LokiBot Mutates from Banking Trojan into Ransomware

The LokiBot Trojan

Banking trojans show users a fake screen which simulates the mobile banking interface. Once the victims enter their login credentials, the malware sends the data to hackers, allowing them to access the users’ accounts.

The LokiBot trojan acts almost the same way, however, it simulates not only a banking app screen, but also Outlook, Skype, and WhatsApp client interfaces, displaying notifications pretending to come from these applications.

In other words, users can receive a fake notification, supposedly from their bank, stating that funds have been transferred to their account. Seeing the good news, users log into the mobile banking client for confirmation.

While showing the notification about the alleged transfer, the LokiBot trojan even makes the smartphone vibrate, which helps hoodwink even clued-in users.

Besides, LokiBot has other tricks to catch users’ attention. It can open a browser, navigate to specific pages, and even use an infected device to send spam, which is the way it distributes itself.

As soon as the trojan has stolen money from user’s account, LokiBot keeps operating, sending a malicious SMS to all contacts in the phone book to infect as many smartphones and tablets as possible, and even replying to incoming messages.

In case the victim tries to remove LokiBot, the malware activates another feature: stealing funds from a bank account, where it needs administrator rights. If users try to deny it permission, the threat mutates from a banking Trojan into ransomware.

The LokiBot Ransomware

When acting like a ransomware, LokiBot locks the screen and shows a message accusing the victims of viewing child pornography and demanding ransom, encrypting the data on the device.

While analyzing the LokiBot’s code, the security experts found that it uses weak encryption and doesn’t work properly. The ransomware attack leaves unencrypted copies of all files on the infected device, only under different names, so restoring the files is relatively simple.

Nevertheless, the device screen remains locked, and the developers of the malware demand about $100 in Bitcoin to unlock it. The victims don’t have to obey though. Instead, after rebooting the device in safe mode, the victims can strip the malware of administrator rights and delete it. To do so, users should determine which version of Android they have:

Select Settings.
Select the General tab.
Select About the device.
Find the line Android version.

To enable safe mode on a device with Version 4.4 to 7.1, do the following:

Press and hold the power button until a menu appears with the option Power off or Disconnect power source.
Press and hold Power off or Disconnect power source.
In the Turn on safe mode menu that appears, click OK.
Wait for the phone to reboot.

Users with other versions of Android should look online for information about how to enable safe mode for their particular phone.

Protecting against LokiBot

Here is what users should do to protect against LokiBot:

Never click on suspicious links.
Download apps only via Google Play, but be cautious even in the official store.
Install a reliable security solution on your phone and tablet.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.