantly adding new features to it.
As soon as the malware infects an Android device (running Android version 4.0 or newer), LokiBot starts displaying overlay screens on top of banking and other popular applications, trying to trick victims into handing over their credentials.
LokiBot targets approximately 100 banking applications as well as popular apps such as Outlook, Skype, and WhatsApp. In addition, the threat is capable of opening the user’s web browser and navigating to a specified page, replying to SMS messages, and launching banking applications.
“Combine this with the fact that LokiBot can show notifications which seem to come from other apps, containing for example a message that new funds have been deposited to the victim’s account and interesting phishing attack scenarios arise!” the SfyLabs experts stated. “The phishing notifications use the original icon of the application they try to impersonate. In addition, the phone is made to vibrate right before the notification is shown so the victim will take notice of it. When the notification is tapped it will trigger an overlay attack.”
However, the main feature that made security experts classify LokiBot as a hybrid Android malware is its ability to turn into ransomware when users try to remove it.
When users try to revoke its device-administrator privileges, LokiBot starts a routine to encrypt all files on the device’s external storage and locks the screen with a typical ransom demand claiming that the phone is locked for “viewing child pornography.” Victims are then given 48 hours to pay a $70 – $100 “fine” in bitcoin.
The SfyLabs researchers found that the bitcoin address supplied by the attackers already holds cryptocurrency worth approximately $1.5 million. However, the experts doubt that the whole amount comes from LokiBot attacks, as the spam campaigns generally have only around 1,000 bots and the Trojan itself sells for $2,000.
The experts also discovered that while the screen-locking functionality works, the malware doesn’t actually leave files encrypted. Due to a bug, files are automatically restored after being encrypted, though under a different name.
The creators of LokiBot have implemented some mechanisms intended to hinder dynamic analysis; however, compared to other malware, these are not sophisticated.
Meanwhile, users should keep in mind that there is a separate Loki Bot malware family targeting Windows devices. It was created to steal data from infected computers and was used this June as a secondary payload in the NotPetya attack.