LokiBot: If not stealing, then extorting

This versatile mobile banking Trojan morphs into ransomware on detecting a removal attempt.

Remember the Hydra of ancient mythology? The many-headed serpent that grew two heads when one was chopped off? A similarly dangerous beast has appeared in the Android malware zoo.

LokiBot as a banking Trojan

How do ordinary banking Trojans behave? They present the user with a fake screen that simulates the mobile banking interface. Unsuspecting victims enter their login credentials, which the malware redirects to the attackers, giving them access to the accounts.

How does LokiBot behave? Roughly the same way, but it simulates not only a banking app screen, but also WhatsApp, Skype, and Outlook client interfaces, displaying notifications purporting to come from these applications.

This means that a person can receive a fake notification, supposedly from their bank, saying that funds have been transferred to their account, and seeing the good news. then log in to the mobile banking client for confirmation. LokiBot even makes the smartphone vibrate when it displays the notification about the alleged transfer, which helps hoodwink even clued-in users.

But LokiBot has other tricks in store: It can open a browser, navigate to specific pages, and even use an infected device to send spam, which is basically how it distributes itself. Having pinched money from your account, LokiBot keeps going, sending a malicious SMS to all contacts in the phone book to infect as many smartphones and tablets as possible, and even replying to incoming messages if necessary.

If an attempt is made to remove LokiBot, the malware reveals another facet: To steal funds from a bank account, it needs administrator rights; if you try to deny it permission, it mutates from a banking Trojan into ransomware.

LokiBot as ransomware. How to unlock infected smartphone

In this case, LokiBot locks the screen and displays a message accusing the victim of viewing child pornography and demanding ransom; it also encrypts data on the device. Examining LokiBot’s code, researchers discovered that it uses weak encryption and doesn’t work properly; the attack leaves unencrypted copies of all files on the device, only under different names, so restoring the files is relatively simple.

However, the device screen is still locked, and the malware creators ask for about $100 in Bitcoin to unlock it. But you don’t have to oblige: After rebooting the device in safe mode, you can strip the malware of administrator rights and delete it. To do so, you first need to determine which version of Android you have:

  • Select Settings.
  • Select the General tab.
  • Select About the device.
  • Find the line Android version — the numbers below it indicate your OS version

To enable safe mode on a device with Version 4.4 to 7.1, do the following:

  • Press and hold the power button until a menu appears with the option Power off or Disconnect power source.
  • Press and hold Power off or Disconnect power source.
  • In the Turn on safe mode menu that appears, click OK.
  • Wait for the phone to reboot.

Owners of devices with other versions of Android should look online for information about how to enable safe mode for their particular phone.

Unfortunately, not everyone knows about this method of killing the malware: LokiBot victims have already coughed up nearly $1.5 million. And with LokiBot available on the black market for a mere $2,000, it is likely that the criminals responsible have repaid their investment many times over.

How to protect against LokiBot

In effect, the measures that can be taken to protect against LokiBot are applicable to any mobile malware. Here’s how to protect yourself:

– Never click on suspicious links — that’s how LokiBot spreads.

– Download apps only via Google Play — but be cautious even in the official store.

– Install a reliable security solution on your smartphone and tablet. Kaspersky Internet Security for Android detects all variants of LokiBot. With the paid version, there’s no need to scan the smartphone after installing each new application.